Hostname certificates continue to be reported as having an expired intermediate CA certificate from Sectigo.
We have found that the autofixer we released does not properly update the Root CA for the hostname, so the same issue can persist even after performing the workaround steps.
For reference, the case number is CPANEL-32921. Follow this article to receive an email notification when a solution is published in the product.
NOTE: The following steps will restart services on the system and temporarily provision a self-signed certificate. SSL issuance may be delayed due to the current high volume of SSL requests.
The current workaround is to reset the cPanel and service certificates to self-signed SSL certificates, then force the system to reissue the hostname certificate. The steps are as follows:
- Navigate to WHM » Service Configuration » Manage Service SSL Certificates.
- Click "Reset Certificate" in the row for the service.
- Click "Proceed" in the pop-up.
- Repeat for each service: FTP Server, Exim (SMTP) Server, Dovecot Mail Server, Calendar, cPanel, WebDisk, Webmail, and WHM Services.
The services will automatically be issued the new hostname certificate during the nightly maintenance. Optionally, the reissue can be forced to run immediately with the following command via Terminal or root SSH:
/usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry
Alternatively, all the steps above can be done at once via the command line with the following:
for service in ftp exim dovecot cpanel ; do whmapi1 reset_service_ssl_certificate service=$service ; done ; /scripts/restartsrv_ftpd ; /scripts/restartsrv_dovecot ; /scripts/restartsrv_exim ; /scripts/restartsrv_cpsrvd ; /usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry
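To confirm the workaround took effect, the check below inspects the chain each service actually serves and lists any certificate in it that has expired. It is an added example, not cPanel code: the function names are hypothetical, and it assumes `openssl` is installed and the services listen on their default ports.

```sh
#!/bin/sh
# Added example (not cPanel code): report expired certificates in the chain each service serves.
# Assumed default ports: WHM 2087, cPanel 2083, Webmail 2096, IMAPS 993, SMTPS 465, FTP 21.

# Read "subject=" / "notAfter=" lines (openssl x509 -noout -subject -enddate) on stdin and
# print the subject of each certificate expired at $1 (UTC YYYYMMDDHHMMSS, default: now).
expired_subjects() {
    awk -v now="${1:-$(date -u +%Y%m%d%H%M%S)}" '
        /^subject=/  { subject = substr($0, 9) }
        /^notAfter=/ {
            split(substr($0, 10), f, /[ :]+/)   # Mon DD HH MM SS YYYY TZ
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
            key = sprintf("%04d%02d%02d%02d%02d%02d", f[6], m, f[2], f[3], f[4], f[5])
            if (key + 0 <= now + 0) print subject
        }'
}

# Print subject/notAfter for every certificate a service sends in its TLS handshake.
# $1 = host:port, $2 = STARTTLS protocol (empty for implicit TLS).
served_chain() {
    openssl s_client -connect "$1" ${2:+-starttls "$2"} -showcerts </dev/null 2>/dev/null |
    awk -v cmd="openssl x509 -noout -subject -enddate" '
        /-----BEGIN CERTIFICATE-----/ { pem = ""; on = 1 }
        on { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { on = 0; printf "%s", pem | cmd; close(cmd) }'
}

# Check every service port on host $1; return non-zero if any chain has an expired entry.
check_services() {
    status=0
    for spec in 2087: 2083: 2096: 993: 465: 21:ftp; do
        chain=$(served_chain "$1:${spec%%:*}" "${spec#*:}")
        bad=$(printf '%s\n' "$chain" | expired_subjects)
        if [ -z "$chain" ]; then
            echo "port ${spec%%:*}: no certificate received"; status=1
        elif [ -n "$bad" ]; then
            echo "port ${spec%%:*}: EXPIRED in served chain: $bad"; status=1
        else
            echo "port ${spec%%:*}: served chain is current"
        fi
    done
    return $status
}

if [ $# -gt 0 ]; then check_services "$1"; fi
```

Saved under a name of your choosing and run with the server's hostname as its only argument after `checkallsslcerts` completes, it exits non-zero if any service still serves an expired certificate or returns no certificate at all.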