[CPANEL-33077] Letsencrypt transition to ISRGs Root (Important!!!!!)
My own experience - didn't go sectigo. However WHM -> Install SSL Certificate and then choosing the account/domain you want to 'reinstall', make sure you choose a previous letsencrypt that's valid. Select it. Then delete/empty the CA box at the bottom so it will retrieve the latest, click 'install' and it will update the SSL for the domain. Doing this seems to have positive results for my case scenarios. Only users on Apple devices (macOS / iOS) are having problems it seems, but after doing this, they're working and connecting without issues once again. Some mac mail users did have to 'right click' and 'take account online' again to get it operational. Obviously this is not a good solution for those of you with thousands of accounts, however I found this helpful to triage my larger clients to get them back online asap. 0 -
Should be noted - accounts with letsencrypt wildcard cannot be fixed with the above method that cpanel suggests. You will get an error. The domain "*.XXXX.com.au" is not managed on this server. You must specify an IP address to install SSL for "*.XXXX.com.au" or set up this domain on a new account, or create it as parked domain, a subdomain, or an addon domain of an existing account, and try again. 0 -
Should be noted - accounts with letsencrypt wildcard cannot be fixed with the above method that cpanel suggests. You will get an error. The domain "*.XXXX.com.au" is not managed on this server. You must specify an IP address to install SSL for "*.XXXX.com.au" or set up this domain on a new account, or create it as parked domain, a subdomain, or an addon domain of an existing account, and try again.
This will happen if your domain is over cloudflare, just select the IP from the menu below. 0 -
Update - at this point we've removed the recommendation to switch to Sectigo as that just seems to be causing more issues. I'll keep this thread updated with details as I get them. 0 -
Was there something cPanel could have done before to avoid this?
Yes, they had more than a year to check this and make a proper update in time....So glad to have the new f***ing themes though. Glad that's where our ever-increasing money is going.
Exactly... the increased prices definitely do not reflect the updates and work that cPanel has made in the past two years, pure joke and makeup, there are so many interesting, useful and needed things on the feature requests FOR YEARS and they remain in discussions and ignored...but themes 0 -
Update - at this point we've removed the recommendation to switch to Sectigo as that just seems to be causing more issues. I'll keep this thread updated with details as I get them.
Interesting and useful update, now everything is fixed with this update... :rolleyes: it was obvious that switching to another provider was going to cause more issues... :rolleyes::rolleyes::rolleyes: where is the common sense and the "experience" cPanel has? This update, just like the latest two years of cPanel releases, is a joke... we need a fix and real updates ASAP, this problem is very very annoying and every minute that passes is more desperate... 0 -
Hello - just adding that we are also experiencing the same issue - have searched everywhere and besides switching to the cPanel, Inc. issued Certificate there does not seem to be a resolution to the issue - which is a little unbelievable as the problem is the new Let's Encrypt intermediate certificate is not installed on cPanel replacing the old expired R3 certificate. Surely with 10's maybe 100's of thousands of cPanel users affected this issue would be a top priority for resolution? It just does not seem to be that way, which is most disappointing. 0 -
However WHM -> Install SSL Certificate and then choosing the account/domain you want to 'reinstall', make sure you choose a previous letsencrypt that's valid. Select it. Then delete/empty the CA box at the bottom so it will retrieve the latest, click 'install' and it will update the SSL for the domain.
I've just tested this on one of our domains and it worked, many thanks :) 0 -
Switching AutoSSL selection to cPanel/Sectigo and running a check on all users seems to be fixing it for me. Tried on two WHM servers and I'm no longer getting cert warnings from my email program for the accounts hosted there. But I don't have any wildcard certs or anything else other than 'standard' cPanel cert setups. 0 -
Any useful update? We have almost 12 hours with this issue (in my country working hours) and when I notice this 8am to 8pm... :rolleyes: 0 -
Almost 12 hours of problem and any fix, any patch, any solution... 0 -
@Rhuan there are fixes/workarounds available right now ^^ see my posts above, I've gotten all but my wildcard hosts back online now. 0 -
It is very frustrating and annoying to be in front of the computer and hit F5 on this thread every 10 minutes because I cannot receive email updates about this thread because my email DOES NOT WORK and NOT FIND A USEFUL UPDATE AND/OR THE PATCH WITH EVERY SITE REFRESH. It is very frustrating and annoying not to be able to use my phone because I am receiving a certificate identity error alert every 10 seconds as soon as I unlock it because the mail DOES NOT WORK. 0 -
It is very frustrating and annoying to be in front of the computer and hit F5 on this thread every 10 minutes because I cannot receive email updates about this thread because my email DOES NOT WORK and NOT FIND A USEFUL UPDATE AND/OR THE PATCH WITH EVERY SITE REFRESH. It is very frustrating and annoying not to be able to use my phone because I am receiving a certificate identity error alert every 10 seconds as soon as I unlock it because the mail DOES NOT WORK.
Using your server's hostname instead of mail.example.com doesn't work for you? 0 -
Using your server's hostname instead of mail.example.com doesn't work for you?
Nope, I don't want to change my settings to use my hostname because if you change the incoming/outgoing server on the email client it downloads everything again, so you will end up with thousands of duplicated emails and all emails are treated like new. 0 -
I had logged into one of my customer's systems that has about 10 accounts, each running a WordPress Multisite setup with 25-75 domains on each account. For a particular email domain that was having issues, they were tied to a cert which was covering multiple domains. I didn't want to just UNinstall it and then hope to get AutoSSL to reinstall it without error / throttling. So, I was playing around inside the actual cPanel interface, navigated to SSL/TLS, found the cert that had that domain on it and clicked on the option to Update Certificate. I clicked on that, then clicked Autofill by Domain, and noted that the new / proper CA bundle was in there already. I clicked on Install Certificate and it re-installed the cert and added all the email domains tied to that cert back into /var/cpanel/ssl/domain_tls and the incoming email SSL connections started working for those domains immediately. So I didn't even have to monkey around in WHM. Nice for this particular instance, where one hosting account has a bunch of certs, each with a bunch of domains on it. Mike 0 -
+1 to the above work-around steps. We've trialed this with a couple of accounts and it seems to be working well so far. Here's a simpler breakdown of the steps you can follow:
1. Log into cPanel
2. Go to "SSL/TLS Status"
3. Click the "View Certificate" link next to any of the domain/host lines in the table
4. Select any domain from the dropdown
5. Erase/wipe the Certificate Authority Bundle (CABUNDLE) text area
6. Click "Install Certificate"
0 -
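An added example, not part of the thread and not cPanel tooling: a shell check that lists every certificate in a PEM CA bundle that is expired or expires within a given window, which is one way to confirm whether a saved CABUNDLE still carries a stale intermediate before and after the steps above. The function names and the throwaway self-signed bundle are constructed for illustration; only `openssl` and `awk` are assumed to be installed.

```shell
#!/bin/sh
# Added example. Prints one line (subject + notAfter) for each certificate in
# a PEM bundle that is expired or expires within WINDOW seconds (default 0).
bundle_expiring() {  # usage: bundle_expiring BUNDLE.pem [WINDOW_SECONDS]
    bundle=$1; window=${2:-0}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || continue
        # -checkend exits non-zero when the cert expires within the window.
        if ! openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1; then
            openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$tmp"
}

# Constructed sample input: two throwaway self-signed certificates, one valid
# for 1 day and one for 3650 days, concatenated the way a CABUNDLE would be.
make_constructed_bundle() {  # usage: make_constructed_bundle OUT.pem
    out=$1; key=$(mktemp) || return 2
    : > "$out"
    for spec in "constructed-short-lived:1" "constructed-long-lived:3650"; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" \
            2>/dev/null >> "$out" || return 2
    done
    rm -f "$key"
}

# Demo: flag anything in the constructed bundle that expires within 7 days.
demo=$(mktemp) && make_constructed_bundle "$demo" && bundle_expiring "$demo" 604800
rm -f "$demo"
```

On a real server, save the contents of the CABUNDLE text area to a file and pass that path instead of the constructed bundle; no output means nothing in the bundle is expired.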
Update - the first patch we had in place didn't properly resolve the issue. A second patch has been created and is currently being reviewed by our QA team. I have already set up a plan for one of the technicians working the overnight shift to post updates to this thread so anyone watching this can be kept informed. We completely understand this is a frustrating experience for everyone, and I plan to post a full post-mortem tomorrow if one of the overnight techs doesn't do that first. 0 -
Thanks, hopefully they do since it's only 2pm here UTC+10. 0 -
That's part of the reason we're encouraging people to wait for an official fix - we're getting some reports of AutoSSL not properly replacing certificates, maybe due to ratelimiting, or maybe due to other issues.
Might be a good idea to add a 3rd CA provider like ZeroSSL. For my own usage switching from Letsencrypt to ZeroSSL via acme.sh client was painless. 0 -
Update - The second patch has completed testing and has been released to resolve this issue. This will automatically be applied when the next cPanel update occurs. You can manually initiate an update or use the autorepair command below to apply this immediately.
/scripts/autorepair update_lets_encrypt_cabundles
0 -
Hi, is the script currently available? Tested from various locations and it seems to get stuck on Requesting script ... 0 -
Executed this script and it picked up a few accounts that I had missed. Which is good except for the one wildcard account where I deleted their ssl to try 'build it again' :( doh and letsencrypt won't let me grab a new one 0 -
Update - The second patch has completed testing and has been released to resolve this issue. This will automatically be applied when the next cPanel update occurs. You can manually initiate an update or use the autorepair command below to apply this immediately.
/scripts/autorepair update_lets_encrypt_cabundles
Hi, can anybody confirm to us that this patch works correctly and solves the problem? Thank you very much. 0 -
Yes confirmed, you have to wait a while for the script to start but it's working :) 0 -
Hi, can anybody confirm to us that this patch works correctly and solves the problem? Thank you very much.
I can confirm, just ran on 5 servers and solved all the problems very fast! 0 -
I can confirm, just ran on 5 servers and solved all the problems very fast!
Thank you very much friend. 0 -
Hi, can anybody confirm to us that this patch works correctly and solves the problem? Thank you very much.
On our end it's working properly. Some accounts were switched to Sectigo, but others not, as Sectigo seems to be too busy. After applying the script, returning to Let's Encrypt and running AutoSSL for all users, the remaining accounts seem to be SSL protected again. BTW, affected server is a cPanel v86 with CentOS 6.0 -
I just ran the update on a batch of 20 servers with no problems. 0