The checkallsslcerts Script

In the past, cPanel & WHM services used a self-signed certificate. Now all cPanel & WHM services use a cPanel-signed hostname certificate with a Comodo® trust chain. This document explains how the system installs a cPanel-signed hostname certificate, and how to disable the automatic installation of a cPanel-signed hostname SSL certificate if you do not wish to use it.


The /usr/local/cpanel/bin/checkallsslcerts script

The script performs the following actions:

  • Installs a cPanel-signed hostname certificate on the server, if one does not exist.
  • Updates the SSL certificate for all cPanel & WHM services.
  • Issues a Comodo-signed SSL certificate on any server with a self-signed, expired, or soon-to-expire certificate.

    Note: A soon-to-expire certificate is an SSL certificate that expires in three days or fewer.


When the script issues a certificate, it performs the following steps:

  1. The system creates a Domain Control Validation (DCV) file. The file's name resembles the following example:

     4221C402112E4831C72C2E004614C47C.txt

     Notes:
     • Systems that use EasyApache 3 store this file in the /usr/local/apache/htdocs/.well-known/pki-validation/ directory.
     • Systems that use EasyApache 4 store this file in the /var/www/html/.well-known/pki-validation/ directory.


  2. The system performs a DNS lookup for the hostname's IP address, starting from the root nameservers. To do this, it runs the following command:

     dig +trace hostname.example.com

     Notes:
     • If the dig command returns multiple IP addresses, the system uses the first IP address that the command returns.
     • In this example, hostname.example.com represents the server's hostname.


  3. The system uses the hostname's IP address to confirm that it can access the DCV file. To do this, it runs the following command:

     curl 192.0.2.102/AFAA5C66A1EEF5812703A46C21C013B4.txt

     Note: In this example, 192.0.2.102 represents the server's primary IP address, and AFAA5C66A1EEF5812703A46C21C013B4.txt represents the DCV file.


  4. When the local DCV check passes, the system sends a request to the cPanel Store API for the new SSL certificate.

     • If a valid SSL certificate already exists and matches the DCV file, the system does not perform any action.
     • If the system must issue a new SSL certificate, the system sends a request to Comodo.
     • Comodo validates the DCV file from the following IP addresses:

       178.255.81.12
       178.255.81.13
       91.199.212.132
       199.66.201.132

     Important: Comodo uses these IP addresses to access the DCV file on the cPanel server. You must whitelist these IP addresses in the server's firewall. For more information, read our How to Configure Your Firewall for cPanel Services documentation.


  5. The system logs the Comodo requests in the /etc/apache2/logs/access_log file. The log also contains user agent strings that show who accessed the DCV file. These user agent strings resemble the following examples:

     cPanel user agent string:

     192.0.2.102 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"

     Comodo user agent string:

     199.66.201.132 - - [16/Jun/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
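The following script is an added example, not cPanel's own checkallsslcerts code. It mirrors the steps above in two helpers: dcv_self_check reproduces the local check in steps 1 through 3 (resolve the hostname with `dig +trace`, take the first A record, fetch the DCV file at that IP with curl, and compare it with the local copy), and dcv_log_report reads access_log lines for steps 4 and 5, listing every request for a DCV file and flagging any "COMODO DCV" fetch that did not come from one of the four Comodo addresses documented above. The function names, the DCV_DIR default (the EasyApache 4 directory from the notes), the DCV_URL_PATH default, and the sample log lines are assumptions made for this example; the Comodo IP list is the one on this page.

```shell
#!/bin/sh
# Added example (not cPanel's checkallsslcerts): local DCV self-check plus an
# access_log audit of who fetched the DCV file and from which address.
# DCV_DIR and DCV_URL_PATH default to the EasyApache 4 layout given in the notes above.

DCV_DIR="${DCV_DIR:-/var/www/html/.well-known/pki-validation}"
DCV_URL_PATH="${DCV_URL_PATH:-/.well-known/pki-validation}"

# Step 2: print the first A record for hostname $1 found in `dig +trace` output
# read on stdin. Answer lines look like "hostname.example.com. 300 IN A 192.0.2.102".
first_a_record() {
    awk -v name="$1." '$1 == name && $4 == "A" { print $5; exit }'
}

# Steps 1-3: resolve via the root servers, fetch the token file at that IP (by IP,
# with no Host header, as in the curl command shown above), and compare it with the
# local file. Returns 0 when the served content matches, 1 on fetch failure,
# 2 when no A record was found.
dcv_self_check() {
    host="$1"; token="$2"
    ip=$(dig +trace "$host" | first_a_record "$host")
    if [ -z "$ip" ]; then
        echo "no A record for $host via root trace" >&2
        return 2
    fi
    remote=$(curl -fsS --max-time 10 "http://$ip$DCV_URL_PATH/$token") || {
        echo "could not fetch $token from $ip" >&2
        return 1
    }
    [ "$remote" = "$(cat "$DCV_DIR/$token")" ]
}

# Steps 4-5: read access_log lines on stdin and print, for each DCV-file request,
#   <verdict> <client ip> <status> <path> <user agent>
# Verdicts: cpanel (the local check), comodo (Comodo from a documented address),
# comodo-unexpected-ip (Comodo user agent from an undocumented address; worth a
# look, since only the four listed addresses should fetch the file), other.
dcv_log_report() {
    awk '
    BEGIN {
        allow["178.255.81.12"] = 1;  allow["178.255.81.13"] = 1
        allow["91.199.212.132"] = 1; allow["199.66.201.132"] = 1
    }
    # $7 is the request path; a DCV file name is 32 hex characters plus ".txt"
    match($7, /\/[0-9A-Fa-f]+\.txt$/) && RLENGTH == 37 {
        ua = $0; sub(/.*" "/, "", ua); sub(/"$/, "", ua)   # text after the last quoted field
        if (ua ~ /^Cpanel-HTTP-Client/) verdict = "cpanel"
        else if (ua == "COMODO DCV")    verdict = ($1 in allow) ? "comodo" : "comodo-unexpected-ip"
        else                            verdict = "other"
        print verdict, $1, $9, $7, ua
    }'
}

# Constructed sample lines (not from a real server) so the report can be tried offline.
SAMPLE_LOG='192.0.2.102 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"
199.66.201.132 - - [16/Jun/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
203.0.113.9 - - [16/Jun/2016:16:19:01 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "COMODO DCV"
198.51.100.7 - - [16/Jun/2016:16:20:00 +0000]  "GET /index.html HTTP/1.1" 200 1024  "-" "Mozilla/5.0"'

# Usage: ./dcv_tools.sh check hostname.example.com <token>.txt
#        ./dcv_tools.sh report < /etc/apache2/logs/access_log
#        ./dcv_tools.sh          (runs the report over the constructed sample)
case "${1:-demo}" in
    check)  dcv_self_check "$2" "$3" && echo "DCV OK: $2 serves $3" ;;
    report) dcv_log_report ;;
    demo)   printf '%s\n' "$SAMPLE_LOG" | dcv_log_report ;;
esac
```

Run the report against the real Apache log after a certificate request: a single cpanel line followed by comodo lines from the documented addresses is the expected pattern, and a comodo-unexpected-ip line means something other than Comodo's listed validators fetched the token with Comodo's user agent.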





To disable a cPanel-signed hostname certificate's installation, run the following command:

touch /var/cpanel/ssl/disable_auto_hostname_certificate

To disable the automatic replacement of all expired service certificates and disable notifications about expired or expiring service certificates, run the following command:

touch /var/cpanel/ssl/disable_service_certificate_management

