SSL expired, how to force renewal?
I have an account with AutoSSL running, but the certificate expired yesterday, anyway:
AutoSSL last ran on June 24, 2019.
Expired on June 23, 2019. The certificate will renew via AutoSSL.
The client is calling me, upset because anyone going to their site now gets an error. How do I force it to renew the certificate NOW instead of waiting until 3am?
-
Tried running it for the user from Manage SSL? Go to Manage AutoSSL and check logs to see what went wrong, if it didn't work. 0 -
The log file didn't have anything unexpected, it just said:
3:40:57 AM Analyzing "example.com" …
3:40:57 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (0.68 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
I went under "Manage Users" and clicked to check this domain, generating a new log for it. This one had a new error:
3:28:54 PM Analyzing "example.com" …
3:28:54 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (0.81 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
I've been Googling for anything on the OPENSSL_VERIFY error message, but haven't found anything helpful. I can confirm that the domain is in the Pending queue, but that's not going to run for another 9+ hours. The client is already very angry with me because it's had an error all day, and just hanging out for 9 hours is probably going to result in losing them. 0 -
Please feel free to open a ticket to cPanel Technical Support. No need to wait if you're having some sort of pressing issue like this. 0 -
Try removing the old expired ssl and run autossl again. 0 -
@Infopro, I tried to submit a ticket but had an error message. When it got to the point of "Prepare Server for Support" I kept getting an error that said: A fatal error or timeout occurred while processing this directive. I clicked on Next, anyway, and then got the following error: Unhandled exception string: Can't use an undefined value as a HASH reference at /home/support/lib/API/V3/Tickets/Submission.pm line 207. It looks like the ticket went through anyway, but there's an estimated time of 22 hours for a reply. FWIW, the SSL didn't renew last night, either, so I'm still having the same problem. 0 -
[quote]Try removing the old expired ssl and run autossl again.
I would, but I can't see any way to do either. How do I delete the SSL and manually force it to create a new one? 0 -
What's present in WHM>>SSL/TLS>>Manage AutoSSL -> Logs for the account/domain in question? Any time a certificate isn't issued prior to the expiration with AutoSSL, it is due to an error. What is the ticket ID for your ticket? 0 -
[quote]What's present in WHM>>SSL/TLS>>Manage AutoSSL -> Logs for the account/domain in question?
I ran a check on the account, and here's the entire log for it. Note that I have 2 subdomains for the account, and they both renewed just fine; it's only the main account having an issue.
Log for the AutoSSL run for "example": Tuesday, June 25, 2019 7:36:59 PM GMT-0400 (cPanel (powered by Comodo))
7:36:59 PM AutoSSL's configured provider is "cPanel (powered by Comodo)".
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Checking websites for "example" …
7:37:00 PM Analyzing "new.example.com" …
7:37:00 PM SUCCESS TLS Status: OK
Certificate expiry: 7/26/19, 12:00 AM UTC (30.02 days from now)
7:37:00 PM Analyzing "example.com" …
7:37:00 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (1.98 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
7:37:00 PM Analyzing "urchin.example.com" …
7:37:00 PM SUCCESS TLS Status: OK
Certificate expiry: 7/26/19, 12:00 AM UTC (30.02 days from now)
7:37:00 PM Performing DCV (Domain Control Validation) …
7:37:00 PM Local HTTP DCV OK: example.com
Local HTTP DCV OK: www.example.com (via example.com)
Local HTTP DCV OK: mail.example.com (via example.com)
7:37:00 PM Analyzing "example.com"'s DCV results …
7:37:00 PM AutoSSL will request a new certificate.
7:37:00 PM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com mail.example.com).
No CAA record added because there is no CAA record from another provider in the DNS for example.com.
7:37:01 PM The provider "cPanel (powered by Comodo)"'s AutoSSL queue already contains a certificate request for "example"'s website "example.com". The request's start time is Jun 24, 2019, 7:38:02 AM UTC, and its last poll time is Jun 25, 2019, 6:54:07 PM UTC.
7:37:01 PM The system has completed the AutoSSL check for "example".
[quote]What is the ticket ID for your ticket?
12682573; someone literally JUST replied and said that cPanel is having an issue connecting with Sectigo servers to perform the DCV check, so the problem appears to be on Sectigo's end. If that's the case then I'm surprised that no one else has reported this issue. I may have no choice but to move to LetsEncrypt for the AutoSSL provider. I'm going to wait until 2am, and if I haven't heard anything more then I'll have to do that before going to bed. 0 -
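Added example, not part of the original thread and not cPanel code: a small parser for AutoSSL log text like the excerpts quoted above, which flags a domain that is both reported defective and has a certificate request sitting in the provider queue for many hours. The log line layout is assumed from the excerpts in this thread, the sample log is constructed, and the function names and the 12-hour threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the AutoSSL log excerpts quoted in this thread.
SAMPLE_LOG = """\
7:37:00 PM Analyzing "new.example.com" ...
7:37:00 PM SUCCESS TLS Status: OK
7:37:00 PM Analyzing "example.com" ...
7:37:00 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (1.98 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
7:37:01 PM The provider "cPanel (powered by Comodo)"'s AutoSSL queue already contains a certificate request for "example"'s website "example.com". The request's start time is Jun 24, 2019, 7:38:02 AM UTC, and its last poll time is Jun 25, 2019, 6:54:07 PM UTC.
"""

ANALYZING = re.compile(r'Analyzing "([^"]+)"')
DEFECT = re.compile(r'ERROR Defect: ([A-Z_]+):')
QUEUED = re.compile(r'certificate request for .*? website "([^"]+)"\. '
                    r"The request.s start time is (.+? UTC), "
                    r"and its last poll time is (.+? UTC)\.")
TS_FORMAT = "%b %d, %Y, %I:%M:%S %p UTC"

def parse_autossl_log(text):
    """Return (defects, queued): defect codes per domain, and pending requests."""
    defects, queued, current = {}, {}, None
    for line in text.splitlines():
        if m := ANALYZING.search(line):
            current = m.group(1)          # following ERROR lines belong to this domain
            defects.setdefault(current, [])
        elif (m := DEFECT.search(line)) and current:
            defects[current].append(m.group(1))
        elif m := QUEUED.search(line):
            start = datetime.strptime(m.group(2), TS_FORMAT)
            last_poll = datetime.strptime(m.group(3), TS_FORMAT)
            queued[m.group(1)] = (start, last_poll)
    return defects, queued

def stuck_requests(text, max_hours=12):
    """Defective domains whose queued request has been polled for over max_hours (assumed threshold)."""
    defects, queued = parse_autossl_log(text)
    stuck = {}
    for domain, (start, last_poll) in queued.items():
        hours = (last_poll - start).total_seconds() / 3600
        if defects.get(domain) and hours > max_hours:
            stuck[domain] = (defects[domain], round(hours, 1))
    return stuck

if __name__ == "__main__":
    for domain, (codes, hours) in stuck_requests(SAMPLE_LOG).items():
        print(f"{domain}: {codes}, request pending for {hours} h")
```

A domain reported here has an expired or missing certificate while the provider has held its request without issuing, which is the condition in this thread that called for manual action rather than waiting for the next nightly run.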
Just to update... I had the client call and was pretty upset, so I went ahead and moved over to Let's Encrypt. It took about 3 minutes, and now it's all good :-) For those that read this later and choose to go that route, just SSH to your server as root and use the command:
/scripts/install_lets_encrypt_autossl_provider
This takes about a minute to run. Then when it's done, log in to WHM and go to "Manage AutoSSL". Under "Providers", select "Let's Encrypt", then "Save". Then go to "Manage Users", select the user that needs an immediate update, and click the "Check 'example'" button next to their username. Or, you can click on "Run AutoSSL For All Users" at the top of the page and it will renew certificates for all that are pending. 0 -
Nice, glad to hear that it was sorted out. 0 -
Hi @GoWilkes I just checked in on that ticket and you were definitely affected by the issue with communicating with Sectigo. I know that this is something to do with a communication error on their end and we've made them aware; we're also working with them to resolve it. In the meantime, the workaround is indeed to switch to Let's Encrypt and I'm glad that it worked for you and your clients have gotten their SSLs issued. 0 -
@cPanelLauren, do you know if the issue with Sectigo is resolved? I just learned that Let's Encrypt has a maximum of 100 certificates per account... I have 50+ domains parked on one account so I thought it was OK, but it's also generating certificates for mail and other services that I didn't realize counted toward the quota. So now I'm getting warnings that I have 159 domains and that 59 of them aren't being secured. If Sectigo isn't resolved, is there a way to control which domains Let's Encrypt creates certificates for? I don't have mail accounts on any of the parked domains (they all redirect to the main account), so I don't need a certificate on mail.parked[1-50].com 0 -
Hi @GoWilkes The issues with Sectigo in respect to this thread should have been resolved some time ago. You can switch over to Sectigo and run the AutoSSL check to make sure as well. 0 -
I changed it to Sectigo on the 29th, but the domains that were throwing errors are still throwing errors! The AutoSSL log doesn't show any errors for them, but when I go to the site I still see:
NET::ERR_CERT_COMMON_NAME_INVALID
It's not my computer, I've tried from 3 computers on separate networks. When I view the certificate details, it shows:
Issued by: Let's Encrypt Authority X3
Valid from 7/28/2019 to 10/26/2019
So a certificate exists, it's just not valid. And even though I switched to Sectigo and ran "Run AutoSSL For All Users", and the parked domains are showing up in the log with no errors... it's still trying to use an invalid certificate. Please help, what do I do to fix it? I'm losing about $10/day on each of these parked domains :'-( 0 -
@GoWilkes The fastest and most efficient way to get assistance with this is going to be to open a ticket - it's a lot easier to diagnose and troubleshoot issues with access to the server. If you've got a Let's Encrypt Certificate installed and you're getting that error it's not related to Sectigo at all. If you remove the Let's Encrypt Certificate and run the AutoSSL check again does the issue persist? 0 -
To clarify... do I need to go to Manage SSL Hosts, delete the certificate from the account, then go to Manage AutoSSL and click to Run AutoSSL Check on the account? With what appears to be 189 certificates installed on that account, would that delete all of them and then reinstall them? I deleted the certificate on a subdomain that I just use for a sandbox, and it took close to 2 hours to reinstall the cert. I disabled CSF about 15 minutes before it finished up, but I'm not sure if that helped or if it was coincidence. So I'm wary of essentially taking all of my sites offline for that long (or more if it takes that long for each certificate). 0 -
I wanted to let you guys and gals know that I've gotten it resolved, and I wanted to post some details for future readers. There was no need for a ticket, really, the problem is a lack of documentation on how to do this.
First off, Softlayer was NO help. I submitted a ticket for assistance at 9:37pm on 7/31/19, but have not yet had a reply. They used to be great when they were The Planet, and were OK after Softlayer took over. Now IBM has taken over, and their support is worthless. But I digress.
Last night, in WHM I went to Manage SSL Hosts and deleted the host account that's giving me trouble. This deleted the certificates for all of my parked domains. Then I went to Manage AutoSSL > Manage Users, found the account name, and clicked "Check [example]". The system ran for a minute before giving the following message:
[quote]Checking websites for "example" …
4:02:09 AM Analyzing "example.com" …
4:02:09 AM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
But then at the end it gave:
[quote]The provider "cPanel (powered by Sectigo)"'s AutoSSL queue already contains a certificate request for "example"'s website "example.com". The request's start time is Jul 29, 2019, 9:09:45 PM UTC, and its last poll time is Aug 2, 2019, 9:02:03 PM UTC.
3:18:54 AM The system has completed the AutoSSL check for "example".
So for whatever reason, the system thought that the certificate existed, when it did not! I waited for about 2 hours, and there were no further updates and the certificate wasn't working.
Then I noticed that when I viewed one of my sites and got a certificate error, it said that a certificate existed but that it was for another account on my server. That's when I saw that Manage SSL Hosts had listed that account as "Primary" (presumably because, alphabetically, it was the first on the list of accounts). So I then deleted THAT host, too, and then went back to Manage Users and clicked for it to check both accounts; the one I've been working with all along, and the one that had formerly been listed as the Primary.
Within a few minutes, the log file showed that a new certificate was being installed for both accounts. And within about 10 minutes, all of my accounts were working perfectly again :-D
So I THINK that the key notes here were:
- Go to Manage SSL Hosts and delete the host
- Go to Manage AutoSSL > Manage Users and click "Check [account name]" to get it to reinstall. If it's going to work then it should be reinstalled within 5-10 minutes, max
- If the system thinks that another account's certificate matches the one you deleted and isn't installing the new one, then deleting that host and clicking to reinstall it MAY help. At least, it worked for me. 0 -
Hi @GoWilkes I'm glad you were able to get this issue resolved and thanks for letting us know what worked for you! 0