In the past, cPanel & WHM services used a self-signed certificate. Now all cPanel & WHM services use a cPanel-signed hostname certificate with a Comodo® trust chain. This document explains how the system installs a cPanel-signed hostname certificate and how to disable the automatic installation of a cPanel-signed hostname SSL certificate if you do not wish to use it.
The system runs the /usr/local/cpanel/bin/checkallsslcerts script during the nightly cPanel & WHM update (upcp) process. This script performs the following actions:
Issues a Comodo-signed SSL certificate on any server with a self-signed, expired, or soon-to-expire certificate.
A soon-to-expire certificate means that the SSL certificate expires in three days or fewer.
To execute these actions, the script performs the following steps:
The system creates a Domain Control Validation (DCV) file, which resembles the following example:
The system performs a DNS lookup for the hostname's IP address on the root nameservers. To do this, it runs the following command:
dig +trace hostname.example.com
The system uses the hostname's IP address to confirm that it can access the Domain Control Validation (DCV) file. To do this, it runs the following command:
In this example,
When the local DCV check passes, the system sends a request to the cPanel Store API for the new SSL certificate.
If a valid SSL certificate exists and matches the DCV file, the system does not perform any action.
Comodo validates the DCV file from the following IP addresses:
188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
Comodo uses these IP addresses to attempt to access the cPanel server. You must whitelist these IPs in the server firewall. For more information, read our How to Configure Your Firewall for cPanel Services documentation.
The system logs the Comodo requests in the /etc/apache2/logs/access file. This file also contains user agent strings that show who accesses the DCV file. These user agent strings resemble the following examples:
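An added example, not part of the cPanel documentation: a small shell helper that summarises, for each validation address listed above, how many requests reached Apache and how many were answered with a 2xx status. It assumes the access log uses Apache's common or combined format; the function names, the sample log lines, and the request path and user agent in them are constructed placeholders.

```shell
#!/bin/sh
# Validation source addresses exactly as listed on this page.
DCV_IPS="188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168"

# dcv_audit [LOGFILE...]  (hypothetical helper; reads stdin when no file is given)
# Expects Apache common/combined log format: field 1 = client, field 9 = status.
# Prints one line per listed address: "<ip> requests=<n> ok=<n> failed=<n>".
dcv_audit() {
    awk -v ips="$DCV_IPS" '
        BEGIN {
            n = split(ips, order, " ")
            for (i = 1; i <= n; i++) want[order[i]] = 1
        }
        ($1 in want) {
            total[$1]++
            if ($9 ~ /^2[0-9][0-9]$/) { ok[$1]++ } else { failed[$1]++ }
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                # Counters that were never set print as 0.
                printf "%s requests=%d ok=%d failed=%d\n", ip, total[ip], ok[ip], failed[ip]
            }
        }
    ' "$@"
}

# Constructed sample log: the request path and user agent are placeholders,
# and 203.0.113.7 is a documentation address standing in for an unlisted client.
dcv_sample_log() {
    cat <<'EOF'
188.8.131.52 - - [01/Jan/2024:00:10:01 +0000] "GET /DCV-FILE-PLACEHOLDER.txt HTTP/1.1" 200 64 "-" "constructed-agent"
188.8.131.52 - - [01/Jan/2024:00:10:05 +0000] "GET /DCV-FILE-PLACEHOLDER.txt HTTP/1.1" 200 64 "-" "constructed-agent"
184.108.40.206 - - [01/Jan/2024:00:11:12 +0000] "GET /DCV-FILE-PLACEHOLDER.txt HTTP/1.1" 403 199 "-" "constructed-agent"
203.0.113.7 - - [01/Jan/2024:00:12:30 +0000] "GET /DCV-FILE-PLACEHOLDER.txt HTTP/1.1" 200 64 "-" "constructed-agent"
220.127.116.11 - - [01/Jan/2024:00:13:44 +0000] "GET /DCV-FILE-PLACEHOLDER.txt HTTP/1.1" 404 210 "-" "constructed-agent"
EOF
}

# Demo on the constructed sample; on a server, pass the access log path instead.
dcv_sample_log | dcv_audit
```

An address that shows requests=0 either has not been used for validation yet or never reached Apache, which is how a firewall block appears from the log side. A non-zero failed count means the request arrived but the web server did not serve the file.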
The /usr/local/cpanel/bin/checkallsslcerts script includes the following optional flags:
|Optional CLI Switches||Description|
Adjusts output to include messages that resemble the following:
If the cPanel Store continues the hostname certificate request, then the system checks the cPanel Store again in an hour. To do this, it runs the following command:
If the system must retry, an entry will appear in the
To disable a cPanel-signed hostname certificate's installation, run the following command:
To disable the automatic replacement of all expired service certificates and disable notifications about expired or expiring service certificates, run the following command: