In Progress CPANEL-42630 - Determining best certificate logic

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
How does cPanel's best certificate for a service logic work?

It seems that for addon domains, despite having a certificate issued for that domain name - and mail. included in the SANs for that certificate, the cPanel best certificate logic is determining that the server's hostname is the best certificate to use for IMAP.

This has ramifications in displaying the best SSL/TLS settings for an email account in cPanel.

Or am I doing something wrong somewhere?

Is there a way to overwrite and set my own recommended setting for a given domain name?
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I think the issue may be that the addon domain's (i.e. addondomain.com) certificate is expired... but there is a mail subdomain attached to that addon domain (mail.addondomain.com) that is valid.

It would seem that the system is not adding mail.addondomain.com to the list of domains to check for a valid certificate.

Seemingly the steps to duplicate this would be:

-add an addon domain (addondomain.com) to an account
-don't issue a CA signed certificate for this addon domain
-create a mail. subdomain for this domain (mail.addondomain.com)
-issue a CA signed certificate for this mail. subdomain (mail.addondomain.com) and just for this subdomain
-create an email account on the addon domain ([email protected])
-click the Connected Devices button on the Email Accounts list page for this newly created email account ([email protected])
-note that the Secure SSL/TLS Settings (Recommended) does not list the mail. subdomain (mail.addondomain.com) as the recommended incoming and outgoing mail server to use
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there!

I think the main issue here is that cPanel isn't designed to support only the mail subdomain in the certificate. In a default addon domain scenario, at least on my test server with live DNS, both the domain and mail.domain.com were secured with the SSL. When I follow these instructions with the default SSL, the correct settings are shown in both a mail client (I used Thunderbird for testing) and cPanel >> Connect Devices:

-created an addon domain
-configured DNS for the domain
-ran AutoSSL to ensure the domain/subdomain was secured
-confirmed the domain could be reached over https in a browser, indicating the SSL has been applied

Can you get me more details on why the mail subdomain would have an SSL but the main domain wouldn't? I'm happy to create a case with the developers about the cert for just "mail" not being enough to be detected properly, but I'd like to have a bit more background on how we got to this scenario, if possible.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
What if we're only handling mail for addondomain.com?

What if addondomain.com and www.addondomain.com are resolving to some other remote server?

mail.addondomain.com is resolving to our server. And the MX record for addondomain.com is pointing to mail.addondomain.com

Additionally, what if mail.addondomain.com has a paid certificate?

There really shouldn't be any tie in to AutoSSL with this. What does "best certificate available" have to do with whether or not the certificate was issued with AutoSSL?
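The following is an added example, not part of this thread and not cPanel's actual "best certificate" code. It models the selection problem described in the reproduction steps above and in the mail-only hosting question: a selector walks a list of candidate names for a mailbox's domain, accepts only an unexpired, CA-signed certificate that covers the name, and otherwise falls back to the server hostname. The certificates, the hostname `server.example.net`, the fixed clock `NOW`, and the `include_mail_subdomain` switch are all constructed assumptions for illustration; the point is that when `mail.<domain>` is absent from the candidate list, a valid certificate for it is never considered and the hostname wins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
HOSTNAME = "server.example.net"  # assumed server hostname, not from the thread


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an installed certificate (constructed; not cPanel's object model)."""
    label: str
    names: frozenset        # CN plus subjectAltNames
    not_after: datetime
    ca_signed: bool = True  # False would mark a self-signed fallback certificate


def covers(cert: Certificate, name: str) -> bool:
    """True if the certificate's names cover `name`, allowing a single-label wildcard."""
    if name in cert.names:
        return True
    labels = name.split(".")
    return len(labels) > 2 and ("*." + ".".join(labels[1:])) in cert.names


def is_usable(cert: Certificate, now: datetime) -> bool:
    """A certificate only counts if it is CA-signed and not yet expired."""
    return cert.ca_signed and cert.not_after > now


def candidate_names(domain: str, include_mail_subdomain: bool) -> list:
    """Names the selector checks for a mailbox on `domain`, in order of preference."""
    names = []
    if include_mail_subdomain:
        names.append("mail." + domain)
    names += [domain, "www." + domain]
    return names


def recommend_mail_host(domain, certs, hostname, now, include_mail_subdomain=True):
    """Return (recommended host, certificate label).

    Picks the first candidate name backed by a usable certificate; if none
    qualifies, falls back to the server hostname and its certificate.
    """
    for name in candidate_names(domain, include_mail_subdomain):
        for cert in certs:
            if is_usable(cert, now) and covers(cert, name):
                return name, cert.label
    for cert in certs:
        if is_usable(cert, now) and covers(cert, hostname):
            return hostname, cert.label
    return hostname, None


def thread_scenario():
    """Constructed certificates matching the reproduction steps: the addon domain's
    certificate is expired, and a separate valid certificate exists for
    mail.addondomain.com only."""
    return [
        Certificate("hostname", frozenset({HOSTNAME}), NOW + timedelta(days=60)),
        Certificate("addon-expired",
                    frozenset({"addondomain.com", "www.addondomain.com"}),
                    NOW - timedelta(days=3)),
        Certificate("mail-subdomain", frozenset({"mail.addondomain.com"}),
                    NOW + timedelta(days=80)),
    ]


def without_mail_candidate():
    """Selector that never checks mail.<domain>: the hostname certificate wins."""
    return recommend_mail_host("addondomain.com", thread_scenario(), HOSTNAME, NOW,
                               include_mail_subdomain=False)


def with_mail_candidate():
    """Same certificates, but mail.<domain> is in the candidate list."""
    return recommend_mail_host("addondomain.com", thread_scenario(), HOSTNAME, NOW,
                               include_mail_subdomain=True)


if __name__ == "__main__":
    print("mail. not checked:", without_mail_candidate())
    print("mail. checked:    ", with_mail_candidate())
```

Running it prints the hostname for the first call and `mail.addondomain.com` for the second; the only difference between the two is whether `mail.<domain>` was ever a candidate. The `is_usable` check is also where an expired certificate drops out, which is why the expired addon-domain certificate cannot rescue the first case even though it would otherwise match.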