Question
When does the /usr/local/cpanel/bin/checkallsslcerts command replace the cPanel hostname certificate?
Answer
Free SSL certificates will automatically replace any hostname or service certificates that meet any of the following conditions:
- Maintains a weak signature algorithm.
- Revoked.
- Self-signed. Self-signed certificates are not as secure as certificates that Certificate Authorities (CAs) provide. Because there is no third-party verification, any server could claim to have a self-signed certificate.
- Invalid (For example, your server’s hostname must resolve in DNS and point to the server’s main IP address).
- Will expire soon, based on the following criteria:
- Let’s Encrypt™ certificates that expire in less than 25 days.
- Certificates issued by any other provider that expire in less than 3 days.
When an SSL certificate meets the replacement conditions, the server orders a replacement when the /usr/local/cpanel/scripts/upcp script runs. Then, when Let’s Encrypt sends the replacement certificate, the system downloads and installs it.
If a certificate expires before Let’s Encrypt sends a replacement, the system will install a self-signed certificate as a placeholder. The system will replace its self-signed certificate with the new Let’s Encrypt certificate.
Comments
0 comments
Article is closed for comments.