cPanel® Blog

Securing your site; Comodo, cPanel, & AutoSSL

It’s been nearly four years since we began working with Comodo to make the entire internet safer and more secure. Thanks to that partnership SSL adoption on cPanel servers is higher than ever before.

With cPanel & WHM version 56 we introduced the Market Provider, and began adding Comodo-signed hostname SSLs to cPanel & WHM servers. In version 58 we added AutoSSL to install those same free SSLs on all hosted domains automatically. With version 60 we both enabled AutoSSL by default on new servers and gave server administrators the option to enable it after the upgrade.  The Market Provider and AutoSSL have each been a hugely popular. Let’s take a look at the numbers.

SSL By the Numbers

We issued our very first Comodo-backed SSL in February, and then only 181 in March. In April the Market Provider and Free Hostname SSL certificates were starting to hit live servers, and we started to see the uptick. The real jumps, though, started once AutoSSL was released in version 58, which included Comodo’s free 90 day SSLs as well. In version 60 we added AutoSSL to the Feature Showcase and have seen an incredible response. In the last 16 days we have issued over 3.5 Million SSL certificates.

Number of SSLs issued by cPanel and WHM.

The Comodo team has been working hard to keep up with demand, and since March 1st we have issued over 5.2 million SSL certificates. Thanks to them, that number is climbing every second. We are issuing new SSL certificates at a rate of approximately 240,000 per day. That’s 10,000 new certificates per hour, or 166 certificates a minute. We could not have anticipated the demand that we’ve seen, and are incredibly grateful to the Comodo team for their commitment to our shared goal: securing traffic across the internet.

Up Next: Remove Non-SSL Support for cPanel Services

The success of AutoSSL has been exciting, but we’re just getting started. Version 60 introduced wildcard SSL support to the Market Provider, and we are still planning to add OV and EV support as well. As more domains are secured by AutoSSL, it becomes clear what the next step in our journey should be: drop support for cPanel & WHM’s services on insecure ports. To be clear, our plan for this only involves removing insecure connections for cPanel services; we won’t touch the LAMP stack. One of the many decisions to be made along the way is whether or not to include proxy-subdomain support. Make sure to vote on the feature request site, if that is important to you!

What other concerns do you have for us? Would SSL-only access to cPanel, WHM, Webmail, and Web Disk cause you problems?  Find me on Twitter, comment below, or send me an email and let me know what you think!

benny Vasquez

scripter, crafter, cPanel's Community Manager. Facilitating communication between cPanel's amazing development team, and cPanel's amazing community. Find me on twitter: @cpaneldev

  • Host Prairie

    Unfortunately, this feature does not work like it is supposed to. The SNI for mail service doesn’t display the proper domain level SSL certificate to email client and instead only presents the server level hostname SSL certificate to email client. Already opened a ticket with your support staff and after 4 days of getting nowhere I’ve decided to move on. However, I thought perhaps your development team would like to know you have some bugs in your software as I doubt the cPanel customer support staff I dealt with on my ticket will pass any information along.

    • cPanelbenny

      If you could, please, send me an email with the ticket number (benny@cpanel.net) so I can look into it, I definitely will pass the information on. Thanks!

  • cPanelFelipe

    @denverprophitjr:disqus – Just a quick note to say that, on the development side, we’ve been very aware of the concerns of our clientele who base their revenue model on SSL sales. Both AutoSSL and the cPanel Market can be disabled entirely, and there are no plans to remove that ability.

    You may actually be interested in using the cPanel Market to sell your own products? You can still disable cPanel’s (Comodo-based) SSL products so that yours are the only SSL sales your users see. You’ll need to use a per-domain pricing model (e.g., a cert with 3 domains would cost 3x what a single-domain cert costs), and the authn/authz has to use the same pattern as cPanel’s provider.

    We have documentation on how to do this up at: https://documentation.cpanel.net/display/SDK/Guide+to+cPanel+Market+Provider+Modules

  • Monarobase

    Sounds good… we already block all insecure services in our firewall.

    Not sure about blocking things like exim or dovecot would go down well though, I suppose you are only talking about cpsrvd related services ?

    We defenetly would love /webmail to redirect to https://webmail.domain.tld, we often have customers who can’t access ports above 1024 in https.

    • cPanelbenny

      That’s correct, we’d only be forcing https on cpsrvd services.

      • I already prevent your Comodo partnership. It would eliminate my SSL reseller revenue. Comodo in the past would attempt to steal renewals out from under me. Continue with premium certs from comodo and I’m switching all our licenses over to Plesk.

        • cPanelbenny

          Hey Denver! I completely understand your position and will make sure this gets passed up the chain. Thanks!