[CPANEL-30418] SSL for DNSOnly Server
How can I install SSL for my DNSOnly server?
I heard in another topic that it's not important to install it for DNSOnly, but I don't care about its cost; I just want to be in a safe zone!
Hello, the hostname SSL should automatically install on DNSOnly, provided that the hostname resolves. You can check this by going to WHM>>Service Configuration>>Manage Service SSL certificates (I believe that interface is present on DNSOnly as well; I don't have a server spun up with that on it right now and am going off memory).
I see many certificates listed on this page (WHM>>Service Configuration>>Manage Service SSL certificates), but none of them are working. Check the attached screenshot. It's mentioned in the cPanel Docs: (cPanel, L.L.C. does not offer free cPanel-signed hostname certificates for cPanel DNSOnly servers.)
Actually, that's been updated in v84 by CPANEL-4727, in relation to the Feature Request here: Change Logs - Change Logs - cPanel Documentation, as well:
- Fixed case CPANEL-4727: Improve support for SSL hostname certificates on DNSONLY.
Ok fine, I read the new documentation. This is the output of this command (/usr/local/cpanel/bin/checkallsslcerts); check the attached screenshot. Many invalid SSL certificates are found when I press the (Browse Certificates) button. I need to remove all of them and allow cPanel to generate a new one (self-signed). How can I remove all these certificates? Or which folder is holding the SSL certificates?
The errors you received there are a result of port 80 being blocked. I believe we might have talked about this the other day and I told you you wouldn't need it open, but in this instance (one I didn't think about), if the CNAME (DNS DCV) can't complete then the fallback is the HTTP request, which must be completed over port 80. Checking the DNS record for your hostname, there is indeed no CNAME record present. The certs are present at:
/var/cpanel/ssl/system/certs
I'd suggest, if you do remove them, running the following immediately after:
/scripts/rebuilduserssldb
/scripts/rebuildinstalledssldb
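A small inventory script, added here as an example and not a cPanel script, that does what the question above is after: it lists every certificate in a directory with its status, expiry and subject and flags the expired and soon-to-expire ones, so you can see which files under /var/cpanel/ssl/system/certs are stale before removing anything (and then running the two rebuild scripts). It needs only the openssl CLI. The directory path and the 30-day warning window are parameters; how the files inside that directory are named is not assumed, every regular file is tried and anything openssl cannot parse is reported as UNREADABLE.

```shell
#!/bin/sh
# ssl_cert_inventory.sh -- added example, not a cPanel script.
# Lists every certificate file in a directory with its status, expiry and
# subject so you can see which entries are stale before deleting anything.
# Defaults to the path named in the thread; requires only the openssl CLI.
# The naming of files in that directory is not assumed: every regular file
# is tried, and anything openssl cannot parse is reported as UNREADABLE.

DEFAULT_DIR=/var/cpanel/ssl/system/certs
DEFAULT_WARN=2592000   # 30 days, in seconds

# cert_status FILE [WARN_SECONDS]
# Prints one tab-separated line: STATUS  notAfter  subject  file
# STATUS is OK, EXPIRING (expires within WARN_SECONDS), EXPIRED or UNREADABLE.
# Always returns 0 so a loop over a directory is not cut short by one bad file.
cert_status() {
    file=$1
    warn=${2:-$DEFAULT_WARN}
    if ! enddate=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null); then
        printf 'UNREADABLE\t-\t-\t%s\n' "$file"
        return 0
    fi
    enddate=${enddate#notAfter=}
    subject=$(openssl x509 -noout -subject -in "$file" 2>/dev/null)
    subject=${subject#subject=}
    # -checkend N exits non-zero when the certificate expires within N seconds,
    # so -checkend 0 is a plain "has it already expired" test.
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        status=EXPIRED
    elif ! openssl x509 -noout -checkend "$warn" -in "$file" >/dev/null 2>&1; then
        status=EXPIRING
    else
        status=OK
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$enddate" "$subject" "$file"
}

# inventory [DIR] [WARN_SECONDS]: one line per regular file in DIR
inventory() {
    dir=${1:-$DEFAULT_DIR}
    warn=${2:-$DEFAULT_WARN}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cert_status "$f" "$warn"
    done
}

# count_status DIR STATUS [WARN_SECONDS]: number of files in DIR with STATUS
count_status() {
    inventory "$1" "${3:-$DEFAULT_WARN}" \
        | awk -F '\t' -v want="$2" '$1 == want { n++ } END { print n + 0 }'
}

# Run the inventory only when a directory is given on the command line.
if [ -n "${1:-}" ]; then
    inventory "$1" "${2:-$DEFAULT_WARN}"
fi
```

Usage: `sh ssl_cert_inventory.sh /var/cpanel/ssl/system/certs` prints one line per file; pipe it through `grep -v '^OK'` to see only the entries worth acting on. Moving the flagged files aside (rather than deleting them) and then running the two rebuild scripts keeps a way back if something in WHM still referenced them.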
After I removed all the certificates in the (certs & keys) folders, I tried to empty the (ssl.db - ssl.db.cache) files too, because the certificates were still appearing in WHM. Then I used your commands (find the attached screenshot). But now, I still don't have any SSL certificates.
Right, you should not have tried to remove that database. It should have rebuilt it based on the output, though. As far as "But now, I still don't have any SSL certificates":
Did you resolve the issue with port 80 or the CNAME record, which is the reason why the certificate wasn't issued?
I have a backup of (ssl.db); I can restore it and run the script commands again if you want. I didn't do anything yet with port 80 or the CNAME. Now I found that the SSL certificate has been issued automatically. But when I tried to install it, it needed to restart the "cpsrvd" service, and unfortunately it always failed to restart it, so I restarted the server (check the attached screenshot). After restarting the server, I see the certificate is not installed yet.
@cPanelLauren I also received this email when I tried to install the SSL yesterday.
@ImperialTrader Is it attempting to install a self-signed certificate? If all the preflight checks are failing then I don't see how you were able to obtain a valid SSL. What is output in the cPanel error log in regard to the cpsrvd restart issue?
Yes, it was attempting to install a self-signed certificate. How can I find the cPanel error log? I can purchase a Sectigo/Comodo SSL and use it on the DNS server if there is an issue with the self-signed certificate!
The cPanel error log should be located at
/usr/local/cpanel/logs/error_log
I can purchase a Sectigo/Comodo SSL and use it on the DNS server if there is an issue with the self-signed certificate!
You certainly can, if that's what you'd like to do. DCV checks would still need to be done, and cpsrvd would still need to be started, so you'd run into the same issue you are experiencing with the free signed Sectigo certificate the system is attempting to provision.
Ok, I understand you. Kindly find the attached screenshot of the cPanel error when I try to install the certificate.
That last line shows cpsrvd running. What is the output of the following:
/scripts/restartsrv_cpsrvd --status
Check the screenshot.
That last line shows cpsrvd running.
I tried to install the certificate again; here is the error log.
Where are you going to install the certificate? Are you attempting to install it for apache?
This one.
@cPanelLauren any update? :)
Hi @ImperialTrader My apologies, I missed your last response. I was able to replicate the apache error on a standalone DNSOnly server. Looking at the case that enabled support for this, there are detailed test instructions, and the portion relevant to your case is as follows:
- Enable DNS clustering (in WHM or via CLI WHM API) on all servers
- Generate an API key/token on each DNSONLY server
- Via your (full license) cPanel&WHM server, add a trust relationship to each DNSONLY server, using the API key/token from your DNSONLY server, and set to Synchronize
- Synchronize DNS zones to your DNSONLY servers
- Sanity Check: Your DNSONLY server hostname(s) should resolve in DNS. If not, verify the accuracy of steps and actions performed. Make certain your server hostname(s) resolve in DNS to the appropriate IPv4/IPv6 address(es). If the hostnames do not resolve, you can expect failure.
- Via CLI/SSH on each DNSONLY server, execute the following:
/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose
- In v84 DNSONLY you should see the "DNS DCV preflight check" result in success
- In v84 DNSONLY you may see, and should be able to safely ignore, a one-time warning that the "Apache TLS index database" does not yet exist after a new installation.
Can you run through these steps and ensure everything is configured as indicated here?
I already have all these steps except point 3: in my (full license) WHM server, I added a trust relationship to my DNSONLY server using the API token from the DNSONLY server, but set to (Write-Only), and in the DNSONLY server I added a trust relationship to all my other (full license) servers as (Standalone). But just for now, I changed both servers to (Synchronize) with each other and I ran the command /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose
@cPanelLauren What does this error mean (Neither HTTP nor DNS DCV preflight checks succeeded)?
Hello, the issue is that the DNS DCV is not completed. You can check for the DNS record yourself as well (or for any of them, for that matter). I only see an A record, and NS that point to AWS. It would seem that this may not be possible if you're hosting DNS outside the server. The HTTPS DCV preflight check is expected to fail on DNSOnly (IMO it shouldn't even be attempted, which I'm going to open an improvement case for) because apache is not needed on those systems and is disabled.
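The test steps and the reply above reduce to three preflight facts: the hostname must resolve to this server's own address, DNS DCV needs the hostname's zone to be served by this cluster so the validation CNAME can be created, and HTTP DCV needs port 80 reachable plus a web server, which DNSOnly does not run. The script below is an added example, not cPanel's checkallsslcerts: it gathers those facts with dig and prints which DCV path can still succeed, with the decision logic kept in plain functions so it can be checked without network access. Finding the zone by walking up to the first name that answers with an SOA, using hostname -I and nc, and using /scripts/restartsrv_httpd --status as the web-server check are assumptions made for this example, not cPanel internals.

```shell
#!/bin/sh
# dnsonly_dcv_preflight.sh -- added example, not cPanel's checkallsslcerts.
# Prints which domain-control-validation (DCV) path can work for the hostname
# of a DNSOnly server, based on three facts drawn from the thread:
#   1. the hostname must resolve to one of this server's own addresses;
#   2. DNS DCV needs the hostname's zone served by this cluster, otherwise
#      cPanel cannot create the validation CNAME;
#   3. HTTP DCV needs port 80 reachable and a web server, which DNSOnly
#      does not run (Apache is disabled there).
# Assumptions (not cPanel internals): dig and hostname -I are available,
# nc is used for the port test, and /scripts/restartsrv_httpd --status is
# used the same way the thread uses restartsrv_cpsrvd --status.

# any_in_list NEEDLES HAYSTACK -> "yes" if any word of NEEDLES is in HAYSTACK
any_in_list() {
    for n in $1; do
        for h in $2; do
            if [ "$n" = "$h" ]; then echo yes; return 0; fi
        done
    done
    echo no
}

# dcv_verdict RESOLVES ZONE_LOCAL PORT80 WEBSERVER (each yes|no)
# Pure decision logic; returns 0 if some DCV path can succeed.
dcv_verdict() {
    if [ "$1" != yes ]; then
        echo "FAIL: hostname does not resolve to this server; no DCV path can succeed"
        return 1
    fi
    if [ "$2" = yes ]; then
        echo "OK: DNS DCV possible (zone is served by this cluster)"
        return 0
    fi
    if [ "$3" = yes ] && [ "$4" = yes ]; then
        echo "OK: HTTP DCV possible (port 80 reachable and a web server is running)"
        return 0
    fi
    echo "FAIL: zone is hosted outside this cluster and HTTP DCV is unavailable"
    return 1
}

# zone_of NAME -> closest enclosing name that answers with an SOA (needs dig)
zone_of() {
    name=${1%.}
    while [ -n "$name" ]; do
        if [ -n "$(dig +short SOA "$name" 2>/dev/null)" ]; then
            echo "$name"; return 0
        fi
        case $name in *.*) name=${name#*.} ;; *) return 1 ;; esac
    done
    return 1
}

# preflight [HOSTNAME]: gather the live facts and print the verdict
preflight() {
    host=${1:-$(hostname -f)}
    command -v dig >/dev/null 2>&1 || { echo "dig is required" >&2; return 2; }
    my_ips=$(hostname -I 2>/dev/null)
    resolved=$(dig +short A "$host"; dig +short AAAA "$host")
    resolves=$(any_in_list "$resolved" "$my_ips")

    # The zone is "ours" if any of its name servers resolves to one of our IPs.
    zone=$(zone_of "$host")
    ns_ips=""
    for ns in $(dig +short NS "$zone"); do
        ns_ips="$ns_ips $(dig +short A "$ns") $(dig +short AAAA "$ns")"
    done
    zone_local=$(any_in_list "$ns_ips" "$my_ips")

    port80=no
    if command -v nc >/dev/null 2>&1 && nc -z -w 3 "$host" 80 >/dev/null 2>&1; then
        port80=yes
    fi
    webserver=no
    if /scripts/restartsrv_httpd --status >/dev/null 2>&1; then webserver=yes; fi

    printf 'hostname=%s resolves=%s zone=%s zone_local=%s port80=%s webserver=%s\n' \
        "$host" "$resolves" "${zone:-?}" "$zone_local" "$port80" "$webserver"
    dcv_verdict "$resolves" "$zone_local" "$port80" "$webserver"
}

# Run the live checks only when a hostname is given on the command line.
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Run it on the DNSOnly server as `sh dnsonly_dcv_preflight.sh dns1.example.test` (replace with your hostname). The situation in this thread, Route53 serving the zone and Apache disabled, comes out as resolves=yes zone_local=no port80=no webserver=no and the second FAIL line, which matches the "Neither HTTP nor DNS DCV preflight checks succeeded" error.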
Yes, my server is in AWS and I'm using Route53 for DNS management. And what is the solution now? :)
I don't believe you'd be able to use the free certificate. I need to confirm this tomorrow, but as far as I can tell, without HTTP DCV and with remotely hosted NS there'd be no way to perform the DCV check. I'll update here with my findings tomorrow. If you do end up needing to purchase a certificate, you'll want to make sure that cpsrvd can restart without issues.
Ok, I'm waiting for you, and I'm ready to purchase the SSL now!
Hi @ImperialTrader I'm discussing this with the team that implemented this feature, and they're asking if you would please open a ticket with us so they can investigate the issue further and hopefully get you a resolution for this. I did find an open case about HTTP DCV failing on DNSOnly, CPANEL-30418, but that only addresses part of the issue. If you do open the ticket with us, please update here with the ticket ID so I can update the ticket as well as the team. Thanks!
I created a ticket. The Support Ticket ID is: 93443506
Thanks a lot @ImperialTrader, I'll let them know.
They have informed me that this issue will be solved in version 86. I'm gonna wait for this version, no problem.