
AutoSSL failed to request SSL certificate Permission Denied

Comments

26 comments

  • cPanelLauren
    Hello, The error message being provided indicates that the provider you purchased your cPanel license through has disabled the 90 day certificates from cPanel's AutoSSL feature. I would suggest discussing this with your provider to identify the steps necessary to obtain a free 90-day certificate using AutoSSL. Thank you,
    0
  • rivali
    Thanks cPanelLauren! I'm not sure that's the reason as we own the server and we ran the AutoSSL renewals through WHM, not just cPanel. And, as I mentioned above, all the other domains (all same owner on same server) renewed automatically with no problems whatsoever. Only these two had errors and I can't figure out why. Is there any location I can check for a log that would provide more info than the above error message?
    0
  • rivali
    Sorry, just to clarify: we have root access to the server. We did not disable AutoSSL or the 90-day cert feature and it continues to work fine with other domains on the same server. Would you be able to point me to: 1) Any location on the server where I might be able to find/edit the configuration files for AutoSSL? Are they in /etc somewhere? 2) Any location on the server where more detailed AutoSSL logs might be found, so I can troubleshoot better? Thank you for any help you can give.
    0
  • rivali
    After investigating further, it looks like one domain was allowed to expire and then the owner renewed it a few days later after it had already lapsed. It looks like AutoSSL may have checked the domain during this expired period so it would of course have failed the DCV test at that time. The domain is now renewed and the website is still hosted on this server (nothing was changed on the server/website side throughout), but it may be that the temporary IP during the lapsed period is still somehow cached somewhere by AutoSSL/cPanel, so it keeps thinking it can't be validated. Is there a DNS caching period? How long would it take before AutoSSL picks up on the current IP for the renewed domain? The domain was renewed by the owner around the 16th so it's already been a week. The correct IP address should be fully propagated by now. The website was already loading fine on the 17th. Is there any command to tell AutoSSL to double-check the domain again so it will know that the website is now back on our server?
    0
  • cPanelLauren
    Hi @rivali That specific error message won't come up for any other reason than if the AutoSSL 90 day certs are disabled, this isn't something that you would be able to manage from the server either, the license provider would have had to do this in their licensing interface. If you had a temporary IP assigned to the site it may be that the IP had previously been assigned to a provider that disallowed this. When the IP was changed the AutoSSL process was able to complete. You can run the check again any time you would like by running the following via CLI:
    /usr/local/cpanel/bin/autossl_check [--user=$USER | --all]
    You can also do this via the UI at WHM>>SSL/TLS>>Manage AutoSSL. Are you getting an error when running this now? Thank you,
    0
  • rivali
    Thanks cPanelLauren!
    1) Sorry, I was not clear - when I referred to the domain being renewed I meant the domain name registration being renewed by the domain owner, not to the AutoSSL cert being renewed. From what I can tell, it looks like the domain name owner allowed the domain name registration to lapse for about 6 days. During this time AutoSSL was running its usual nightly checks and of course DCV failed because during those 6 expired days the domain name was reassigned to some other temporary IP by the domain registrar. About 6 days after the domain name expired, the owner renewed the domain name registration. We had not removed the site or the zone file from our server during this period, so once the domain name registration was renewed, the original IP settings kicked back in and the site came back online same as before. It has now been about a week or slightly longer since the domain name registration was renewed, so the live website IP should already have propagated. But AutoSSL is still giving the same error when it tries to renew the SSL certificate, which is why I asked whether it was somehow caching an old DNS record - because maybe it is still thinking that the IP is the temporary one from the expired period, whereas the current/new IP should be the correct one pointing to our own server and ought to pass DCV with no problems.
    2) Another domain may have a similar problem. It is partly hosted on a different server with a different hosting company. Some subdomains, including the mail server subdomains, are hosted on this server, but the main domain and the www subdomain are on another server. In cPanel I disabled AutoSSL renewal for the main domain and the www subdomain but enabled AutoSSL renewal for the mail subdomain. The IP address for the mail subdomain is that of our server. It is also getting the same AutoSSL renewal error message.
    3) A third domain originally had no website. It was just used as a pointer to another site. The pointer was originally set using the domain registrar's control panel. A few days ago I changed the DNS settings so that the DNS and the website are now hosted on our server. There is a 301 redirect in cPanel from this third domain to another site. There is also an A record for this third domain in our server's zone file, going to this server's IP address. This third domain is also getting the same error message. I am wondering whether it is because AutoSSL is still seeing the old IP address set at the domain name registrar (which went nowhere), or if it is because the pointer redirect causes problems with DCV. Since it is just a pointer it is fine if it doesn't get an SSL cert, but we would at least like the mail subdomain to have a cert. There is no redirect for the mail subdomain and the A record for the mail subdomain is the correct IP address for our server.
    4) AutoSSL was originally able to give SSL certificates to all three problem domains the first time around, so I am not sure why things have changed now. I noticed that the change log in WHM mentions an update on 3/26: "Implemented case CPANEL-18952: Update AutoSSL provider to sort vhost FQDNs for Apache TLS." Could this change have had any effect on the renewals of the above 3 domains?
    5) I temporarily disabled AutoSSL on the problem domain names yesterday. I was hoping maybe if I gave it a short break it would realize the IP had changed back to that of our own server after I re-enabled it. However, I just tested it again via the WHM UI as per your post, and it is still giving the same error for all three domains.
    Could you please clarify who you meant by "license provider"? Is that a reference to the hosting company or the domain name registrar, or the certificate provider, or some other party? If it's the hosting company I could try to ask them whether they manually disabled AutoSSL on those three domains. Could be they noticed the repeated errors and took action without letting us know.
    Sorry for the lengthy reply (bolding added to hopefully make the key points stand out more from the wall of text :)) and thanks very much for your help!
    0
  • cPanelLauren
    Hi @rivali From what it looks like all the domains are getting the same error regardless of the status of the domain or extenuating circumstances - if this is incorrect and you have some domains getting certificates and some NOT getting certificates and all are using Comodo as the provider I would urge you to open a ticket using the link in my signature so that we can take a closer look.
    > Could you please clarify who you meant by "license provider"? Is that a reference to the hosting company or the domain name registrar, or the certificate provider, or some other party?
    The AutoSSL 90-day certificate is something that can be disabled by the provider you purchased your cPanel license from. There are a few ways to purchase a cPanel license, you can get one directly from cPanel or you can purchase one from a 3rd party or your hosting provider can provide you with one. You can check who you purchased your license from by going to cPanel & WHM License Verification | cPanel Inc. and entering your IP address for your license. The AutoSSL 90-day certificate is able to be disabled per licensed IP address and would affect all domains on the server using AutoSSL 90-day certificates from Comodo. Thank you,
    0
  • rivali
    Thanks very much for the quick reply, cPanelLauren! There are more than 20 domains on the server at the moment and all the rest have been renewing without any problems. Only these three domains are having AutoSSL renewal issues, and these are also the only three with "unusual" setups/issues relating to their domain name registrations or hosting setups. (i.e. one temporarily expired domain name registration, one using a 301 pointer redirect, and one partly hosted on a different server with AutoSSL requested only for the subdomain hosted on our server.) The cPanel came with the server so I'm guessing it came from the hosting provider. I will check using the license verification link you provided and open a support ticket as you recommended, since none of our other domains are having this renewal problem.
    0
  • cPanelLauren
    Hi @rivali I think it may be best to open a ticket so we can look closer, either way. This shouldn't be happening for just a few domains on the server. Please post the ticket ID here once it's open so we can follow up here once the ticket is complete. Thank you,
    0
  • rivali
    Yes, based on what you said, if it had been disabled by the license provider then all the domains on the server would have failed since they are all on the same IP address, but all of them renewed successfully except for these three. I'm kind of wondering if it had something to do with the cPanel update of 3/26 mentioned in the cPanel changelogs, because these errors seem to have started just about then. I have opened a ticket with the same subject as this thread title. The ticket # is 9464277. Thank you very much for all your help, cPanelLauren!
    0
  • cPanelLauren
    Hi @rivali You're most welcome, thank you for posting the Ticket ID here. I've checked your ticket and I'll update here as soon as there's more information. Thank you,
    0
  • cPanelLauren
    Hi @rivali Something I noticed when I looked at your ticket, it does indicate that your provider has disabled purchase certificates and 90-day certificates. I am curious, if you attempt to run the AutoSSL check on a domain that previously worked, do you get the same error? Thank you,
    0
  • rivali
    Hi cPanelLauren, No, the error is only appearing for three domains which previously worked. All of the other domains which previously worked are still continuing to work fine and are all being renewed normally. To clarify:
    • There are 20+ domains on the same server on the same IP address
    • All of them previously worked fine when obtaining an SSL cert via AutoSSL for the first time.
    • Now, 3 out of these 20+ domains are giving errors and are unable to renew via AutoSSL.
    • The rest of the 20+ domains are able to renew successfully via AutoSSL and have no errors whatsoever.
    According to what you said, if the license provider had disabled the renewals, it would have affected all the domains on the same IP. But only three domains on this IP are affected. The rest are all renewing just fine. So it would seem to suggest that it is not because the license provider disabled something. However, if it is possible for a license provider to selectively disable only a few domains on the same IP, then please let me know and I will check with my hosting company to see if they have done something. Thanks very much for all your help!
    0
  • cPanelLauren
    I completely understand, I am sorry for any confusion. This setting is something of an all or none setting as I mentioned before you can't just disallow some domains, or rather that isn't the purpose of the setting and why I asked you to open the ticket. The Comodo 90-day certificates shouldn't be getting issued for any of the domains on the server with that setting enabled which is only accessible for your provider. I did see your response to the ticket and the analyst is looking further into the issue now for you. Thank you,
    0
  • rivali
    Thanks very much cPanelLauren! Yes, the AutoSSL logs on WHM clearly show other domains on the same server, on the same IP, renewing without any problems before, at the same time as, and after the three problem domains had issues. So far it is only affecting these three domains and not any others.
    0
  • cPanelLauren
    Hi @rivali Thank you for that information, I added it to the ticket for the analyst!
    0
  • rivali
    Thanks very much cPanelLauren! The analyst thinks AutoSSL was disabled so I am checking with my hosting company now. I will update again to let you know what they say.
    0
  • cPanelLauren
    Hi @rivali Yes and to elaborate further it appears that the change to disallow 90-day certificates was not made until the 17th of this month, which explains why the previous AutoSSL runs were successful. Please let us know how things go after you speak with the provider. Thank you,
    0
  • rivali
    Thanks cPanelLauren! My hosting company confirms that AutoSSL is enabled on my server, so it's not because of the license provider disabling renewals. April 17th may have been a coincidence, or perhaps something else changed around then. It does match the date on which the expired domain was renewed (as mentioned earlier), but that only relates to one of the domains and not the other two. I'm still suspecting something to do with the March 26th cPanel update, or maybe some kind of IP caching issue. I've updated the support ticket accordingly.
    0
  • cPanelLauren
    Hi @rivali Unfortunately, there's a bit more to this, in our ticket system we immediately get a banner/warning when certain items are present, one of those items is 90-day certificates. Your ticket has one of those banners based on the IP address in the ticket and the Company ID which the license is through. This indicates that the provider disabled this through their Manage2 interface. While I understand they are indicating that they did not disable AutoSSL I am certain that 90-day certificates are disabled in that Manage2 interface. I do believe your hosting company may have done this accidentally but nonetheless this would not have anything to do with the updates that were pushed out, these are unrelated and wouldn't cause the banner we're seeing. This is something they modified in their interface and we cannot change the setting. If they're not sure how to resolve this so that you can use AutoSSL we would be more than happy to assist them through a ticket of their own. Thank you,
    0
  • rivali
    Thanks for that information, cPanelLauren! I will tell them what you said and ask them to double-check. Maybe someone accidentally disabled something and didn't realize it.
    0
  • cPanelLauren
    Hi @rivali Thank you! I am sure that's what happened. Let us know what they say!
    0
  • rivali
    Hi cPanelLauren, You were spot on! The hosting company opened a ticket with cPanel support and it was resolved very quickly. They had never heard of the setting before so it must have been an accidental error. I just ran a test renewal for one of the three domains and it went perfectly. I'm leaving the other two to be picked up by the nightly check, just to make sure that that is also working properly now. Thank you so much for all your help and for your patience with this long thread!
    0
  • cPanelLauren
    Hi @rivali I'm just glad they were able to get it resolved for you and it's working properly now! You're very welcome and thank you for the kind words.
    0
  • jessicarose
    For Everyone else - - - If you have a valid cPanel License, and you are getting this error:
    ERROR AutoSSL failed to request an SSL certificate for "domain.com" because of an error: (XID 76dwkv) The cPanel Store returned an error (X::AuthenticationFailure) in response to the request "POST ssl/certificate/free": Unauthorized
    You should try this cPanel script: /usr/local/cpanel/cpkeyclt
    If you do not have a valid cPanel license you should do the following:
    • purchase a cPanel license.
    • log in to your server via SSH.
    • run /usr/local/cpanel/cpkeyclt command and wait until its accomplishment.
    Option #1 worked for me!!
    0
  • cPanelLauren
    Keep in mind that this is pending your license provider hasn't disabled this feature. In this thread @jessicarose we are primarily talking about an issue in which the license provider was a partner that had disabled the ability for people who had purchased a cPanel license through them to obtain SSL certificates. In a lot of cases this is done so that the provider can provide their own offerings.
    0
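
Added example (not part of the thread and not cPanel code): a small Python triage over AutoSSL log text that separates the store-side errors discussed above ("Unauthorized", "Permission Denied") from other errors, since store-side errors are not fixed by DNS or DCV changes on the server. The function names, the `X::PermissionDenied` class name and every sample line except the one quoted in the thread are assumptions constructed for illustration.

```python
import re

Q = r'["\u201c\u201d]'  # straight or typographic quotes (pasted UI text may use either)
STORE_ERROR = re.compile(
    r'AutoSSL failed to request an SSL certificate for ' + Q + r'(?P<domain>[^"\u201d]+)' + Q +
    r' because of an error: \(XID (?P<xid>\w+)\) The cPanel Store returned an error '
    r'\(X::(?P<cls>\w+)\) in response to the request ' + Q + r'(?P<request>[^"\u201d]+)' + Q +
    r': (?P<msg>.+?)\s*$'
)

# Trailing messages that appear on this page (the quoted error and the thread title).
# Both are answers from the store/licensing side, not DCV results.
STORE_SIDE = {"Unauthorized", "Permission Denied"}


def parse_store_error(line):
    """Return the fields of one store-error line, or None for any other line."""
    m = STORE_ERROR.search(line)
    return m.groupdict() if m else None


def triage(log_lines):
    """Split ERROR lines into store/license-side failures and everything else."""
    store_side, other = {}, []
    for line in log_lines:
        rec = parse_store_error(line)
        if rec and rec["msg"] in STORE_SIDE:
            store_side.setdefault(rec["domain"], []).append((rec["cls"], rec["xid"]))
        elif "ERROR" in line:
            other.append(line.strip())
    if store_side:
        # Per the thread: refresh the license with /usr/local/cpanel/cpkeyclt,
        # and if the error persists, take it to the license provider.
        step = "license"
    elif other:
        step = "per-domain"  # look at DCV/DNS for the domains named in those lines
    else:
        step = "none"
    return {"store_side": store_side, "other_errors": other, "next_step": step}


SAMPLE_LOG = [
    # Line as quoted in the thread:
    'ERROR AutoSSL failed to request an SSL certificate for "domain.com" because of an error: (XID 76dwkv) The cPanel Store returned an error (X::AuthenticationFailure) in response to the request "POST ssl/certificate/free": Unauthorized',
    # Constructed lines (hypothetical domains, XID and error class):
    'ERROR AutoSSL failed to request an SSL certificate for \u201cmail.example.net\u201d because of an error: (XID abc123) The cPanel Store returned an error (X::PermissionDenied) in response to the request \u201cPOST ssl/certificate/free\u201d: Permission Denied',
    'ERROR (constructed) DCV check failed for old.example.org',
    'INFO (constructed) certificate still valid for shop.example.org',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["next_step"], sorted(report["store_side"]), report["other_errors"])
```

As the thread shows, a store-side error on only some domains does not rule out the license setting: certificates issued before the setting changed stay valid until they come up for renewal.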
