AutoSSL not renewing expired certificates
Switching to Let's Encrypt was SUCH a mistake! I guess I didn't have a choice because Sectigo was messing up, but still. I made a thread awhile back on it, I had to switch back to Sectigo because it has a limit of 100 domains per account (including www, non-www, and mail).
(Although Let's Encrypt swears that this limitation doesn't exist)
Well, the domains that still had a cert under Let's Encrypt all had the cert expire 2 days ago, and AutoSSL didn't renew them under Sectigo! So I have 60 or so accounts that are throwing a cert error for close to 24 hours. Including the main domain that I use to access WHM!
So when I log in to WHM I have to go through the "Safety" checkpoint.
I go to WHM > Manage AutoSSL and see that it's set to Sectigo (as it should be). But when I click on Options, Logs, Manage Users, or Pending Queue, it just refreshes the page. I right-clicked and tried to open that in a new tab, but then I'm given the Safety checkpoint again. I click to proceed, and it just takes me back to the main page for Manage AutoSSL.
I found the AutoSSL log at /var/cpanel/logs/autossl, though, and at around 5:30pm EST the latest entry said:
The queue contains a request for a certificate for "example"'s website "example.com" (order item ID "12345"). The system last polled for this certificate at Sep 25, 2019, 8:12:08 PM UTC. The next poll will be no earlier than Sep 25, 2019, 8:12:08 PM UTC.
Great, fine, OK. But now it's 10:30pm EST and the entry says:
... The system last polled for this certificate at Sep 26, 2019, 1:37:08 AM UTC. The next poll will be no earlier than Sep 26, 2019, 1:37:08 AM UTC.
What the... ? Since it's been 2 full days since the cert expired, it looks like it's just going to keep pushing up the poll time and not install a new one. Which is just wonderful, I lost clients the first time it messed up, and now I'm definitely going to lose a lot more!
Is there a magic trick to make this work?
-
I'm afraid not :-( I was able to run it for all users through WHM, but it didn't create anything. So I ran it through SSH using the command you posted, but still nothing. I also managed to figure this one out (started from the link you gave, then intentionally left off the --all to see documentation):
/usr/local/cpanel/bin/autossl_check --user=example
For future readers, options are:
autossl_check ( --user= | --all | --help )
That was faster to process, but still nothing. Through WHM I deleted 2 of the SSL Hosts that are expired, because that worked to force a renewal last time. Then I ran AutoSSL via command line for the two users. Every few hours last night the log has this:
[2019-09-26T03:47:03Z] Setting up for Sectigo's DCV (Domain Control Validation) for this certificate request …
[2019-09-26T03:47:04Z] Polling for "example"'s new certificate for "example.com" (order item ID "12345") …
[2019-09-26T03:47:04Z] The certificate is not available. (processing)
Is Sectigo messing up again?
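An added example, not part of the thread or of cPanel's tooling: a small parser that reads AutoSSL log text in the line format quoted above and reports order items that keep coming back as "processing" over a long period. The sample log is constructed from the thread's placeholder values, and the 4-hour threshold and the second order ("other" / example.net / 67890) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the lines quoted in the thread; the second
# order ("other" / example.net / 67890) is invented for contrast.
SAMPLE_LOG = '''\
[2019-09-25T20:12:08Z] Polling for "example"'s new certificate for "example.com" (order item ID "12345") …
[2019-09-25T20:12:08Z] The certificate is not available. (processing)
[2019-09-26T01:37:08Z] Polling for "example"'s new certificate for "example.com" (order item ID "12345") …
[2019-09-26T01:37:08Z] The certificate is not available. (processing)
[2019-09-26T03:47:03Z] Setting up for Sectigo's DCV (Domain Control Validation) for this certificate request …
[2019-09-26T03:47:04Z] Polling for "example"'s new certificate for "example.com" (order item ID "12345") …
[2019-09-26T03:47:04Z] The certificate is not available. (processing)
[2019-09-26T03:47:05Z] Polling for "other"'s new certificate for "example.net" (order item ID "67890") …
[2019-09-26T03:47:05Z] The certificate is not available. (processing)
'''

LINE = re.compile(r"^\[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\]\s+(.*)$")
# ".?s" tolerates a straight, curly or mangled apostrophe after the user name.
POLL = re.compile(r'Polling for "([^"]+)".?s new certificate for "([^"]+)" '
                  r'\(order item ID "([^"]+)"\)')
NOT_READY = "The certificate is not available. (processing)"

def find_stuck_orders(log_text, min_stuck=timedelta(hours=4)):
    """Return orders whose 'processing' polls span at least min_stuck."""
    orders, current = {}, None
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        ts = datetime.strptime(line[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        poll = POLL.search(line[2])
        if poll:
            user, domain, current = poll.groups()
            orders.setdefault(current, {"user": user, "domain": domain, "pending": []})
        elif NOT_READY in line[2] and current is not None:
            # Assumption: the status line follows the poll line it belongs to.
            orders[current]["pending"].append(ts)
            current = None
    stuck = []
    for order_id, info in orders.items():
        seen = info["pending"]
        if len(seen) >= 2 and seen[-1] - seen[0] >= min_stuck:
            stuck.append({"order_id": order_id, "user": info["user"],
                          "domain": info["domain"], "polls": len(seen),
                          "pending_for": seen[-1] - seen[0]})
    return stuck

if __name__ == "__main__":
    for order in find_stuck_orders(SAMPLE_LOG):
        print(order)
```

To use it on a server, pass the text of a log file from /var/cpanel/logs/autossl to find_stuck_orders() instead of SAMPLE_LOG.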
Update: I tried to change the provider to Let's Encrypt (temporary, that won't work for my other domains that expire later), but I can't do it through WHM because of the expired cert! I click to Save and it just runs and runs. I let it go for 5 minutes and it never completed. When I refreshed the page it still showed Sectigo as the provider. I found a command line script to install Let's Encrypt:
/scripts/install_lets_encrypt_autossl_provider
But that didn't help; it's already installed, I just need to change it to the default. I found this:
Hello,
If you are still wanting to set Let's Encrypt as the default provider via the command line, you can use the API command below:
whmapi1 set_autossl_provider provider=LetsEncrypt
Also, can you please ensure that from WHM's Home » SSL/TLS » Manage AutoSSL under the "Options" tab you have the following checkbox enabled: "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." If the certificates were previously Let's Encrypt, you will be required to have that option enabled.
If this is not able to resolve the issue, can you please open a ticket using the link in my signature? You can then post the ticket number in this thread so that we can monitor the ticket and post necessary details and the outcome of the ticket to the thread.
Thank you!
Hi all,
I am having the same trouble: renewing expired certs doesn't function. All the advised steps have been done, but the issue continues and the domain is still pending, answering:
AutoSSL last ran on 12 de abril de 2022. No certificate available. AutoSSL will attempt to secure the domain the next time it runs.
I captured the log below too.
10:30:55 AM ERROR TLS Status: Defective ERROR Defect: NO_SSL: No SSL certificate is installed.
10:30:55 AM Attempting to ensure the existence of necessary CAA records …
10:30:55 AM No CAA records were created.
10:30:55 AM Verifying 3 domains' management status …
Verifying "cPanel (powered by Sectigo)"'s authorization on 3 domains via DNS CAA records …
@capuano - there should be more to that log that shows the error of why it didn't renew.
Hi cP Rex,
The domain is still pending. Every attempt to have AutoSSL renew the expired cert results in:
10:30:55 AM ERROR TLS Status: Defective ERROR Defect: NO_SSL: No SSL certificate is installed.
So I installed:
/scripts/install_lets_encrypt_autossl_provider
This action resolved the trouble for the domain that doesn't renew, but I read that Let's Encrypt is very slow, so what I need is for the Sectigo provider to function right again. What's happening?
Well, OK, it functions very fast to resolve the issue with the domain that doesn't renew with Sectigo, so I'll maintain both installed and, if necessary, change back to Sectigo.
Thank you
Best regards