In cPanel & WHM version 56 two of the most exciting new features we released were the cPanel Market Provider, and the automatic generation of Free hostname SSLs for anyone with a valid cPanel license.
Market Provider
- Summary: We are providing a method to integrate marketplace modules that offer free or paid products within cPanel.
- Release Notes: Manage Market Providers
- Availability: 55.9999.122 and later
- This service is currently disabled by default, can be disabled for all of your Licenses in Manage2, and can be enabled through WHM >> Market Provider Manager
- This feature will be expanded on for version 58.
The Market Provider Interface in WHM is an interface for server administrators to create their own “Market” provider modules, through which you can currently sell SSL certificates, and which can be expanded on to sell anything else through the cPanel interface.
The first release of this feature is in v56, and comes with the cPanel Store provider module, which allows users to purchase COMODO and cPanel-signed SSL certificates within the cPanel user interface. Once the purchase is complete, the system will automatically download and install them without the need to leave the cPanel interface.
Note: If you enable this provider module, a commission equal to one-third of the sales price of the certificate will be credited to your selected cPanel Store account. The pricing is per domain, and you can adjust it within the provider module in WHM.
We very much want to add functionality to this feature, and these are the things at the top of our list:
- Free multi-domain Domain Validated (DV) certificates for all users. (This is in addition to the Let’s Encrypt plugin mentioned on our Feature Request site).
- Availability of Organization Validation (OV) and Extended Validation (EV) certificates.
- Automatic renewal of SSL certificates.
The most exciting part of this, in our opinion, is the ease with which you can create your own module. We have documented that process in our SDK, and are so very excited to see what you will come up with.
Installation of a Free DV Hostname Certificate
- Summary: If the certificate for your server’s hostname does not validate, your server will automatically order, download, and install a FREE DV-signed SSL certificate from the cPanel Store.
- Release Notes: Free cPanel-signed Hostname Certificate
- Availability: 55.9999.114 and later
- This service is currently enabled by default.
- You can disable this part of the tool for all of your Licenses in Manage2, or on a single server by touching this file: /var/cpanel/ssl/disable_auto_hostname_certificate
We updated the tool ‘checkallsslcerts’ that runs every night to also to automatically order, acquire, and install a DV SSL certificate for the hostname of the server on the exim, dovecot, cPanel/WHM, and ftp services. This is only done in the following conditions:
- If the installed SSL is self-signed
- If the installed SSL has been revoked
- If the installed SSL has a weak signature algorithm
- If the installed SSL is invalid
- If the installed SSL will expire in less than a week
- None of the domains on the certificate are configured on or resolve to the server
Note: Your server must have a valid and active license to automatically order, download, and install this no-cost hostname DV certificate.
If your hostname isn’t current, you should update it! You can do so through WHM, or on the command line.
Our Goal: Make it Easier to Build A Secure Internet
We are excited to deliver these new features, and we hope that they advance both the business of web hosting and the security of online communications. I’m excited for you to start using the new features! Version 56 just went to RELEASE on Monday, and will be rolled out to all servers on the RELEASE tier over the new 8 days. Let us know what you think! As always, find me on the Feature Request site, Twitter, or just send me an email.
Header photo credit: https://www.pexels.com/photo/night-black-and-white-long-exposure-london-29502/
Hey Scott! DNSOnly doesn’t include a free hostname SSL at this time. Currently one of the stipulations is that you must have a valid to cPanel license in order to get the hostname SSL, and DNSOnly does not have a license.
Benny, can you confirm that in v56, free hostname SSLs are even a part of DNS Only? It’s definitely not working or doing anything with my DNS Only box, and I didn’t want to dig too far, if it’s not even a feature of DNS Only.
Hey all! Sorry for my delay here.
Neither Comodo nor Let’s Encrypt would issue SSLs without some form of domain verification, for sure. In this case we use the same verification for SSLs issued via AutoSSL and for hostnames. It’s true that the list of checks isn’t yet published, but I believe that’s just an oversight. I’ve reached out internally to find out if that’s the case, or if there’s another reason they aren’t published.
If you have questions, feel free to reach out to me directly: [email protected]
They should be . But they are not.
