SSL Everywhere (Again)
It's almost hard to believe it's only been 2 years since Let's Encrypt came out of beta and began providing SSL certificates to the general public. I wrote a post at the time calling it a turning point for the web, but cPanel support was pretty much non-existent. Since then, much has changed. Just 2 months after that post was written, we began using a plugin that offered Let's Encrypt support directly in cPanel for all users on Reclaim Hosting and announced general support for free SSL certificates. In August of 2016, we began employing ways of scripting the ability for domains to get certificates automatically using the plugin and hooks from our billing system, and I wrote a post aptly titled SSL Everywhere, where I wrote:
After testing over the past 2 weeks I'm pleased to announce that going forward every domain hosted by Reclaim Hosting will automatically be provisioned with a free and renewable SSL certificate by default.
Around that same time, cPanel had also made strides to offer its own support for automatic certificate provisioning with the announcement of a feature called AutoSSL. Initially, AutoSSL only supported cPanel's own certificates issued through Comodo, but Let's Encrypt support was added later. Rate limits employed by both certificate providers made it difficult to truly promise SSL everywhere, and one issue we found was that notifications were a real problem.
Normally, receiving a notification that your domain was secure would be a good thing. However, we have often found this can confuse a customer who thinks they might have been charged for something, or possibly that the email is spam, especially if they didn't specifically issue a certificate themselves (and remember, we were attempting to issue certificates for all users, so that would often be the case). Our ideal scenario is one in which all domains have certificates but no one gets needless emails regarding the provisioning of them (success or failure). Our plugin offered such granular notification settings and, at the time, AutoSSL did not, so given the conflict we decided to double down on the Let's Encrypt plugin and disable the AutoSSL feature across the board to streamline things.
We have more recently found out that there is a key difference: the AutoSSL feature can accomplish something that the plugin we use cannot. AutoSSL can (and has in many cases) replace and renew certificates for expired domains. That is a good thing in that even if you had a self-signed certificate, or previously paid for one and it had expired, you'd get a new free one. What we didn't know was that our plugin was not able to do this, so when we disabled cPanel's AutoSSL feature we suddenly had a large number of domains with cPanel-issued certificates that the Let's Encrypt plugin could not renew or replace, leading to confusion with folks waking up and finding their sites didn't work over HTTPS.
In the past, we have pointed folks to our documentation on installing a Let's Encrypt certificate, but remember our goal was that no one was supposed to have to do that. SSL Everywhere was and still is the goal. We needed to fix this. I've reached out to the plugin developers, who are now aware of the issue and have committed to working on a fix that could be released along with wildcard support in the next 2-3 months. But that's a long time to continue fielding issues of certificates not renewing, which can render a site inaccessible.
We decided this week that a better short-term solution was to turn the AutoSSL feature back on and have it issue certificates for any domains that did not have them or were expired. We would continue to have the Let's Encrypt plugin exist, but with the goal being that users would have a certificate from one or the other automatically and, either way, they would be renewed automatically. Unfortunately, an attempt to ensure that users didn't receive a bunch of notifications of this failed. cPanel provides an API call to change the setting, and it returned the correct response, so I didn't think to check and make sure the setting was actually changed, and it wasn't. Long story short, many users got emails for every certificate provisioned. But we've fixed that now so that the emails won't be sent in the future, and meanwhile the good news overall is that I think we're much closer to the goal of SSL Everywhere, provisioned by default and renewed automatically with no work on the part of users.
We'll continue to keep an eye on this in case the landscape changes (with technology it always does) and, as always, reach out if you have any questions or concerns!