The cPanel Market Provider, and free hostname SSLs

In cPanel & WHM version 56 two of the most exciting new features we released were the cPanel Market Provider, and the automatic generation of Free hostname SSLs for anyone with a valid cPanel license.

Market Provider

  • Summary: We are providing a method to integrate marketplace modules that offer free or paid products within cPanel.
  • Release Notes: Manage Market Providers
  • Availability: 55.9999.122 and later
  • This service is currently disabled by default, can be disabled for all of your Licenses in Manage2, and can be enabled through WHM >> Market Provider Manager
  • This feature will be expanded on for version 58.

The Market Provider Interface in WHM is an interface for server administrators to create their own “Market” provider modules, through which you can currently sell SSL certificates, and which can be expanded on to sell anything else through the cPanel interface. 

The first release of this feature is in v56, and comes with the cPanel Store provider module, which allows users to purchase COMODO and cPanel-signed SSL certificates within the cPanel user interface. Once the purchase is complete, the system will automatically download and install them without the need to leave the cPanel interface.


Note: If you enable this provider module, a commission equal to one-third of the sales price of the certificate will be credited to your selected cPanel Store account. The pricing is per domain, and you can adjust it within the provider module in WHM.

We very much want to add functionality to this feature, and these are the things at the top of our list:

  • Free multi-domain Domain Validated (DV) certificates for all users. (This is in addition to the Let’s Encrypt plugin mentioned on our Feature Request site).
  • Availability of Organization Validation (OV) and Extended Validation (EV) certificates.
  • Automatic renewal of SSL certificates.

The most exciting part of this, in our opinion, is the ease with which you can create your own module. We have documented that process in our SDK, and are so very excited to see what you will come up with.

Installation of a Free DV Hostname Certificate

  • Summary: If the certificate for your server’s hostname does not validate, your server will automatically order, download, and install a FREE DV-signed SSL certificate from the cPanel Store.
  • Release Notes: Free cPanel-signed Hostname Certificate
  • Availability: 55.9999.114 and later
  • This service is currently enabled by default.
  • You can disable this part of the tool for all of your Licenses in Manage2, or on a single server by touching this file: /var/cpanel/ssl/disable_auto_hostname_certificate

We updated the ‘checkallsslcerts’ tool, which runs every night, to also automatically order, acquire, and install a DV SSL certificate for the hostname of the server on the exim, dovecot, cPanel/WHM, and ftp services. This is done only under the following conditions:

  • If the installed SSL is self-signed
  • If the installed SSL has been revoked
  • If the installed SSL has a weak signature algorithm
  • If the installed SSL is invalid
  • If the installed SSL will expire in less than a week
  • If none of the domains on the certificate are configured on or resolve to the server

Note: Your server must have a valid and active license to automatically order, download, and install this no-cost hostname DV certificate.
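
The script below is an added example, not cPanel's checkallsslcerts code. It reports which of the conditions above that can be tested offline (self-signed, weak signature, expired or within a week of expiry) apply to a certificate file, and whether the disable flag file is present. It assumes OpenSSL and GNU date, treats MD5 and SHA-1 signatures as "weak" (the page does not define the term), and uses hypothetical function names; revocation, other validity failures and DNS resolution are not checked.

```shell
#!/bin/sh
# Added example, not cPanel code. Function names are hypothetical.
WEEK=604800   # "less than a week", in seconds
# Flag file named in the article; touching it disables the auto-order.
DISABLE_FLAG=/var/cpanel/ssl/disable_auto_hostname_certificate

# replacement_reasons SUBJECT ISSUER SIGALG SECONDS_LEFT
# Prints the matching conditions, space-separated (empty if none match).
replacement_reasons() {
  local subject="$1" issuer="$2" sigalg="$3" left="$4" reasons=""
  # Heuristic: identical subject and issuer is treated as self-signed.
  if [ "$subject" = "$issuer" ]; then reasons="$reasons self-signed"; fi
  # Assumption: MD5- and SHA-1-based signatures count as "weak".
  case "$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z')" in
    *md5*|*sha1*) reasons="$reasons weak-signature" ;;
  esac
  if [ "$left" -le 0 ]; then
    reasons="$reasons expired"
  elif [ "$left" -lt "$WEEK" ]; then
    reasons="$reasons expires-within-a-week"
  fi
  printf '%s\n' "${reasons# }"
}

# check_pem FILE: read the fields with openssl and print a verdict.
check_pem() {
  local pem="$1" subject issuer sigalg end left reasons
  subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
  issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 2
  sigalg=$(openssl x509 -in "$pem" -noout -text |
           awk '/Signature Algorithm:/ { print $3; exit }')
  end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
  left=$(( $(date -d "$end" +%s) - $(date +%s) ))   # needs GNU date
  reasons=$(replacement_reasons "${subject#subject=}" "${issuer#issuer=}" \
            "$sigalg" "$left")
  if [ -z "$reasons" ]; then
    echo "$pem: none of the offline-checkable conditions match"
  elif [ -e "$DISABLE_FLAG" ]; then
    echo "$pem: $reasons (auto-order disabled by flag file)"
  else
    echo "$pem: $reasons (nightly check may replace this certificate)"
  fi
}

# Run only when a certificate path is given, e.g.: sh check.sh /path/to/cert.pem
if [ -n "${1:-}" ]; then check_pem "$1"; fi
```

Running it against a CA-signed certificate that is close to expiry shows the case where renewing by hand, or creating the flag file, has to happen before the nightly run.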

If your hostname isn’t current, you should update it! You can do so through WHM, or on the command line.

Our Goal: Make it Easier to Build A Secure Internet

We are excited to deliver these new features, and we hope that they advance both the business of web hosting and the security of online communications. I’m excited for you to start using the new features! Version 56 just went to RELEASE on Monday, and will be rolled out to all servers on the RELEASE tier over the next 8 days. Let us know what you think! As always, find me on the Feature Request site, Twitter, or just send me an email.

Header photo credit: https://www.pexels.com/photo/night-black-and-white-long-exposure-london-29502/


28 responses to “The cPanel Market Provider, and free hostname SSLs”

  1. cPanelbenny says:

    Hey Scott! DNSOnly doesn’t include a free hostname SSL at this time. Currently one of the stipulations is that you must have a valid cPanel license in order to get the hostname SSL, and DNSOnly does not have a license.

  2. Scott Neader says:

    Benny, can you confirm that in v56, free hostname SSLs are even a part of DNS Only? It’s definitely not working or doing anything with my DNS Only box, and I didn’t want to dig too far, if it’s not even a feature of DNS Only.

  3. cPanelbenny says:

    Hey all! Sorry for my delay here.

    Neither Comodo nor Let’s Encrypt would issue SSLs without some form of domain verification, for sure. In this case we use the same verification for SSLs issued via AutoSSL and for hostnames. It’s true that the list of checks isn’t yet published, but I believe that’s just an oversight. I’ve reached out internally to find out if that’s the case, or if there’s another reason they aren’t published.

    If you have questions, feel free to reach out to me directly: [email protected]

  4. Sandor Marton says:

    They should be. But they are not.
    They are never asking me, the domain holder, that they can create a certificate for my domain/subdomain.
    They do some checks (unpublished by cPanel). Now depending on these checks, I may be able to impersonate a 3rd party domain (paypal.com), and obtain a certificate for that 3rd party domain. Then could use that certificate for MITM attacks.

  5. Scott Neader says:

    Then they are doing it via DNS entry. These are DV certs so they have to be verified by some type of DV issuing criteria (WHOIS contact email, DNS, text file)

  6. Sandor Marton says:

    Uhm, cPanel doesn’t upload any text file to my some.somedomain.com site, and still releases a certificate for it.
    Obviously Comodo lowered its requirements on the certificates cross signed with cPanel. And that’s the problem.
    But seems nobody cares.

  7. Scott Neader says:

    I believe this scenario is impossible, since the certificate issuance process is using file-based authentication. i.e. Comodo would go to paypal.com/somefilename.txt to authenticate. Since the file would not exist at the real paypal.com, the cert would never be issued.

  8. Good blog that provides nice information on cPanel market provider & the free host name SSLs!

  9. cPanelbenny says:

    Hi there! That’s true. Is there something specific you dislike about that?

  10. Fahim Ali says:

    Hello benny, up to now, getting a certificate required the owner’s accord, now they are cross signing a request by a 3rd party

  11. cPanelbenny says:

    Thank you so much for the feedback, Shaun. I sincerely appreciate it. I’ll pass it up the chain, for sure. If you have any other questions or feedback, I’d love to hear it! [email protected]

  12. cPanelbenny says:

    This sounds like something might not be working the way it’s intended. If you haven’t resolved this yet, can you open a ticket with our support team? https://tickets.cpanel.net

  13. Shaun Murray says:

    I think you need to rethink the auto SSL purchase. We hit the “If the installed SSL will expire in less than a week” condition. Our wildcard cert hadn’t expired yet but it got replaced by a Comodo cert for the hostname. I’ve now gone around the servers switching off this feature. This should be OFF by default.

  14. René Kåbis says:

    This doesn’t appear to be functional on WHM DNSONLY (my NS02 machine). I am still seeing the self-signed certificates there, even though my NS01 machine has the new cPanel-signed service certs. Unfortunately, the installation of the proper certs on the NS01 machine also coincided with my NS01 machine suddenly no longer being able to synchronize with my NS02 machine.

  15. cPanelbenny says:

    Probably better to do two, since we try to keep each ticket limited to a single request.

  16. Lewis says:

    Is it better to do one ticket or two?

  17. cPanelbenny says:

    I’m so sorry for my delay. It sounds like you have everything set correctly, so if you aren’t seeing it, there might be something else going on. I’d love to see you open a ticket with us for both of your questions, just to make sure we get everything squared away for you! https://tickets.cpanel.net

  18. Lewis says:

    I enabled the market, but I don’t see any market link in the cPanel interface even though it is enabled in the feature manager. Am I missing something?

    On an unrelated note: I also notice that there is a feature showcase; how do I disable or change what is on that showcase?

  19. Sandor Marton says:

    First, I don’t really understand Comodo. Up to now, getting a certificate required the owner’s accord, now they are cross signing a request by a 3rd party. And the end result is a certificate which I (as the domain owner) can’t revoke.
    Second, this doesn’t affect me or my servers, but this could be used by attackers to get certificates for 3rd party domains. A hacker may set hostname to paypal.com, somehow trick cPanel to think it’s a valid hostname, and he has a certificate which can be used in MITM attacks.

  20. cPanelbenny says:

    Thanks so much for the interest! Like you read, while we’re working to add Let’s Encrypt support, the free hostname SSLs are not issued through them at this time. They are valid for a year, and will automatically renew when they get close to expiration.

  21. Ripper says:

    I honestly don’t see what’s wrong with it, and now I’m curious why you do. Why do you feel uncomfortable about this?

  22. Dewlance says:

    Question:
    1. Will your Let’s Encrypt free SSL automatically renew every 90 days, or will we need to manually renew the SSL?

  23. cPanelbenny says:

    Hi there! The certificates are valid for 1 year, and the plan is to renew them every year for free.

  24. Hello benny, this certificate is valid only for 1 year or after it is renewed for free?

  25. cPanelbenny says:

    I’m sincerely sorry we’re causing frustration for you. The certificates we created should only have replaced self-signed or otherwise invalid certificates, and are completely free.

  26. Sandor Marton says:

    Huh?
    Am I the only one seeing how wrong that is?
    Tonight cPanel created certificates for multiple hostnames I own, without my accord?
    And Comodo cross-signed it?
    What?

  27. Monarobase says:

    The link for creating our own module seems to be broken.
