Confused about installing new certificate for hostname

Comments

13 comments

  • cPanelLauren
    Hi @Tearabite,

    The free hostname SSL process is a bit different than the standard AutoSSL process, but ultimately if your current certificate is expired you can get the hostname certificate by running the following via CLI:

        /usr/local/cpanel/bin/checkallsslcerts --verbose

    Though this process (pending you hadn't made any customizations) should be automatic. You can see the new certificate (or manage existing ones) by going to WHM>>Service Configuration>>Manage Service SSL Certificates.

    Our documentation on this can be found here: Manage Service SSL Certificates - Version 68 Documentation - cPanel Documentation

    Thanks!
    0
  • Tearabite
    Thank you! When running that command I see an error about pki-validation - the temp file can't be found. It looks like I have a DNS issue I need to work out. I will try again after I fix that.
    0
  • cPanelLauren
    Hi @Tearabite Let us know if you need assistance with the error as well! Thank you!
    0
  • Tearabite
    OK, this is turning a bit into a cluster... My configuration is a bit non-standard because some of this domain (www) is hosted on one server, and the hostname.cpanel/email/whm services are hosted on a different server. The problem now is that for hostname.domain.com, running /usr/local/cpanel/bin/checkallsslcerts --verbose is generating the pki-validation/xxxxxxyyyyy.txt file in an unknown location - it seems that it is not being generated in the cpanel account/public_html account that (I thought) it should be. If I put a dummy file anywhere in the public_html folder of the cpanel account I thought was tied to hostname.domain.com and browse to
    0
  • cPanelLauren
    Hi @Tearabite,

    For the hostname SSL they should be created in:

        /var/www/html/.well-known/pki-validation

    If you go there do you see the hash file?

    Thank you,
    0
  • Tearabite
    Yes - a whole slew of hash files created there. But these aren't being shown when I (or the validator) try to locate them via
    0
  • cPanelLauren
    Can you tell me the exact error you get when you run the following?

        /usr/local/cpanel/bin/checkallsslcerts --verbose
    0
  • Tearabite
    This is the error:

        [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID ra934h) The system queried for a temporary file at ", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

    I found the location where the pki-validation files are being created - it's in an account that has nothing to do with the hostname account. I also found that when trying to open
    0
  • cPanelLauren
    Hello,

    They should definitely not be created in any other location besides /var/www/html/.well-known/pki-validation for the hostname. Can you run the following:

        grep -r hostname.domain.tld /var/cpanel/users/

    If the hostname is listed anywhere but in the system user this is an issue. Can you also ensure that the hostname resolves to that server properly:

        dig a hostname.domain.tld

    Do you have any Apache includes on the server? You can see this at WHM>>Service Configuration>>Apache Configuration -> Include Editor
    0
  • Tearabite
    I don't see any includes. Here is the output from the two commands above (grep was blank/no result):

        root@server [~]# grep -r hostname.domain.net /var/cpanel/users/
        root@server [~]# dig a hostname.domain.net

        ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> a hostname.domain.net
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42265
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;hostname.domain.net. IN A

        ;; ANSWER SECTION:
        hostname.domain.net. 3600 IN A xx.yy.zz.75

        ;; AUTHORITY SECTION:
        domain.net. 86400 IN NS dns2.ourNShost.com.
        domain.net. 86400 IN NS dns1.ourNShost.com.

        ;; Query time: 52 msec
        ;; SERVER: xx.yy.206.2#53(xx.yy.206.2)
        ;; WHEN: Thu Apr 12 09:27:27 2018
        ;; MSG SIZE rcvd: 103

    I think I may have found (part of, at least) the issue:

        hostname.domain.net. 3600 IN A xx.yy.zz.75

    xx.yy.zz.75 is statically assigned to this "other" account where the files are being created; that IP should probably be reserved only for hostname.domain.net. I will be moving that 'other' account to the shared IP pool - will there be any other steps to make sure that hostname.domain.net is using xx.yy.zz.75 and all the files for it get written into the /var/www/html/.well-known/pki-validation dirs?
    0
  • cPanelLauren
    The hostname should use the primary IP of the server; it sounds like it's using an IP that's dedicated to another account. Changing the A record for the hostname or moving the account to the main/shared IP would most likely resolve the issue (based on what I know of the configuration from here).
    0
  • Tearabite
    Right now the hostname AND this 'other' account are using the same IP. I will be moving "other" to the shared IP address, leaving only hostname.domain.net using that IP. Is there a specific setting somewhere to make this the "primary" IP?
    0
  • cPanelLauren
    Hi @Tearabite,

    I wouldn't suggest making changes to the network configuration unless you're an experienced system or network administrator. Ultimately the primary IP is the IP listed on the first network interface. In most cases, this is the IP listed under eth0. We have a couple of threads on how to do this.

    Thank you,
    0
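
The three checks worked through in this thread (hostname not claimed by a cPanel user, A record equal to the primary IP, and a file in /var/www/html/.well-known/pki-validation actually being served), collected into one triage script. This is an added example, not cPanel tooling and not part of any post above; the function names, the probe file name and the PRIMARY_IP argument are assumptions, while the paths and the use of dig come from the thread.

```bash
#!/usr/bin/env bash
# Added triage sketch (not cPanel tooling). Paths come from the thread;
# function names and the probe file name are made up for this example.
USERS_DIR="${USERS_DIR:-/var/cpanel/users}"
DCV_DIR="${DCV_DIR:-/var/www/html/.well-known/pki-validation}"

# Print every cPanel user file that mentions the hostname (should print nothing).
hostname_owners() {
  grep -rlF -- "$1" "$USERS_DIR" 2>/dev/null || true
}

# Succeed only if the resolved A record is the server's primary IP.
a_record_ok() {   # $1 = resolved address, $2 = primary IP
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Drop a throwaway probe file in the hostname's DCV directory; print its name.
make_probe() {
  local name="probe-$$-$RANDOM.txt"
  mkdir -p "$DCV_DIR" && printf 'dcv-probe\n' > "$DCV_DIR/$name" \
    && printf '%s\n' "$name"
}

# Turn the observations into a single verdict line.
verdict() {       # $1 = owners, $2 = resolved, $3 = primary IP, $4 = HTTP status
  if [ -n "$1" ]; then
    echo "FAIL: hostname is listed under a cPanel user: $1"
  elif ! a_record_ok "$2" "$3"; then
    echo "FAIL: A record '$2' is not the primary IP $3"
  elif [ "$4" != "200" ]; then
    echo "FAIL: probe returned HTTP $4; $DCV_DIR is not what this hostname serves"
  else
    echo "OK: files in $DCV_DIR are reachable over HTTP"
  fi
}

main() {          # usage: script hostname.domain.tld PRIMARY_IP
  local host="$1" primary="$2" resolved probe status
  resolved="$(dig +short a "$host" | tail -n1)"
  probe="$(make_probe)"
  status="$(curl -s -o /dev/null -w '%{http_code}' \
            "http://$host/.well-known/pki-validation/$probe")"
  rm -f "$DCV_DIR/$probe"
  verdict "$(hostname_owners "$host")" "$resolved" "$primary" "$status"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as root on the server that owns the hostname; a 404 on the probe while the file exists on disk is the same symptom reported in the checkallsslcerts warning above.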