cPanel a law to itself

easyhostmedia

Well-known member
To all hosts that sell SSL certificates and have cPanel servers.

When you upgrade your server to WHM version 6 then cpanel will place a shared cpanel DV SSL cert on all accounts on the server if you want them or not even if an account already has a paid SSL cert.

I noticed this yesterday when one of my clients ordered an SSL and they could not install it as the system was saying they already had a DV cert on their account.
I also noticed that cPanel had over ridden 2 clients paid SSL certs, so these had to be reinstalled.

Opened a ticket with cPanel as they told me that these are default with WHM 6 and if i wanted to remove them than i would have to do this myself manually as they dont have anything to mass remove the SSLs they installed without permission, although they told me i could place a request with their developers to create a feature to mass remove these.

i told them why should i when they added all the SSLs without permission, so they should have a method to remove them
 
To all hosts that sell SSL certificates and have cPanel servers.

When you upgrade your server to WHM version 6 then cpanel will place a shared cpanel DV SSL cert on all accounts on the server if you want them or not even if an account already has a paid SSL cert.

I noticed this yesterday when one of my clients ordered an SSL and they could not install it as the system was saying they already had a DV cert on their account.
I also noticed that cPanel had over ridden 2 clients paid SSL certs, so these had to be reinstalled.

Opened a ticket with cPanel as they told me that these are default with WHM 6 and if i wanted to remove them than i would have to do this myself manually as they dont have anything to mass remove the SSLs they installed without permission, although they told me i could place a request with their developers to create a feature to mass remove these.

i told them why should i when they added all the SSLs without permission, so they should have a method to remove them

good day

You can disable the ssl certificate of your sites by following the following path

Home »SSL / TLS» Manage AutoSSL

Disabled

Blessings
 
good day

You can disable the ssl certificate of your sites by following the following path

Home »SSL / TLS» Manage AutoSSL

Disabled

Blessings

yes, but when these have already been installed without permission that just stops future ones.

Had to spend 3 hours removing all these and correcting the ones they had over ridden.

This feature should be disabled by default and upto hosts to enable it and not the other way round.
 
good day

You're right

SSL Certificates from cpanel are free, but do not certify the company they insure

They can be given free to their customers, if they wish

You can enable them individually

Blessings
 
good day

You're right

SSL Certificates from cpanel are free, but do not certify the company they insure

They can be given free to their customers, if they wish

You can enable them individually

Blessings
but the fact is when you upgrade to WHM6 cpanel will place a free SSL on ALL accounts on the server regardless if you want these added or not as it is the default setting.

yes you can disable this feature in Home »SSL / TLS» Manage AutoSSL, but this does not remove the ones already installed without permission. and cpanel have no feature in place to remove these, so you have to manually remove each one individually.
These are simple DV certs, but these would stop users purchasing DVs from you, so losing you revenue.
 
but the fact is when you upgrade to WHM6 cpanel will place a free SSL on ALL accounts on the server regardless if you want these added or not as it is the default setting.

yes you can disable this feature in Home »SSL / TLS» Manage AutoSSL, but this does not remove the ones already installed without permission. and cpanel have no feature in place to remove these, so you have to manually remove each one individually.
These are simple DV certs, but these would stop users purchasing DVs from you, so losing you revenue.

good day

Again you're right

Users are interested in seeing the padlock

Customers do not care if SSL is professional or Free

We must create a method, that these certificates for free, do not displace the SSL that we sell

Blessings
 
We must create a method, that these certificates for free, do not displace the SSL that we sell

Blessings

that is simple and all cPanel need to do is make the feature disabled as default, so that these are not added to accounts when you upgrade to whm6. then you as a host can market them as free or paid shared SSL certs can activate these for individual accounts
 
but the fact is when you upgrade to WHM6 cpanel will place a free SSL on ALL accounts on the server regardless if you want these added or not as it is the default setting.

yes you can disable this feature in Home »SSL / TLS» Manage AutoSSL, but this does not remove the ones already installed without permission. and cpanel have no feature in place to remove these, so you have to manually remove each one individually.
These are simple DV certs, but these would stop users purchasing DVs from you, so losing you revenue.

