
[CPANEL-30418] SSL for DNSOnly Server

Comments

38 comments

  • cPanelLauren
    Hello, the hostname SSL should automatically install on DNSOnly provided the hostname resolves. You can check this by going to WHM >> Service Configuration >> Manage Service SSL Certificates (I believe that interface is present on DNSOnly as well; I don't have a server spun up with that on it right now and am going off memory).
    0
  • ImperialTrader
    Hello, the hostname SSL should automatically install on DNSOnly provided the hostname resolves. You can check this by going to WHM >> Service Configuration >> Manage Service SSL Certificates (I believe that interface is present on DNSOnly as well; I don't have a server spun up with that on it right now and am going off memory).

    I see many certificates listed on this page (WHM >> Service Configuration >> Manage Service SSL Certificates), but none of them are working. Check the attached screenshot. It's mentioned in the cPanel docs: (cPanel, L.L.C. does not offer free cPanel-signed hostname certificates for cPanel DNSOnly servers.)
    0
  • cPanelLauren
    Actually, that's been updated on v84 by CPANEL-4727 in relation to the Feature Request here: Change Logs - Change Logs - cPanel Documentation as well:
    • Fixed case CPANEL-4727: Improve support for SSL hostname certificates on DNSONLY.
    0
  • ImperialTrader
    Actually, that's been updated on v84 by CPANEL-4727 in relation to the Feature Request here: Change Logs - Change Logs - cPanel Documentation as well:
    • Fixed case CPANEL-4727: Improve support for SSL hostname certificates on DNSONLY.

    OK, fine, I read the new documentation. This is the output for this command (/usr/local/cpanel/bin/checkallsslcerts); check the attached screenshot. Many invalid SSL certificates are found when I press the (Browse Certificates) button. I need to remove all of them and allow cPanel to generate a new one (self-signed). How can I remove all these certificates? Or which folder is holding the SSL certificates?
    0
  • cPanelLauren
    The errors you received there are a result of port 80 being blocked. I believe we might have talked about this the other day and I told you you wouldn't need it open, but in this instance (one I didn't think about), if the CNAME (DNS DCV) can't complete, then the fallback is the HTTP request, which must be completed over port 80. Checking the DNS record for your hostname, there is indeed no CNAME record present. The certs are present at: /var/cpanel/ssl/system/certs
    I'd suggest, if you do remove them, running the following immediately after:
    /scripts/rebuilduserssldb
    /scripts/rebuildinstalledssldb
    0
  • ImperialTrader
    The errors you received there are a result of port 80 being blocked. I believe we might have talked about this the other day and I told you you wouldn't need it open, but in this instance (one I didn't think about), if the CNAME (DNS DCV) can't complete, then the fallback is the HTTP request, which must be completed over port 80. Checking the DNS record for your hostname, there is indeed no CNAME record present. The certs are present at: /var/cpanel/ssl/system/certs
    I'd suggest, if you do remove them, running the following immediately after:
    /scripts/rebuilduserssldb
    /scripts/rebuildinstalledssldb

    After I removed all the certificates in the (certs & keys) folders, I tried to empty the (ssl.db, ssl.db.cache) files too, because the certificates were still appearing in WHM. Then I used your commands (find the attached screenshot). But now I still don't have any SSL certificates.
    0
  • cPanelLauren
    Right, you should not have tried to remove that database. It should have rebuilt it based on the output though. As far as
    But now, I still don't have any SSL certificates

    Did you resolve the issue with port 80 or the CNAME record which is the reason why the certificate wasn't issued?
    0
  • ImperialTrader
    Right, you should not have tried to remove that database. It should have rebuilt it based on the output though. As far as Did you resolve the issue with port 80 or the CNAME record which is the reason why the certificate wasn't issued?

    I have a backup of (ssl.db); I can restore it and run the script commands again if you want. I haven't done anything yet with port 80 or the CNAME. Now I found that the SSL certificate has been issued automatically. But when I tried to install it, it needed to restart the "cpsrvd" service, and unfortunately it always fails to restart it, so I restarted the server (check the attached screenshot). After restarting the server, I see the certificate is still not installed.
    0
  • ImperialTrader
    @cPanelLauren I have also received this email when I tried to install the SSL yesterday.
    0
  • cPanelLauren
    @ImperialTrader Is it attempting to install a self-signed certificate? If all the preflight checks are failing, then I don't see how you were able to obtain a valid SSL. What is output in the cPanel error log in regard to the cpsrvd restart issue?
    0
  • ImperialTrader
    @ImperialTrader Is it attempting to install a self-signed certificate? If all the preflight checks are failing, then I don't see how you were able to obtain a valid SSL. What is output in the cPanel error log in regard to the cpsrvd restart issue?

    Yes, it was attempting to install a self-signed certificate. How can I find the cPanel error log? I can purchase a Sectigo/Comodo SSL and use it on the DNS server if there is an issue with the self-signed certificate.
    0
  • cPanelLauren
    The cPanel error log should be located at /usr/local/cpanel/logs/error_log
    I can purchase a sentigo/commodo SSL and use it in the DNS server if there is an issue with the self-signed certificate..!

    You certainly can, if that's what you'd like to do. DCV checks would still need to be done, and cpsrvd would still need to be started, though, so you'd run into the same issue you are experiencing with the free signed Sectigo certificate the system is attempting to provision.
    0
  • ImperialTrader
    The cPanel error log should be located at /usr/local/cpanel/logs/error_log
    You certainly can, if that's what you'd like to do. DCV checks would still need to be done, and cpsrvd would still need to be started, though, so you'd run into the same issue you are experiencing with the free signed Sectigo certificate the system is attempting to provision.

    OK, I understand you. Kindly find the attached screenshot of the cPanel error when I try to install the certificate.
    0
  • cPanelLauren
    That last line shows cpsrvd running. What is the output of the following: /scripts/restartsrv_cpsrvd --status
    0
  • ImperialTrader
    That last line shows cpsrvd running. What is the output of the following: /scripts/restartsrv_cpsrvd --status

    Check the screenshot.
    0
  • ImperialTrader
    That last line shows cpsrvd running.

    I tried to install the certificate again; here is the error log.
    0
  • cPanelLauren
    Where are you going to install the certificate? Are you attempting to install it for apache?
    0
  • ImperialTrader
    Where are you going to install the certificate? Are you attempting to install it for apache?

    This one
    0
  • ImperialTrader
    @cPanelLauren any update? :)
    0
  • cPanelLauren
    Hi @ImperialTrader, my apologies, I missed your last response. I was able to replicate the Apache error on a standalone DNSOnly server. Looking at the case that enabled support for this, there are detailed test instructions, and the portion relevant to your case is as follows:
    • Enable DNS clustering (in WHM or via CLI WHM API) on all servers
    • Generate an API key/token on each DNSONLY server
    • Via your (full license) cPanel & WHM server, add a trust relationship to each DNSONLY server, using the API key/token from your DNSONLY server, and set to Synchronize
    • Synchronize DNS zones to your DNSONLY servers
    • Sanity check: your DNSONLY server hostname(s) should resolve in DNS. If not, verify the accuracy of the steps and actions performed. Make certain your server hostname(s) resolve in DNS to the appropriate IPv4/IPv6 address(es). If the hostnames do not resolve, you can expect failure.
    • Via CLI/SSH on each DNSONLY server, execute the following:
      /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose
    • In v84 DNSONLY you should see the "DNS DCV preflight check" result in success
    • In v84 DNSONLY you may see, and should be able to safely ignore, a one-time warning that the "Apache TLS index database" does not yet exist after a new installation.
    Can you run through these steps and ensure everything is configured as indicated here?
    0
  • ImperialTrader
    Hi @ImperialTrader, my apologies, I missed your last response. I was able to replicate the Apache error on a standalone DNSOnly server. Looking at the case that enabled support for this, there are detailed test instructions, and the portion relevant to your case is as follows:
    • Enable DNS clustering (in WHM or via CLI WHM API) on all servers
    • Generate an API key/token on each DNSONLY server
    • Via your (full license) cPanel & WHM server, add a trust relationship to each DNSONLY server, using the API key/token from your DNSONLY server, and set to Synchronize
    • Synchronize DNS zones to your DNSONLY servers
    • Sanity check: your DNSONLY server hostname(s) should resolve in DNS. If not, verify the accuracy of the steps and actions performed. Make certain your server hostname(s) resolve in DNS to the appropriate IPv4/IPv6 address(es). If the hostnames do not resolve, you can expect failure.
    • Via CLI/SSH on each DNSONLY server, execute the following:
      /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose
    • In v84 DNSONLY you should see the "DNS DCV preflight check" result in success
    • In v84 DNSONLY you may see, and should be able to safely ignore, a one-time warning that the "Apache TLS index database" does not yet exist after a new installation.
    Can you run through these steps and ensure everything is configured as indicated here?

    I already have all these steps except point 3. On my (full license) WHM server, I added a trust relationship to my DNSONLY server using the API from the DNSONLY server, but set to (Write-Only), and on the DNSONLY server, I added a trust relationship to all my other (full license) servers as (Standalone). But just for now, I changed both servers to (Synchronize) to each other and ran the command
    /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose
    Find the attached screenshot with the output.
    0
  • ImperialTrader
    @cPanelLauren What does this error mean (Neither HTTP nor DNS DCV preflight checks succeeded)?
    0
  • cPanelLauren
    Hello, the issue is that the DNS DCV is not completed. You can check for the DNS record yourself as well (or for any of them, for that matter); I only see an A record, and NS records that point to AWS. It would seem that this may not be possible if you're hosting DNS outside the server. The HTTPS DCV preflight check is expected to fail on DNSOnly (IMO it shouldn't even be attempted, which I'm going to open an improvement case for) because Apache is not needed on those systems and is disabled.
    0
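    As an added illustration of why both preflight checks fail in the configuration described above (this is not cPanel's code and not from anyone in this thread): a validator doing DNS DCV only sees records in the zone copy that the public NS delegation points at, so a CNAME this server writes into its own copy of the zone is invisible when the NS records point at Route53, and the HTTP fallback needs a listener on port 80, which a DNSOnly box with Apache disabled does not have. The CNAME label, the .well-known path, the .dcv.invalid target and the sample zones are assumptions for the model, not cPanel's or Sectigo's actual values; the three scenarios are constructed.

```python
"""Offline model of the two DCV preflight checks a cPanel hostname certificate
depends on: DNS DCV (a CNAME the server publishes in the hostname's zone) and
the HTTP fallback (a token fetched over port 80). Added example, not cPanel's
code; the CNAME label, the .well-known path, the target suffix and all sample
zones are assumptions for illustration."""
import secrets
from dataclasses import dataclass, field

DCV_LABEL = "_cpanel-dcv-test-record"      # assumed DCV CNAME label
DCV_PATH = "/.well-known/pki-validation/"  # assumed HTTP DCV directory
DCV_TARGET_SUFFIX = ".dcv.invalid"         # assumed validator-side CNAME target


class PublicDns:
    """Toy public DNS: each zone maps to the record store of whichever
    provider its NS delegation points at (Route53, this box, ...)."""

    def __init__(self):
        self.authoritative = {}  # zone -> {name: (rtype, value)}

    def delegate(self, zone, store):
        self.authoritative[zone] = store

    def lookup(self, name, rtype):
        labels = name.split(".")
        for i in range(len(labels)):  # walk up to the closest delegated zone
            store = self.authoritative.get(".".join(labels[i:]))
            if store is not None:
                rec = store.get(name)
                return rec[1] if rec and rec[0] == rtype else None
        return None


@dataclass
class DnsOnlyHost:
    hostname: str
    local_zones: dict = field(default_factory=dict)  # zone -> this box's copy of the zone
    webroot: dict = field(default_factory=dict)      # path -> body (served only by httpd)
    port_80_open: bool = False                       # firewall state
    httpd_enabled: bool = False                      # Apache is disabled on DNSOnly

    def publish_cname(self, name, target):
        """Write the DCV CNAME into the local copy of the enclosing zone, if any."""
        labels = name.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.local_zones:
                self.local_zones[zone][name] = ("CNAME", target)
                return True
        return False

    def http_get(self, path):
        """What a validator fetching http://<hostname><path> would receive."""
        if not (self.port_80_open and self.httpd_enabled):
            return None
        return self.webroot.get(path)


def dns_dcv_preflight(host, public_dns):
    name = f"{DCV_LABEL}.{host.hostname}"
    target = secrets.token_hex(8) + DCV_TARGET_SUFFIX
    if not host.publish_cname(name, target):
        return False, "this server holds no copy of the hostname's zone"
    if public_dns.lookup(name, "CNAME") != target:
        return False, "CNAME written locally is not visible in public DNS (zone delegated elsewhere)"
    return True, "DNS DCV preflight check succeeded"


def http_dcv_preflight(host):
    token = secrets.token_hex(16)
    path = DCV_PATH + token + ".txt"
    host.webroot[path] = token  # the file is written either way; only a listener makes it reachable
    if host.http_get(path) != token:
        return False, "no valid response on port 80 (port blocked or httpd disabled)"
    return True, "HTTP DCV preflight check succeeded"


def run_preflight(host, public_dns):
    """Same order as described in the thread: DNS DCV first, HTTP only as fallback."""
    ok, why_dns = dns_dcv_preflight(host, public_dns)
    if ok:
        return "dns", why_dns
    ok, why_http = http_dcv_preflight(host)
    if ok:
        return "http", why_http
    return None, f"Neither HTTP nor DNS DCV preflight checks succeeded ({why_dns}; {why_http})"


def scenario_zone_on_this_box():
    # Delegation points at the DNSOnly box's own copy of the zone (constructed).
    host = DnsOnlyHost("ns1.example.test", local_zones={"example.test": {}})
    public = PublicDns()
    public.delegate("example.test", host.local_zones["example.test"])
    return run_preflight(host, public)


def scenario_zone_at_route53():
    # The box holds a copy of the zone, but the public delegation points at an
    # external provider; port 80 is closed and Apache is off, as on DNSOnly (constructed).
    host = DnsOnlyHost("ns1.example.test", local_zones={"example.test": {}})
    public = PublicDns()
    public.delegate("example.test", {"ns1.example.test": ("A", "192.0.2.10")})
    return run_preflight(host, public)


def scenario_http_fallback():
    # Full cPanel & WHM box with Apache running and port 80 open: the HTTP
    # fallback rescues a hostname whose zone it does not serve (constructed).
    host = DnsOnlyHost("web.example.test", port_80_open=True, httpd_enabled=True)
    return run_preflight(host, PublicDns())


if __name__ == "__main__":
    for scenario in (scenario_zone_on_this_box, scenario_zone_at_route53, scenario_http_fallback):
        print(f"{scenario.__name__}: {scenario()}")
```

    The model deliberately separates "the box wrote the record" from "the validator can see the record": the second scenario reproduces the "Neither HTTP nor DNS DCV preflight checks succeeded" outcome even though the CNAME was written, because the public delegation never consults this box's zone copy.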
  • ImperialTrader
    Hello, the issue is that the DNS DCV is not completed. You can check for the DNS record yourself as well (or for any of them, for that matter); I only see an A record, and NS records that point to AWS. It would seem that this may not be possible if you're hosting DNS outside the server. The HTTPS DCV preflight check is expected to fail on DNSOnly (IMO it shouldn't even be attempted, which I'm going to open an improvement case for) because Apache is not needed on those systems and is disabled.

    Yes, my server is in AWS and I'm using Route53 for DNS management. And what is the solution now? :)
    0
  • cPanelLauren
    I don't believe you'd be able to use the free certificate. I need to confirm this tomorrow, but as far as I can tell, without HTTP DCV and with remotely hosted NS, there'd be no way to perform the DCV check. I'll update here with my findings tomorrow. If you do end up needing to purchase a certificate, you'll want to make sure that cpsrvd can restart without issues.
    0
  • ImperialTrader
    I don't believe you'd be able to use the free certificate. I need to confirm this tomorrow, but as far as I can tell, without HTTP DCV and with remotely hosted NS, there'd be no way to perform the DCV check. I'll update here with my findings tomorrow. If you do end up needing to purchase a certificate, you'll want to make sure that cpsrvd can restart without issues.

    Ok, I'm waiting for you, and I'm ready to purchase the SSL now!
    0
  • cPanelLauren
    Hi @ImperialTrader I'm discussing this with the team that implemented this feature and they're asking if you would please open a ticket with us so they can investigate the issue further and hopefully get you a resolution for this. I did find an open case about HTTP DCV failing on DNSOnly - CPANEL-30418 but that only addresses part of the issue. If you do open the ticket with us please update here with the ticket ID so I can update the ticket as well as the team. Thanks!
    0
  • ImperialTrader
    Hi @ImperialTrader I'm discussing this with the team that implemented this feature and they're asking if you would please open a ticket with us so they can investigate the issue further and hopefully get you a resolution for this. I did find an open case about HTTP DCV failing on DNSOnly - CPANEL-30418 but that only addresses part of the issue. If you do open the ticket with us please update here with the ticket ID so I can update the ticket as well as the team. Thanks!

    I created a ticket. The Support Ticket ID is: 93443506
    0
  • cPanelLauren
    I created a ticket. The Support Ticket ID is: 93443506

    Thanks a lot @ImperialTrader, I'll let them know.
    0
  • ImperialTrader
    Thanks a lot @ImperialTrader, I'll let them know.

    They have informed me that this issue will be solved in version 86. I'll wait for this version, no problem.
    0
