This document explains how the cPanel-signed hostname certificate works and how to disable it if you do not wish to use it.
The cPanel-signed SSL certificate
During the nightly cPanel & WHM update, the system runs the /usr/local/cpanel/bin/checkallsslcerts command. This command performs the following actions:
The server creates a Domain Control Validation (DCV) file in the /home/USERNAME/public_html/.well-known/pki-validation/ directory, where USERNAME represents the account's username. The filename resembles the following example:
The server performs a DNS lookup for the hostname at the root nameservers with the following command:
The server uses the IP address that the previous command returned and confirms that the DCV file is reachable at that address with the following command:
If the dig command returns multiple IP addresses, the system uses the first one.
When the local DCV check passes, the system sends a request to the cPanel Store API for the new SSL certificate.
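The following script is an added example that reproduces the local DCV pre-check described above, so that a hostname certificate that never gets issued can be debugged by hand. It is not part of cPanel's checkallsslcerts. Assumptions that are not on this page: the DCV file name is supplied by the caller, the fetch is plain HTTP on port 80, and the root-nameserver lookup is approximated with `dig +short`. The dig output is a constructed sample.

```shell
#!/bin/sh
# Added example, not cPanel's code: re-run the local DCV pre-check that
# checkallsslcerts performs before it asks the cPanel Store for a certificate.
# Assumed: DCV file name given by the caller, HTTP on port 80, `dig +short`
# in place of the root-nameserver lookup.

# Constructed sample of `dig +short` output with two A records, the case the
# page describes where the system must choose the first address returned.
SAMPLE_DIG='203.0.113.10
203.0.113.11'

# Print the first IPv4 address in dig +short output. CNAME targets (which
# dig +short prints as names ending in a dot) are skipped.
first_ip() {
    printf '%s\n' "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# URL of the DCV file as a validator would request it from the hostname.
dcv_url() {
    printf 'http://%s/.well-known/pki-validation/%s' "$1" "$2"
}

# Live check: resolve the hostname, take the first IP, fetch the DCV file
# from that exact IP (--resolve pins host:port to it, bypassing /etc/hosts),
# and compare the body with the file in the account's docroot.
# Returns 0 only when the remote content matches the local file.
check_dcv() {
    host=$1; user=$2; file=$3
    local_file="/home/$user/public_html/.well-known/pki-validation/$file"
    ip=$(first_ip "$(dig +short A "$host")")
    if [ -z "$ip" ]; then
        echo "no A record for $host" >&2
        return 1
    fi
    remote=$(curl -sS --max-time 10 --resolve "$host:80:$ip" "$(dcv_url "$host" "$file")") || return 1
    [ "$remote" = "$(cat "$local_file")" ]
}

# Offline demonstration on the constructed sample:
echo "first IP: $(first_ip "$SAMPLE_DIG")"
echo "would fetch: $(dcv_url host.example.com EXAMPLE.txt) from $(first_ip "$SAMPLE_DIG")"

# Live run (assumed environment variable names):
#   CPANEL_DCV_HOST=host.example.com CPANEL_DCV_USER=someuser CPANEL_DCV_FILE=EXAMPLE.txt sh dcv_check.sh
if [ -n "${CPANEL_DCV_HOST:-}" ]; then
    if check_dcv "$CPANEL_DCV_HOST" "$CPANEL_DCV_USER" "$CPANEL_DCV_FILE"; then
        echo "DCV OK"
    else
        echo "DCV FAILED"
    fi
fi
```

The point of pinning the request to the resolved IP with `--resolve` is that a hostname which resolves correctly from the server's own /etc/hosts but to a different address in public DNS passes a naive `curl http://hostname/...` and still fails the real check, because both checkallsslcerts and Comodo use the address that DNS returns.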
When a valid SSL certificate is in place and matches the DCV file, the system does nothing.
When the system needs to issue a new SSL certificate, cPanel sends a request to Comodo. This request revokes the current SSL certificate and issues a new one. Comodo then verifies the DCV file.
Comodo validates the DCV file from the following IP addresses:
Comodo uses these IP addresses to access the DCV file on the cPanel server. You must allow these IP addresses through the server's firewall, or validation fails.
The system logs the Comodo requests in the /usr/local/cpanel/logs/access_logs file. These entries include the user agent strings, which show what accessed the DCV file.
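As an added example (not from the cPanel documentation), the following function pulls the DCV requests out of an access log so you can confirm that the validator reached the file and what status it received. The log lines are constructed samples in Apache combined-log format, and the user agent string "Comodo DCV Agent" is an invented placeholder, not the real validator's user agent.

```shell
#!/bin/sh
# Added example, not cPanel's code: list who requested the DCV file.
# Assumes Apache combined-log format; the sample below is constructed and the
# user agent shown is a placeholder, not the real validator's string.
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2020:03:12:09 +0000] "GET /.well-known/pki-validation/EXAMPLE.txt HTTP/1.1" 200 64 "-" "Comodo DCV Agent"
198.51.100.7 - - [01/Jan/2020:03:12:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2020:03:12:11 +0000] "GET /.well-known/pki-validation/EXAMPLE.txt HTTP/1.1" 404 0 "-" "Comodo DCV Agent"'

# Print "client_ip status user_agent" for every request under
# /.well-known/pki-validation/. Splitting on the double quote puts the request
# line in field 2, the status and size in field 3, and the user agent in 6.
dcv_requests() {
    printf '%s\n' "$1" | awk -F'"' '$2 ~ /\/\.well-known\/pki-validation\// {
        split($1, pre, " "); split($3, mid, " ")
        print pre[1], mid[1], $6
    }'
}

# Count the DCV requests that did not succeed; a non-zero result means the
# validator reached the server but could not read the file.
dcv_failures() {
    dcv_requests "$1" | awk '$2 != 200' | grep -c .
}

# Demonstration on the constructed sample; on a real server use:
#   dcv_requests "$(cat /usr/local/cpanel/logs/access_logs)"
dcv_requests "$SAMPLE_LOG"
echo "failed DCV requests: $(dcv_failures "$SAMPLE_LOG")"
```

A 404 on the DCV path from the validator's address usually means the file was removed or the hostname's document root is not the one the file was written to; a request that never appears at all points at the firewall.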
The checkallsslcerts script updates the SSL certificate for all cPanel services. It also issues a Comodo-signed SSL certificate on any server whose certificate is self-signed, expired, or about to expire.
In the past, cPanel services used a self-signed certificate. Now all cPanel services use a cPanel, Inc.®-signed certificate with a Comodo trust chain.
| Optional CLI switches | Description |
|---|---|
Adjusts output to include messages that resemble the following:
The system runs through the following process:
If the cPanel Store is still processing the hostname certificate request, the system checks the cPanel Store again an hour later. It checks for an issued certificate with the following command:
If the system must retry, you will see an entry in the at daemon (
cPanel & WHM ships with the following Perl modules, which the cPanel-signed hostname certificate requires in order to function properly:
How to disable a cPanel-signed hostname certificate
Create the following touch file to disable the fetching of cPanel-signed hostname certificates:
You might experience any of the following issues with your free cPanel SSL Certificate:
- The server's hostname runs on the cpanel.hostname.tld subdomain with proxy subdomains enabled.
- The hostname matches one of cPanel & WHM's proxy subdomains.
- Proxy subdomains are enabled and the hostname matches one of the standard proxy subdomains, for example the whm.hostname.tld subdomain. In that case, accessing the server's hostname directly serves the Default Web Page template instead of the interface.
To allow the cpanel.hostname.tld subdomain to properly display the cPanel interface on port 2083, follow the steps in our Custom Templates documentation.