Good point. You mentioned addressing cPanel about it - did they offer any suggestion as to a permanent fix?
 
Good point. You mentioned addressing cPanel about it - did they offer any suggestion as to a permanent fix?

this is all i get from cpanel

Hello,

Thank you for getting back to us. Andrew already explained how to remove the certificates from the server. I've included that information below as well:

However, you can remove certificates in WHM -> SSL/TLS -> Manage SSL Hosts, and then remove the certificates from WHM -> SSL/TLS -> SSL Storage Manager.

There is nothing in cPanel that will do mass removal though. I apologize for the inconvenience.

I'd suggest opening a feature request to have our developers implement a tool to do mass removal of SSL certificates at https://features.cpanel.net. I can understand where you're coming from, but this isn't something that we have in the product as clients don't normally want to remove SSL certificates, especially in mass.

i esculated the ticket as i was getting nowhere and this is what i got from management.

Hello,

Thank you for your patience, I've read over the ticket and got myself familiar with the issues you're having.

It's concerning that you weren't presented with the feature showcase option upon first login after upgrading to v60, and we've not been presented with issues where this didn't show up with other customers. Do you have other people who login via root who may have just accepted the default settings and moved on?

Since the damage you noted has already been done (the sites got free SSL certificates), the solution you are looking for is to delete them all - unfortunately this isn't something that is typically requested so it would be a feature request that would need to be made for implementation. The only currently provided method is to delete them from the UI individually. We do, however, offer an API call that you may take benefit in using here:

https://documentation.cpanel.net/display/SDK/UAPI+Functions+-+SSL::delete_ssl

You could essentially create a for loop to traverse through domains and delete them.

--

I'd like to further comment that the certificates that got installed are DV certificates, which is typically the lower end SSL certificates - we've recently implemented the Market Provider, which allows you (the server owner/provider) to sell your SSL certificates through our interfaces. ( https://documentation.cpanel.net/display/ALD/Market+Provider+Manager ) You can choose to resell our certificates, or create your own plugin for the manager to have it go through your own provider.

The cPanel DV Certificates are only installed on domains that have no SSL certificate, it previously replaced signed ssl certificates if they were set to expire within 3 days, but this got changed (and may have been changed after you updated) as per: https://documentation.cpanel.net/di...ongerreplacesnon-AutoSSLcertificatesbydefault

so in otherwords

TOUGH we will do what we like
 
A few things here:

Firstly, cPanel doesn't force you to use their software. They don't force you to use AutoSSL either. You're more than welcome to turn it off once you upgrade.

Secondly, by default, cPanel will not overwrite certificates, unless they are expired. Not sure about expired ones, even.

This has been an issue since long before they released autossl. They tried this with service certificates, and got a ton of feedback there as well. I wouldn't say they are a 'law unto themselves', but they do seem to want their name out there quite a bit.
 
A few things here:

Firstly, cPanel doesn't force you to use their software. They don't force you to use AutoSSL either. You're more than welcome to turn it off once you upgrade.
yes they do as when you upgrade to WHM version 60 they automatically placed DV SSL to every account on both my servers.
This is forcing this service onto me.
so they place a free DV cert onto a clients account, so is that client going to purchase an SSL from you NO, so you lose revenue due to this action by cpanel.

Secondly, by default, cPanel will not overwrite certificates, unless they are expired. Not sure about expired ones, even.

I am afraid the autoSSL system did override 2 paid SSL certs that were still active and not expired.
 
cPanel certainly isn't perfect, but I still prefer it over other options.

yes, but what i objected too is them deciding every account should have a cpanel SSL and then install these without permission, which would lose me revenue.

