cPanel® Blog

New SSL Notifications in v68

AutoSSL is indisputably one of the best parts of cPanel & WHM. We have continued to improve and expand the functionality of AutoSSL since we introduced it in version 58, and version 68 includes some very specific improvements we want to talk about.

Building the best experience

Much of our work with AutoSSL has been on improving the DCV (Domain Control Validation) process and success rates. While most of the work has been behind-the-scenes and not something that is easily outwardly noticed, there are a couple things we can point to. The most obvious improvements were when we added the DCV global exclude to alleviate the .htaccess edits that were required, and adjusted the folder that was being used for the validation. We’ve worked hand-in-hand with the team over at Comodo to make the domain validation process faster and more secure.

We’ve also added features like allowing cPanel users to define which domains are secured by AutoSSL in version 66, and giving those users the ability to trigger their own AutoSSL run in version 68.

New Notifications

One thing that we held off on intentionally was notifications around AutoSSL. Automated notifications are one of the best ways for an administrator to be notified of a potential problem on a server, but being notified of the problem typically also means that you will want to respond to it. We avoid enabling notifications unless we think it is absolutely necessary, because notifications often cause an increase in support interactions, both for us and for our partners. In version 68 we added numerous new notifications around SSLs and SSL renewals, to help ensure that websites are being secured the best possible way. Let’s go through them.

As of v68 new and upgraded systems will default to automatically sending hosting providers and cPanel users notifications about the status of their existing SSL certificates, whether they are issued through AutoSSL or were purchased and installed outside of AutoSSL. The full list of notifications that we’ve added in version 68 is below.

Webhosting providers will receive the following notifications: 

  • AutoSSL certificates expiring soon — Triggered when account’s AutoSSL certificate expires soon.
  • Installation of AutoSSL certificates — Triggered when AutoSSL installs an SSL certificate.
  • Installation of purchased SSL certificates — Triggered when the system installs SSL certificates that a user purchased through the cPanel Market.
  • SSL Certificate Expiration — Triggered when a service-level SSL certificate has expired.
  • SSL Certificate Expires Soon — Triggered when an account’s SSL certificate expires soon.
  • SSL certificates expiring — Triggered when an account’s SSL certificate expires soon.

cPanel users will receive the following notifications:

  • AutoSSL has renewed a certificate — Triggered when AutoSSL has successfully completed a certificate renewal.
  • AutoSSL certificate expiry — Triggered when an AutoSSL certificate will expire soon.
  • SSL certificate expiry — Triggered when a non-AutoSSL certificate will expire soon.

This level of communication will help ensure that all domains on a server can be secured, and noticed if they are not yet secured by an SSL. Webhosting providers and cPanel users can manage their notifications in one of two ways, either on the command line using the API (WHMAPI or cPanel API), or through the appropriate contact interface (WHM Contact Manager or cPanel Contact Information).

What’s next?

Our end goal continues to remain the same: help make it easier to increase security around internet traffic. Looking to the numbers provided by a bunch of sources, including Let’s Encrypt and Google, the number of interactions happening over SSL has nearly doubled in the last two years, and we’re happy to be one part of that push. If you have more features you’d like to see included as part of AutoSSL, or have other questions, comment below or find me on twitter.

benny Vasquez

scripter, crafter, cPanel's Manager of Community Engagement. Facilitating communication between cPanel's amazing development team, and cPanel's amazing community. Find me on twitter: @cpaneldev

  • Donna O

    Hi Benny

    So glad to find this article.

    We are a hosting reseller and have just started receiving around 55 emails a day regarding autoSSL certificates for our 55+ clients on a shared server.

    An example of text from the emails:

    examplecompany.com: The AutoSSL certificate expires on 2017-11-23 at 00:00:00 UTC. At the time of this notice, the certificate will expire in “4 days, 10 hours, 21 minutes, and 3 seconds”.

    AutoSSL did not renew the certificate for “examplecompany.com”. You must take action to keep this site secure.

    The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems: ⛔ mail.examplecompany.com [ Last AutoSSL Run at “2017-11-18 at 13:12:02 UTC” ]

    “mail.examplecompany.com” does not resolve to any IPv4 addresses on the internet.

    Other subdomains affected are cpanel, mail, webdisk, autodiscover.

    Our hosting partner is telling us just to disable the messages by going into each account but doesn’t seem to be able to tell us why it is happening or what we can do about the issue.

    Are you able to shed light on what the cause could be or direct me to where to find more detail on this cPanel upgrade and the possible error messages and solutions.

    Also is there a setting to send out a message from our shared server when there is a cPanel/WHM update without finding it out by receiving 55 new messages each day?

    Thanks

    • benny Vasquez

      Hi Donna! I’m so sorry for my delay! Unfortunately providing support via blog post comments isn’t possible, but it looks like the problem is that the domain in question doesn’t have a valid IP address. You should be able to add a A record for that subdomain through cPanel’s Zone Editor.

      https://documentation.cpanel.net/display/ALD/Zone+Editor

      If you’re still having trouble, feel free to open a ticket with our support team: https://tickets.cpanel.net/submit/

      • Donna O

        Thanks benny for the advice and I think I will need to raise a ticket and maybe walk through one or two of the accounts with someone. It seems a better idea to fix the issues now rather just turn off the notifications.

