Intermediary CA Certificate Expiration
Hi Everyone,
This post is to provide you with essential and timely information about an unexpected incompatibility that began to unfold in the early morning hours on May 30, 2020, when an intermediary CA certificate used by Sectigo expired and some older versions of OpenSSL could not validate the certificate chain.
This event reduced compatibility with a wide range of software and services. Some of the impacted software was:
- New installations
- Updates for cPanel & WHM
- EasyApache
Hello, I believe there is one more intermediate certificate that is expired:
Common name: COMODO RSA Certification Authority
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from May 30, 2000 to May 30, 2020
Serial Number: 2766ee56eb49f38eabd770a2fc84de22
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root
This comes up when I interrogate with SSL Checker for any cPanel server on different ports than 443 (like 993 or 2087). I found out about this due to a problem with a script that connects to the IMAP server (we have OpenSSL 1.0.1e-fips on the server). On one of the servers I did try to upcp --force and then update_sectigo_cabundles and checkallsslcerts --force but it didn't help. Regards!
Is there some reason you can't push this fix out in an update so we do not have to manually fix all these servers?
I can't find any invalid CRT on my servers, maybe it's automatically updated?
Is there some reason you can't push this fix out in an update so we do not have to manually fix all these servers?
That autorepair should be running automatically actually - we're just providing you a way to run it on your own should you need to.
Hello, I believe there is one more intermediate certificate that is expired: Common name: COMODO RSA Certification Authority Organization: COMODO CA Limited Location: Salford, Greater Manchester, GB Valid from May 30, 2000 to May 30, 2020 Serial Number: 2766ee56eb49f38eabd770a2fc84de22 Signature Algorithm: sha384WithRSAEncryption Issuer: AddTrust External CA Root This comes up when I interrogate with
which I believe might be the cause of your issue?
I can't find any invalid CRT on my servers, maybe it's automatically updated?
If your certs were issued AFTER May 1 2020 they wouldn't have been affected or they were already fixed if they were.
I think there may be some confusion here. 1. The article you're quoting Root CA Certificate Expiration 2. I'm currently viewing this article while not signed into the ticket system and I do not need to be logged in to view it. The article is set to be viewable by everyone
@cPanelLauren every one of the hosts' SSLs that I've tested has a root cert with a valid date of May 30, 2000 to May 30, 2020. These are all certs for the physical cPanel host, as we use Let's Encrypt certs for all the sites. So far we've had minimal issues with this, but when you check/validate the certs, it's showing the root cert is expired. So based on my checking/testing of our servers, it's failing to 'fix' things on most host certs. The page about the issues with the host cert required a login this morning.
Also noted in that article the reference to the currently open internal case for this CPANEL-32921 but until that's resolved the only method I'm aware of to resolve this is what's listed in the article. I can't speak to what the article's view settings were earlier today but I do know that when I checked it, it was public. I don't think it should be changed from that setting and I did mention this to the guide admin so he is aware.
@cPanelLauren I am having the issues with SSL cert expired on all the websites hosted on the server with cPanel, and the cPanel version is 86.0.21. I tried to run
/scripts/autorepair update_sectigo_cabundles
/scripts/restartsrv_apache
But all the websites are still having the issues. Not only that, nscd now fails to run after those steps. How can I solve the SSL cert expired and the nscd issues? Thanks
If your certificates themselves are expired (not the CA Root) and you're experiencing other issues i.e., issues with NSCD it does not sound like this issue. I'd suggest you open a ticket with our support team to investigate the issues you're having further. I also want to note that the autofixer for hostname certificates was pushed and any continuing issues with this should be resolved.