It took me 3 hrs to remove all these manually and then disable autoSSL, but even after disabling it they went ahead and installed all the SSLs again.

now when i reported this they have thought the best action is to ignore me
 
Its a good move by cPanel to offer some free security the only problem is them not asking you before hand if you want it installed or not so that you treat it case by case
 
Its a good move by cPanel to offer some free security the only problem is them not asking you before hand if you want it installed or not so that you treat it case by case

yes that is my point, any security is good, but it is the way they have gone about it and the way they caused the problem, but are not willing to fix it.

I would rather have it disabled as default, so you as a host can activate it if you want, but then when you activate it, the system will place an SSL on all accounts, so a host loses the revenue of shared SSLs.

i would rather have it so you can enable it and then decide which accounts get an SSL cert.

this way some clients may purchase an SSL cert from you as 9/10 clients that purchase as SSL will purchase a comodo positive ssl or rapidssl, but why would they need to purchase 1 when cpanel have decided to give them one free
 
well it seems cpanel through their dummy out of their pram.

yesterday i got an email that i thought was spam from paypal saying cpanel had refunded me £428, so i check my PP account and yes money in their, so contacted cpanel to see if it was genuine and why.

it seems it was genuine and they refunded me and cancelled my cpanel licences as they did not like that i suggested they placed autossl as disabled by default.

The fact is i do not pay then for licences as these come as part of my VPS packages.
 
Hi,

This is a very important point that is covered, but whenever a new features is introduced with the next WHM login, it asks to enable it or not with a little bit of explanation and if anyone is not sure, they can just keep it disabled and later on with proper planning implement those... It seems that you may have missed on this pop up that may have occurred at the next login after cPanel update. I have seen this so many times occurring and being an admin, I would like to have those evaluated properly before implementing, so the existing setup is not disturb. May be you will have to look for this the next time because cPanel is implementing lot of things and is like to override the current features too.. I do agree forcing things is not good especially with the SSL when it is known that more SSL provider already exist and already certificate from these SSL would have been installed on the server already those more strongly encrypted than the cPanel is forcing..
 
Hi,

This is a very important point that is covered, but whenever a new features is introduced with the next WHM login, it asks to enable it or not with a little bit of explanation and if anyone is not sure, they can just keep it disabled and later on with proper planning implement those... It seems that you may have missed on this pop up that may have occurred at the next login after cPanel update. I have seen this so many times occurring and being an admin, I would like to have those evaluated properly before implementing, so the existing setup is not disturb. May be you will have to look for this the next time because cPanel is implementing lot of things and is like to override the current features too.. I do agree forcing things is not good especially with the SSL when it is known that more SSL provider already exist and already certificate from these SSL would have been installed on the server already those more strongly encrypted than the cPanel is forcing..

Yes i always read the showcase when upgrading for new features etc. which their was no mention of autossl. you could take i may have missed it on 1 server, but on both servers is very unlikely. The thing with cpanel is they know they are no1 and nothing matches them, so they can do as they please
 
I agree that this should never have been enabled by default. We already had autossl on in v58 so I can't say if there was a notice asking to enable/disable this feature after the upgrade.

We activly follow new features / versions of cPanel and have a small VPS to test them before they make it to stable. We run our production servers in the stable branch and allow automatic upgrades. When a feature that could cause issues is comming out soon we switch to LTS so we can be there when the upgrade happens and make sure all options are ok.

If we didn't follow new versions regularly we would put our servers in LTS to only manually upgrade to new major versions.
 
We already had autossl on in v58.

was the the cpanel one as this was only brought in under version 60

thesslstore have their cpanel plugin which they call autossl, which allows clients to order SSL cert direct through the plugin.

what gets me is cpanel just recently allowed Let's Encrypt to link into their system and then they bring out their own SSL certificates, so that is 2 free SSL services available through cpanel which does make it less likely a client will pay a host for a basic SSL cert.
 
Top