
The certificate chain failed OpenSSL verification

Comments

13 comments

  • cPanelMichael
    Hello James,

    Was the previously installed certificate issued by the AutoSSL feature, or was it a third-party SSL certificate? If it was a third-party SSL certificate, the following option is available under the Options tab in WHM >> Manage AutoSSL: Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

    Per its description:

    "This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users' CA-issued certificates if they are invalid or expire within 3 days. Unless you fully understand this option, do not select it, because the system could unexpectedly replace an expiring or invalid EV or OV certificate with a DV certificate."

    Thank you.
    0
  • prakashnplink
    Got same error. The option "Allow autossl to replace..." also didn't help. Here is the error I got.

    Log for the AutoSSL run for "username": Monday, May 28, 2018 12:04:09 PM GMT+05-45 (cPanel (powered by Comodo))
    12:04:09 PM AutoSSL's configured provider is "cPanel (powered by Comodo)".
    Checking websites for "username" …
    12:04:09 PM Checking "username.com" …
    12:04:09 PM ERROR TLS Status: Defective
    Certificate expiry: 5/21/19, 12:21 PM UTC (358.25 days from now)
    ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
    12:04:11 PM AutoSSL will request a new certificate.
    12:04:11 PM The system will attempt to renew the SSL certificate for the website (username.com: username.com www.username.com mail.username.com webmail.username.com cpanel.username.com webdisk.username.com).
    The provider "cPanel (powered by Comodo)"'s AutoSSL queue already contains a request for a certificate for "username"'s website "username.com". The request's start time is May 21, 2018, 12:21:51 PM UTC and its last poll time is May 28, 2018, 12:24:30 AM UTC.
    12:04:11 PM The system has completed the AutoSSL check for "username".
    0
  • jtgroup
    Hello Michael, The previous certificate was an AutoSSL issued one and 'Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates' is selected. Kind regards James
    0
  • cPanelMichael
    Hello, Can you open a
    0
  • pineyscripter
    Recently I am having the same problem for all of my accounts - before the SSL certificate would be renewed well before the expiration date - now it just fails every day until the SSL expires and my customer then calls me and says "what is going on ....." I then log into the WHM and run the check for that account (via Manage SSL Hosts) and the certificate is then renewed .... I should not have to do this - it is supposed to be automatically renewed - not manually renewed ....

    Thanks, JerryB

    October 12 2022 log:
    2:21:02 AM ERROR TLS Status: Defective
    ERROR Certificate expiry: 10/14/22, 12:00 AM UTC (1.69 days from now)
    ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.

    October 13 2022 log:
    2:21:03 AM ERROR TLS Status: Defective
    ERROR Certificate expiry: 10/14/22, 12:00 AM UTC (0.69 days from now)
    ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.

    Oct 14 2022 log:
    2:21:03 AM ERROR TLS Status: Defective
    ERROR Certificate expiry: 10/14/22, 12:00 AM UTC (0.31 days ago)
    ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).

    Then when I run the auto ssl check manually it then works ....

    Log for the AutoSSL run for "mnsite06": Friday, October 14, 2022 1:25:09 PM GMT-0500 (cPanel (powered by Sectigo))
    1:25:09 PM AutoSSL's configured provider is "cPanel (powered by Sectigo)".
    This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
    Analyzing "mnsite06"'s domains …
    1:25:09 PM Analyzing "hilonesome.missourimasternaturalist.org" (website) …
    1:25:09 PM ERROR TLS Status: Defective
    ERROR Certificate expiry: 10/14/22, 12:00 AM UTC (0.77 days ago)
    ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
    1:25:09 PM Attempting to ensure the existence of necessary CAA records …
    1:25:09 PM No CAA records were created.
    1:25:09 PM Verifying 8 domains' management status …
    Verifying "cPanel (powered by Sectigo)"'s authorization on 8 domains via DNS CAA records …
    1:25:09 PM "mail.hilonesome.missourimasternaturalist.org" is managed.
    "www.hilonesome.missourimasternaturalist.org" is managed.
    "hilonesome.missourimasternaturalist.org" is managed.
    "cpanel.hilonesome.missourimasternaturalist.org" is managed.
    "webdisk.hilonesome.missourimasternaturalist.org" is managed.
    "webmail.hilonesome.missourimasternaturalist.org" is managed.
    "cpcontacts.hilonesome.missourimasternaturalist.org" is managed.
    "cpcalendars.hilonesome.missourimasternaturalist.org" is managed.
    All of this user's 8 domains are managed.
    CA authorized: "hilonesome.missourimasternaturalist.org"
    CA authorized: "mail.hilonesome.missourimasternaturalist.org"
    CA authorized: "www.hilonesome.missourimasternaturalist.org"
    CA authorized: "cpanel.hilonesome.missourimasternaturalist.org"
    CA authorized: "webdisk.hilonesome.missourimasternaturalist.org"
    CA authorized: "webmail.hilonesome.missourimasternaturalist.org"
    CA authorized: "cpcontacts.hilonesome.missourimasternaturalist.org"
    CA authorized: "cpcalendars.hilonesome.missourimasternaturalist.org"
    "cPanel (powered by Sectigo)" is authorized to issue certificates for 8 of this user's 8 domains.
    1:25:09 PM Performing HTTP DCV (Domain Control Validation) on 8 domains …
    1:25:09 PM Local HTTP DCV OK: hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: www.hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: mail.hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: cpanel.hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: webdisk.hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: webmail.hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: cpcontacts.hilonesome.missourimasternaturalist.org
    Local HTTP DCV OK: cpcalendars.hilonesome.missourimasternaturalist.org
    1:25:09 PM No local DNS DCV is necessary.
    1:25:09 PM Processing "mnsite06"'s local DCV results …
    1:25:09 PM Analyzing "hilonesome.missourimasternaturalist.org"'s DCV results …
    1:25:10 PM SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: www.hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: mail.hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: webmail.hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: cpanel.hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: webdisk.hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: cpcontacts.hilonesome.missourimasternaturalist.org
    SUCCESS "cPanel (powered by Sectigo)" HTTP DCV OK: cpcalendars.hilonesome.missourimasternaturalist.org
    AutoSSL will request a new certificate.
    1:25:10 PM The system will attempt to renew the SSL certificate for (hilonesome.missourimasternaturalist.org: hilonesome.missourimasternaturalist.org www.hilonesome.missourimasternaturalist.org mail.hilonesome.missourimasternaturalist.org webmail.hilonesome.missourimasternaturalist.org cpanel.hilonesome.missourimasternaturalist.org webdisk.hilonesome.missourimasternaturalist.org cpcontacts.hilonesome.missourimasternaturalist.org cpcalendars.hilonesome.missourimasternaturalist.org).
    1:25:13 PM The cPanel Store received "hilonesome.missourimasternaturalist.org"'s certificate order. (Order Item ID: 1975913525)
    The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
    The system has completed "mnsite06"'s AutoSSL check.
    0
  • cPRex Jurassic Moderator
    @pineyscripter - have you possibly changed SSL providers, such as moving from Sectigo to Let's Encrypt? If so, the server may not be configured to overwrite certificates issued by other providers. You can check this setting in WHM >> Manage AutoSSL using the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" setting under the "Options" tab.
    0
  • pineyscripter
    @pineyscripter - have you possibly changed SSL providers, such as moving from Sectigo to Let's Encrypt? If so, the server may not be configured to overwrite certificates issued by other providers. You can check this setting in WHM >> Manage AutoSSL using the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" setting under the "Options" tab.

    Nothing has changed .... been using the same Auto Host SSL process via WHM for years all using the CPANEL provider and they had been successfully renewing every 3 months like clockwork - but now they all seem to be failing until I log into WHM and run the process manually .... I have a domain that is supposed to renew on the 19th - so let's see what happens .....
    0
  • pineyscripter
    So if nothing else I can now figure out what these logs are doing ..... but there was a problem with the provider not accepting incoming requests .....

    Reading the logs I could see that for weeks when the process got to the point of attempting to contact the provider the process failed:

    AutoSSL will request a new certificate.
    2:21:09 AM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.

    That is when I got a call from my users that the certificate was no longer valid ..... Looked at the log and saw that the auto ssl was not successful. I then ran the Auto SSL check for that account and it was successful ? So the question becomes why did it just keep failing before that ......

    I then checked all 3 of my servers and sure enough they were all doing the same thing .... failing every night with the same issue:

    The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.

    So the certificate that was due to expire on the 19th that I mentioned above: Failed every day since October 3rd (2022):

    The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.

    This evening's run (Oct 16 2022) it succeeded ..... that's 15 straight days that it failed .....

    I did find a new error on one of the attempts that was different: On October 6th instead of the 'The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.' error the log showed this error:

    8:26:07 PM ERROR AutoSSL failed to request an SSL certificate for "campbrimshire.org" because of an error: (XID 952der) The response to the HTTP (Hypertext Transfer Protocol) "POST" request from " indicated an error (500, Internal Server Error):
    0
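The failure pattern in the logs above (a defective certificate every night with no order ever accepted by the provider) can be caught before expiry. The following is an added example, not part of the original thread and not cPanel code: it assumes one blob of log text per nightly run as pasted above, reads `(0:10:CERT_HAS_EXPIRED)` as depth, error number and error name, and uses hypothetical function names and a hypothetical threshold of two stalled runs.

```python
import re
from datetime import date

EXPIRY = re.compile(r"Certificate expiry: .*? \(([\d.]+) days (from now|ago)\)")
DEFECT = re.compile(r"Defect: ([A-Z_]+):")
VERIFY = re.compile(r"\((\d+):(\d+):([A-Z0-9_]+)\)")  # assumed depth:errno:name
REFUSED = "cannot currently accept incoming requests"
ORDERED = re.compile(r"received .*certificate order")

def parse_run(text):
    """Summarise one AutoSSL run's log text for a single website."""
    out = {"days_left": None, "defect": None, "verify": None,
           "refused": REFUSED in text, "ordered": bool(ORDERED.search(text))}
    if m := EXPIRY.search(text):
        days = float(m.group(1))
        out["days_left"] = -days if m.group(2) == "ago" else days
    if m := DEFECT.search(text):
        out["defect"] = m.group(1)
    if m := VERIFY.search(text):
        out["verify"] = (int(m.group(1)), int(m.group(2)), m.group(3))
    return out

def stalled_streak(runs):
    """Count the newest consecutive runs that found a defect but placed no order."""
    streak = 0
    for _day, text in sorted(runs, reverse=True):
        r = parse_run(text)
        if r["defect"] is None or r["ordered"]:
            break
        streak += 1
    return streak

def triage(runs, max_streak=2):
    """'page' if expired or stalled too long, 'watch' if stalling, else 'ok'."""
    latest = parse_run(max(runs)[1])
    streak = stalled_streak(runs)
    expired = latest["days_left"] is not None and latest["days_left"] <= 0
    if (expired and latest["defect"]) or streak > max_streak:
        return "page"
    return "watch" if streak else "ok"

# Constructed sample: three nightly runs modeled on the log text quoted in this thread.
_TAIL = ('AutoSSL will request a new certificate. The "cPanel (powered by Sectigo)" '
         "provider cannot currently accept incoming requests. The system will try again later.")
_EXP = "ERROR Certificate expiry: 10/14/22, 12:00 AM UTC "
SAMPLE_RUNS = [
    (date(2022, 10, 12), _EXP + "(1.69 days from now) ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon. " + _TAIL),
    (date(2022, 10, 13), _EXP + "(0.69 days from now) ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon. " + _TAIL),
    (date(2022, 10, 14), _EXP + "(0.31 days ago) ERROR Defect: OPENSSL_VERIFY: "
     "The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED). " + _TAIL),
]
```

`triage(SAMPLE_RUNS)` returns `"page"`; with only the first night's run it returns `"watch"`, which is the point at which an operator can run the AutoSSL check manually instead of waiting for a customer call.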
  • cPRex Jurassic Moderator
    @pineyscripter - that's definitely odd, and 15 days is too much. Could you make a ticket with our team so we can check this out?
    0
  • pineyscripter
    @pineyscripter - that's definitely odd, and 15 days is too much. Could you make a ticket with our team so we can check this out?

    Doesn't seem like I have the ability to create a ticket ?
    0
  • cPRex Jurassic Moderator
    That's odd - you should be able to do it from WHM >> Create a Support Ticket. If not, you can email cs@cpanel.net to start that process.
    0
  • pineyscripter
    Sent the following to cs@cpanel.net

    Thanks, JerryB

    ===========================================================================
    Per the reply that I got from my post I am emailing you to get a ticket started on my issue:

    cPRex, Jurassic Moderator, Staff member:
    indicated an error (500, Internal Server Error):
    That's odd - you should be able to do it from WHM >> Create a Support Ticket. If not, you can email cs@cpanel.net to start that process.
    ===========
    also added my server ip and Support Access ID from my WHM login screen - wasn't sure that I should include that here in a public post ....
    0
  • cPRex Jurassic Moderator
    Sounds good!
    0
