
Overview


This document explains how a cPanel-signed hostname certificate works and how to disable SSL if you do not wish to use it.

The cPanel-signed SSL certificate


During the nightly cPanel & WHM update, the system runs the /usr/local/cpanel/bin/checkallsslcerts command. This command performs the following actions:

The server creates a Domain Control Validation (DCV) file, /usr/local/apache/htdocs/DCV.txt, where DCV.txt stands for a file name that resembles the following example:

4221C402112E4831C72C2E004614C47C.txt

The server performs a DNS lookup for the hostname at the root nameservers with the following command:

dig +trace host.server.tld

The server uses the IP address that the previous command returned and verifies that the DCV.txt file is accessible with the following command:

curl 208.67.121.102/4221C402112E4831C72C2E004614C47C.txt

Note:

If the dig command returns multiple IP addresses, the system uses the first IP address returned.

When the local DCV check passes, the system sends a request to the cPanel Store API for the new SSL certificate.

  • When a valid SSL certificate is in place and matches the DCV.txt file, the system does nothing.

  • When the system needs to issue a new SSL certificate, it sends a request from cPanel to Comodo. This request revokes the current SSL certificate and issues a new one. Comodo then verifies the DCV.txt file.

  • Comodo validates the DCV.txt file from the following IP addresses:

    178.255.81.12
    178.255.81.13
    91.199.212.132
    199.66.201.132

    Note:

    Comodo uses these IP addresses to access the cPanel server. You must whitelist these IPs in the server's firewall.

The system logs the Comodo requests in the /usr/local/cpanel/logs/access_logs file. These entries also contain user agent strings that show who accessed the DCV.txt file.

cPanel user agent string:
10.215.217.223 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"
10.215.217.223 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"
Comodo user agent string:
199.66.201.132 - - [16/Jun/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
199.66.201.132 - - [16/May/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
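As an added example (not cPanel's own code and not part of the original page), the following POSIX shell script audits access log entries in the format shown above: it reports every fetch of a DCV file and flags any that did not come from the local Cpanel-HTTP-Client self-check or from the COMODO DCV agent at one of the four Comodo addresses listed earlier. The log lines it reads are constructed samples, and the function names are its own.

```shell
#!/bin/sh
# Added example, not cPanel code: audit DCV fetches in an access log.
# Expected clients are the local "Cpanel-HTTP-Client/1.0" self-check and the
# "COMODO DCV" agent from the four Comodo validation addresses; any other
# client that fetched the DCV file is reported as SUSPECT.

COMODO_DCV_IPS="178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132"

# Print "<status> <ip> <user agent>" for every request for a DCV file
# (a 32-hex-character name ending in .txt). Status is one of:
#   ok       COMODO DCV agent from a listed Comodo address
#   cpanel   local Cpanel-HTTP-Client self-check
#   SUSPECT  unexpected client or address
audit_dcv_log() {
    awk -v allowed="$COMODO_DCV_IPS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        if (!match($0, /"GET \/[0-9A-Fa-f]+\.txt HTTP/)) next
        name = substr($0, RSTART + 6, RLENGTH - 15)   # drop the GET prefix and .txt suffix
        if (length(name) != 32) next
        ip = $1
        if (!match($0, /"[^"]*"$/)) next               # user agent is the last quoted field
        ua = substr($0, RSTART + 1, RLENGTH - 2)
        if (ua == "COMODO DCV" && (ip in ok)) status = "ok"
        else if (ua == "Cpanel-HTTP-Client/1.0") status = "cpanel"
        else status = "SUSPECT"
        print status, ip, ua
    }' "$1"
}

# Count audit lines that carry a given status.
count_status() {
    audit_dcv_log "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample log: two lines modelled on the entries above plus three
# constructed ones (203.0.113.9 and 198.51.100.7 are documentation addresses).
SAMPLE_LOG="${TMPDIR:-/tmp}/dcv_audit_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
10.215.217.223 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"
199.66.201.132 - - [16/Jun/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
203.0.113.9 - - [16/Jun/2016:16:20:00 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
198.51.100.7 - - [16/Jun/2016:16:21:00 +0000]  "GET /index.html HTTP/1.1" 200 1024  "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2016:16:22:00 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "Mozilla/5.0"
EOF

audit_dcv_log "$SAMPLE_LOG"
echo "suspect DCV fetches: $(count_status "$SAMPLE_LOG" SUSPECT)"
```

Run it against the real log by passing its path to audit_dcv_log instead of the sample file; a COMODO DCV user agent from an address outside the listed four, or any other client fetching the DCV file, is what the SUSPECT lines surface.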

The /usr/local/cpanel/bin/checkallsslcerts file


The /usr/local/cpanel/bin/checkallsslcerts file updates the SSL certificate for all cPanel services. It also issues a Comodo-signed SSL certificate on any server with a self-signed, expired, or soon-to-expire certificate.

In the past, cPanel services used a self-signed certificate. Now all cPanel services use a cPanel, Inc.® signed certificate with a Comodo trust chain.

Optional CLI switches:

--verbose

Adjusts the output to include messages that resemble the following:

  • The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
  • The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
  • The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
  • The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
--allow-retry

The system runs through the following process:

If the cPanel Store is still processing the hostname certificate request, the system checks the cPanel Store again in an hour. It checks for an issued certificate with the following command:

/usr/local/cpanel/scripts/try-later --action '/usr/local/cpanel/bin/checkallsslcerts --no-retry' --check '/bin/sh -c exit 1' --delay 60 --max-retries 1 --skip-first

Note:

If the system must retry, an entry appears in the at daemon (atd) job queue. Use the following commands to view, execute, or remove a job (# stands for the job number):

Command          Description
atq              Views the queued at jobs.
at -c #          Views the contents of job number #.
at -c # | sh     Manually executes job number #.
atrm #           Manually removes job number #.

Perl modules


You must install all of the following Perl modules on the server for this feature to function properly:

Cpanel::Market::SSL.pm
Cpanel::Market::Provider::cPStore.pm
Cpanel::Market::Provider::Utils.pm
Cpanel::Market::Provider::cPStore::Utils.pm
Cpanel::Market::Provider::cPStore::ProductsCache.pm
Cpanel::WebVhosts
Cpanel::API::Market

How to disable a free cPanel SSL


Create the following touch file to disable the fetching of cPanel-signed hostname certificates:

/var/cpanel/ssl/disable_service_certificate_management

Possible errors


You might experience any of the following issues with your free cPanel SSL Certificate:

  • The server's hostname runs on the cpanel.hostname.tld subdomain with proxy subdomains enabled.
  • The hostname matches one of cPanel & WHM's proxy subdomains.
  • Proxy subdomains are enabled and the hostname matches one of the standard proxy subdomains (for example, the cpanel.hostname.tld and whm.hostname.tld subdomains). When users access the server's hostname directly, the server serves the Default Web Page template.

To allow the cpanel.hostname.tld subdomain to properly display the cPanel interface on port 2083, follow the steps in our Custom Templates documentation.