  • Diya Patel

    very helpful post about Auto SSL thanks for sharing i like it already installed auto ssl on my web https://www.hostkarle.in

  • Vinnie Murdico

    Is there any way to control how far in advance of a certificate expiration the system will start sending “expiring soon” notifications? I have my own system to handle renewals for my hosted customers about 10 days in advance of expiration, but cPanel is already sending me notices more than two weeks in advance of expiration.

    • benny Vasquez

      Unfortunately that timeline isn’t configurable at this time. You can disable it entirely in Tweak Settings, but there’s no way to customize that yet.

  • Scott Neader

    Can you remind me… in v68 WHM, where in Contact Manager can I find “Installation of AutoSSL certificates”. I only see “Installation of purchased SSL certificates”

    • benny Vasquez

      Hi Scott! There currently isn’t a way to manage this in WHM, only as the cPanel user. There’s a script being shared on the forums to disable those as a cPanel user, if you’d like. https://forums.cpanel.net/threads/ssl-notifications-in-cpanel-68.614395/

      • Scott Neader

        Color me confused. The posting above says “Webhosting providers will receive the following notifications: .AutoSSL certificates expiring soon — Triggered when account’s AutoSSL certificate expires soon. Installation of AutoSSL certificates — Triggered when AutoSSL installs an SSL certificate.” — yet I have not received a single notification. However, the end-users are most definitely getting them. That is why I was looking for the magic setting that I might not have set correctly. Since there is no such setting, then I must be set to get them “somehow” yet there are none.

  • Nonton Drama Asia

    this article is very good, I feel the new knowledge after reading it, hope this can help me to be better again ..

    thank you

  • Syed Muhammad Mahfuz-ul Huq

    Hello I have a dedicated server where i have more then 600 a/c. Does this SSL free for all 600 a/c. or is their any limitation??

    • benny Vasquez

      There’s no limitation from the cPanel side, but there may be limitations that prevent the issuing of the SSLs. If you’re seeing any problems or have details questions, feel free to open a ticket either with your license provider or with our support team. We’ll get you squared away.

    • Scott Neader

      Syed, we have servers with well over 600 domains active, and AutoSSL works great, with either Let’s Encrypt or the cPanel/Comodo provider.

  • Ross Gerring

    I think it’s fair to say the WHM users don’t have any strong allegiance towards free SSL suppliers, i.e. Comodo or Let’s Encrypt. But we do want to go with the one that works best, i.e. minimises auto-install failures. From these blogs, it appears to me that cPanel is (slightly?) more aligned with Comodo than with Let’s Encrypt. Is that fair to say? Is it also fair to say that, therefore, free Comodo SSL certs are likely to work more error-free than Let’s Encrypt free SSLs? Or is it the case that when an improvement is made for one, it’s simultaneously an impovement for the other? Thx.

    • benny Vasquez

      We definitely have a closer relationship with Comodo, just due to the length of that relationship. However, you’re correct: If a bug is found in one provider, it’s addressed in both providers.

  • Scott Neader

    Nick and his team really worked hard to get these SSL notifications right — please pass along my sincere thanks! I am sure there will be some tweaking needed, but “knowledge is power” and being notified when there are SSL problems is really necessary! Quick question… the v66 or v68 “SSL TLS Status” docs don’t mention how to enable the feature for cPanel users. I’m not seeing it as a feature (disabled or otherwise)… can you remind me where the feature is, so that it can be enabled?

    • benny Vasquez

      Right now the SSL/TLS Status feature in cPanel only shows up if you have all three of the following features enabled:

      * SSL/TLS
      * SSL Host Installer
      * SSL/TLS Wizard

      Let me know if you have any questions!

      • Scott Neader

        Thanks!! I know this isn’t a support forum… but since you said to let you know if I had any questions… 🙂 Any idea what would cause ‘SSL/TLS Status’ to NOT appear in a user’s cPanel, if one had all three of those checked in every feature list, and not checked on the disabled list?

        • Scott Neader

          Here is a screen shot of the ‘disabled’ and ‘default’ feature list. I also confirmed that the end user’s package is using the ‘default’ feature list.
          https://uploads.disquscdn.com/images/c999debf964be7e622e6d321391beb50c619e4fddc3e5f25d10375a4d19c0212.jpg

        • benny Vasquez

          It looks like there’s a bug that’s fixed in 68.0.9 that prevents the status page from showing up if the cPanel Market wasn’t enabled. That should be fixed in CURRENT now!

          • Scott Neader

            Thanks. I’m on the Release tier, v66.0.29. So, I won’t see this fix until 68 moves to Release?

          • benny Vasquez

            Yup! Unless that fix get back-ported you won’t see it until you upgrade. I’m going to ask about a backport tomorrow, though!

          • Scott Neader

            Thanks… although I think 68 going to Release is fairly imminent anyway… so I should see it soon. Thanks again for solving the mystery!

          • benny Vasquez

            Anytime. 🙂