[CPANEL-33077] Letsencrypt transition to ISRGs Root (Important!!!!!)
The issue exists when you use the client domain name as the SMTP server, not the hostname of your server
And I'm saying that I and my clients aren't having any issues using mail.clientdomain1.com, mail.clientdomain2.com or primary.host.name . Exim has all the matching cert info to allow them to connect without any warnings. 0 -
Facing the same problem here. The security certificate for this server is invalid or expired. Therefore, connection to this server is not secure. Do you wish to continue anyway?
Did you read through this whole thread? 0 -
There are still some clients experiencing SNI issues. Some aren't. It seems to depend on ratelimiting and exactly how/when/what certs were issued. We're working on some further tweaks that I'll post about soon. 0 -
Update - if users are still experiencing issues with Exim, could those users please open a ticket so we can do some more investigation? 0 -
@cPRex Id #94368789 already did 6 hours ago 0 -
Seems it was a permission issue on some certs for us fixed with : find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -exec chmod -v 755 {} \; 0 -
Seems it was a permission issue on some certs for us fixed with : find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -exec chmod -v 755 {} \;
YES YES YES!! Thanks, confirmed fixed!! 0 -
Seems it was a permission issue on some certs for us fixed with : find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -exec chmod -v 755 {} \;
Yes!!! That did it ! Run permission change and it solved the problem! 0 -
While the permissions command does work in some specific situations, I would exercise caution in copy/pasting commands. Specifically, that command could potentially change the permissions of the pending_delete directory, which is not ideal. Something like this would be more effective: find /var/cpanel/ssl/domain_tls/ -mindepth 1 -maxdepth 1 -name .pending_delete -prune -o -type d -not -perm 755 -exec chmod -v 755 {} \;
but it's important to note we're still researching all these implications on our side before we provide an official update. 0 -
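An audit-first variant of the permissions fix discussed above, as an added example that is not part of the thread or cPanel's own tooling: it lists the affected directories before changing anything and skips .pending_delete. The function names are hypothetical; the default path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not cPanel tooling): audit first, then fix.
# Function names are hypothetical; the default path is the one quoted in the thread.
DEFAULT_BASE=/var/cpanel/ssl/domain_tls

# Print every directory directly under the base whose mode is not 755,
# skipping .pending_delete. Read-only: nothing is changed.
audit_tls_dirs() {
    base=${1:-$DEFAULT_BASE}
    find "$base" -mindepth 1 -maxdepth 1 \
        -name .pending_delete -prune -o \
        -type d ! -perm 755 -print
}

# Set 755 on exactly the directories the audit reports, logging the old
# mode string so the change can be reviewed or reverted later.
fix_tls_dirs() {
    base=${1:-$DEFAULT_BASE}
    audit_tls_dirs "$base" | while IFS= read -r dir; do
        old=$(ls -ld "$dir" | cut -c1-10)
        chmod 755 "$dir" && printf '%s: %s -> drwxr-xr-x\n' "$dir" "$old"
    done
}

# Usage: sh tls_dir_audit.sh audit|fix [base-dir]
case "${1:-}" in
    audit) audit_tls_dirs "${2:-}" ;;
    fix)   fix_tls_dirs "${2:-}" ;;
esac
```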
While the permissions command does work in some specific situations, I would exercise caution in copy/pasting commands. Specifically, that command is also changing the permissions of the pending_delete directory, which is not ideal. Something like this would be more effective:
find /var/cpanel/ssl/domain_tls/ -mindepth 1 -maxdepth 1 -name .pending_delete -prune -o -type d -not -perm 755 -exec chmod -v 755 {} \;
but it's important to note we're still researching all these implications on our side before we provide an official update.
PLEASE tell me you weren't sitting on this fix and holding it back the entire day!!! Changing the permissions back is as easy as find /var/cpanel/ssl/domain_tls/* -type d -not -perm 644 -exec chmod -v 644 {} \;
I looked at the permissions before, change it to 755, ran openssl check, works... changed back to 644, ran openssl, broken... change to 755 again.... AND SUCCESSS!!! 0 -
@TFyre - of course not - I'm posting information that is verified as soon as I get it. @monarobase submitted a ticket and was provided that command by our team recently. 0 -
Update - our team is pushing out two updates soon. One is a new version of the Let's Encrypt plugin for WHM. The second is a slightly updated autofixer. We're still investigating the root cause of the permission problems that some users have experienced, and I'll be sure to post more about that as soon as I have details. 0 -
The new Let's Encrypt plugin has been released. The updated version is cpanel-letsencrypt-v2-1.02-1.2.1.cpanel.noarch.rpm 0 -
The second autofixer has cleared our QA team and will be released shortly as well. 0 -
We have the same issue on all of our hosting sites: over 2,000 site certs expired (Let's Encrypt). I removed the Let's Encrypt script and re-installed it, and the new Let's Encrypt version is installed, but we have an error: MASTER DCV: A rate limit prevents DCV. This is while Let's Encrypt says that it has removed the rate limit. 0 -
Hello there, We think this is the right place to report this bug. The Autofixer you have published does not work correctly on servers older than v94. The output is as follows;
[root@server ~]# /scripts/autorepair update_lets_encrypt_cabundles2
Requesting script ... info [autorepair] Successfully verified signature for cpanel (key types: release). Done
Auto Repair is running......Auto Repair is done.
Since Autofixer does not work correctly, requests are constantly sent to Let's Encrypt APIs and cause us to hang on rate limits. Can you start a case on this? Thanks. 0 -
The new Let's Encrypt plugin has been released. The updated version is cpanel-letsencrypt-v2-1.02-1.2.1.cpanel.noarch.rpm
Update automatically? Greetings Andrew 0 -
@Elephantino - that's correct - it will update automatically. @HostLABTR - versions of cPanel older than the LTS version of 94.0.16 are not supported, so I would not expect the autofixer to work in those cases. 0 -
Thanks for the updates @cPRex. The previous command to fix permissions, is it included in the official fix, or should we run it if problems persist after running the fix? 0 -
While the command is safe to run, we're still looking into *how* those permissions become corrupt in the first place for some users. 0 -
While the command is safe to run, we're still looking into *how* those permissions become corrupt in the first place for some users.
I run the command in dozens of servers and only 1/10 had the issue and were fixed. Maybe it happened due to some bug in previous versions. 0 -
Our server is 100% up to date, we've run /scripts/autorepair update_lets_encrypt_cabundles2 and we're not seeing any progress. Around 50% of our clients are without SSL certificates :/ This Monday, when they all realise their sites are effectively offline, this is going to be a nightmare. 0 -
The /scripts/autorepair update_lets_encrypt_cabundles2 command unfortunately did not repair all certificates. To repair corrupted certificates, it is necessary to use whm > install certificate > autofill one by one. I was able to fix the broken certificates this way, but it is very challenging to do this for thousands of domains one by one. If it is a new certificate, we still cannot receive it; we are constantly seeing the error 429. At the least, we are waiting for an urgent solution for mass correction of existing certificates. Instead of a license price with a raise, produce a quick solution to this issue. 0 -
thanks @vacancy .. installing one by one will at least save us a lot of angry customers! good to finally have a fix for this 0 -
@Elephantino - that's correct - it will update automatically. @HostLABTR - versions of cPanel older than the LTS version of 94.0.16 are not supported, so I would not expect the autofixer to work in those cases.
However, this is a problem, causing the servers involved to constantly send requests to Let's Encrypt and get stuck at rate limits. Let's Encrypt detects traffic as an attack. We don't expect you to add a new feature, it's just that it shouldn't be that difficult to make the released fix compatible with previous versions. 0 -
Be careful about that. As cPRex said that command could potentially change the permissions of the pending_delete directory. 0