They are never asking me , the domain holder, that they can create a certicate for my domain/subdomain.
They do some checks ( unpublished by cPanel) . Now depending on these checks, i may be able to impersonate a 3rd party domain (paypal.com ), and obtain a certificate for that 3rd party domain. Then could use that certificate for MITM attacks.
Then they are doing it via DNS entry. These are DV certs so they have to be verified by some type of DV issuing criteria (WHOIS contact email, DNS, text file)
Uhm, cPanel doesn’t upload any text file to my some.somedomain.com site, and still releases a certificate for it.
Obviously Comodo lowered his requirements on the certificates cross signed with cPanel. And thats the problem.
But seems nobody cares.
I believe this scenario is impossible, since the certificate issuance process is using file-based authentication. i.e. Comodo would go to paypal.com/somefilename.txt to authenticate. Since the file would not exist at the real paypal.com, the cert would never be issued.
Good blog that provides nice information on cPanel market provider & the free host name SSLs!
Hi there! That’s true. Is there something specific you dislike about that?
Hello benny,Up to now, getting a certificate required the owners accord, now they are cross signing a request by a 3rd party
Thank you so much for the feedback, Shaun. I sincerely appreciate it. I’ll pass it up the chain, for sure. If you have any other questions or feedback, I’d love to hear it! [email protected]
This sounds like something might not be working the way it’s intended. If you haven’t resolved this yet, can you open a ticket with our support team? https://tickets.cpanel.net
I think you need to rethink the auto SSL purchase. We hit the “If the installed SSL will expire in less than a week” condition. Our wildcard cert hadn’t expired yet but it got replaced by a Comodo cert for the hostname. I’ve now gone around the servers switching off this feature. This should be OFF by default.
This doesn’t appear to be functional on WHM DNSONLY (my NS02 machine). I am still seeing the self-signed certificates there, even though my NS01 machine has the new cPanel-signed service certs. Unfortunately, the installation of the proper certs on the NS01 machine also coincided with my NS01 machine suddenly no longer being able to synchronize with my NS02 machine.
Probably better to do two, since we try to keep each ticket limited to a single request.
Is it better to do one ticket or two?
I’m so sorry for my delay. It sounds like you have everything set correctly, so if you aren’t seeing it, there might be something else going on. I’d love to see you open a ticket with us for both of your questions, just to make sure we get everything squared away for you! https://tickets.cpanel.net
I enabled the market, but I don’t see any market link in the cPanel interface even though it is enabled in the feature manager. Am I missing something?
On an unrelated note: I also notice that there is a feature showcase; how do I disable or change what is on that showcase?
First i don’t really understand Comodo. Up to now, getting a certificate required the owners accord, now they are cross signing a request by a 3rd party. And the end result is a certificate which i (as the domain owner) can’t revoke.
Second doesn’t affect me or my servers, but this could be used by attackers to get certificates for 3rd party domains. A hacker may set hostname to paypal.com, somehow trick cpanel to think its a valid hostname, and he has a certificate which can be used in MITM attacks.
Thanks so much for the interest! Like you read, while we’re working to add Let’s Encrypt support, the free hostname SSLs are not issued through them at this time. They are valid for a year, and will automatically renew when they get close to expiration.
I honestly don’t see what’s wrong with it, and now I’m curious why you do. Why do you feel uncomfortable about this?
Question:
1. Is your Lets Encrypt Free SSL will automatically renew on every 90 days or we will need to manually renew SSL?
Hi there! The certificates are valid for 1 year, and the plan is to renew them every year for free.
Hello benny, this certificate is valid only for 1 year or after it is renewed for free?
I’m sincerely sorry we’re causing frustration for you. The certificates we created should only have replaced self-signed or otherwise invalid certificates, and are completely free.
Thanks for that. Updated. You can also find it here:
https://documentation.cpanel.net/display/SDK/How+to+Create+a+cPanel+Market+Provider+Module
Huh?
I am the only one seeing how wrong is that?
Tonight cPanel created certificates for multiple hostnames i own, without my accord?
And Comodo cross-signed it?
What?
The link for creating our own module seems to be broken.