Skip to main content

Defect: OPENSSL_VERIFY

Comments

7 comments

  • cPanelLauren
    Hi @Steven Lukas Is that all that's added to the logs? this is referencing the expired/expiring certificate rather than the current DCV check. Since you're using Let's Encrypt checking the cpstore queue will be fruitless as we don't maintain any control over those certificates. Is the certificate that is currently installed (expired) a Let's Encrypt certificate or was it issued by another provider? Thanks!
    0
  • Steven Lukas
    Yes, I already explained, this was always managed by Letsencrypt, never had any other certificates (I started my thread with that), so it now suddenly failing is a strange problem. We set this server up about 2 years ago and has been running on letsencrypt without problem. I did forget the final rows, just posted the relevant bit, the last bit says it completed (is there a place I can find more logs?) Under the performing dcv there is a warning about an unrelated extra domain. 10:47:03 AM Performing DCV (Domain Control Validation) " 10:47:03 AM The system has completed the AutoSSL check for "example".
    Attached screenshot of the current (expired) certificate
    0
  • cPanelLauren
    Hi @Steven Lukas That Log output does not indicate the DCV check failed, in fact, it looks like it was successful. Why you don't have a certificate issued is up to Let's Encrypt though we have no control over their issuance of certificates. If you have no objections I'd like to see if you can switch the provider to Comodo run the check to see if the certificate is issued or present in the pending queue. Thanks!
    0
  • Steven Lukas
    I tried switching to Comodo, and recheck the domain, this is the log: 3:27:07 PM AutoSSL"s configured provider is "cPanel (powered by Comodo)". This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log. Checking websites for "example" " 3:27:07 PM Analyzing "example.nl" " ERROR TLS Status: Defective ERROR Certificate expiry: 10/9/18, 1:54 AM UTC (2.48 days ago) ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL"s verification (0:10:CERT_HAS_EXPIRED). 3:27:07 PM Performing DCV (Domain Control Validation) " Local HTTP DCV OK: example.nl 3:27:07 PM The system has completed the AutoSSL check for "example".
    I ommitted a few warnings for unrelated subdomains, but one caught my eye that might be causing these problems WARN Failed to modify vps1.exampleserver.nl at /usr/local/cpanel/Cpanel/SSL/DCV/DNS.pm line 250. 11:56:00 AM WARN Not a HASH reference at /usr/local/cpanel/Cpanel/SSL/DCV/DNS.pm line 291.
    For some reason it wants to do the DCV for the server's main uqdn (vps1.exampleserver.nl), but this domain should not have anything to do with it. Any idea if that could be causing problems? And if so, where I should look to correct this? I can find the domain when I get on cPanel under Aliases, but I can't remove it there, it gives me an error about having insufficient rights, thats because it belongs to whm and root. I got no idea how it got there under this account.
    0
  • cPanelLauren
    3:27:07 PM Performing DCV (Domain Control Validation) " Local HTTP DCV OK: example.nl 3:27:07 PM The system has completed the AutoSSL check for "example".
    This portion seems to imply that the DCV check completed successfully - do you have a certificate in the pending queue in Manage AutoSSL?
    For some reason it wants to do the DCV for the server's main uqdn (vps1.exampleserver.nl), but this domain should not have anything to do with it. Any idea if that could be causing problems? And if so, where I should look to correct this?

    That could most certainly cause an issue and I'm actually wondering if the check isn't silently dying after this? Check for the domain at: cd /var/cpanel/userdata/$user/
    then ls -lah
    Check the specific domain files and the file named main and maybe (though not likely) at /var/cpanel/users/$user
    0
  • Steven Lukas
    Hi, I wanted to let you know that I managed to get this fixed with your suggestions. I did a grep on the hostname (vps1.examplehost.nl) inside the /var/cpanel/users/exampleuser to see where it pops up. It was under parked_domains in main, under serveralias in exampledomain.nl_SSL and exampledomain.nl, it was also in the cache variations, but those disappeared after running updateuserdomains / updateuserdatacache. And now, finally, AutoSSL runs without fail, I'm really greatful! I just wanted to know, If you have any idea, how the hell did the hostname become a serveralias/parked domain for a random account domain? I found it listed under parked domains before in whm, but trying to remove it there, gave permission errors. Like I said before, this server was running for over 2 years (and haven't been touched since) and have been renewing its certificates without problem before. So this must happened without our involvement. Any idea if there's anything else I should be looking at? In any case, I'm really happy AutoSSL functions again.
    0
  • cPanelLauren
    Hi @Steven Lukas Some time ago there was an issue with the hostname becoming owned by a user and it's possible it could have still been affecting the server, this in turn with recent updates to the AutoSSL could have further caused an issue. It's hard to say without having access to the system as well as with the issue being resolved now. None the less I'm really happy to see that the issue is resolved and that AutoSSL is working as intended. Thank you very much for updating here that the suggestions I provided helped!
    0

Please sign in to leave a comment.