cPanel error being sent regularly: "doesn't match non-SSL vhost IP"
Hi, Hope everyone is well. We're trying to keep up maintenance on our certs and we're getting this error daily. Not sure why. Hoping you all could lend a hand. Thank you!
/usr/local/cpanel/bin/process_ssl_pending_queue encountered an error:
The system retrieved the SSL certificate for "example.com", but failed to
install it because of an error: The certificate could not be installed on
the domain "example.com". Given "ip" (42.10.10.5 our cpanel ip) doesn't
match non-SSL vhost IP (10.7.7.7).. The system will attempt to fetch the
certificate and to install it again. at
/usr/local/cpanel/Cpanel/SSL/PendingQueue/Run.pm line 181.
-
Are you using 1:1 NAT | cPanel & WHM Documentation here? 0 -
Check the DNS and whether it's correctly propagating to this IP or not. 0 -
anoopk350 andrew.n Thanks for the responses! I'll check them out. Andrew, the document you sent says clearly "Do not run on production environments". What will this do, as this is a production environment? 0 -
I suspect that 1:1 NAT is enabled on the server and that is causing the issues. If the server is not on a local network using NAT then make sure this is disabled: you can do so by checking the /var/cpanel/cpnat file. If it exists, it's enabled. 0 -
You shouldn't set up NAT routing on a production server, no, but if it's already configured but the NAT routing isn't being recognized you can run 1:1 NAT | cPanel & WHM Documentation, though if there is an issue with the configuration this script will not help. 0 -
Awesome andrew.n cPanelLauren that makes sense now :) I'll let you know how it goes. Thank you! 0 -
Hi @andrew.n @cPanelLauren , I removed the cpnat file and restarted services but we're still getting the error. I finally have full access to the server so what would be a good next step? Should I try to reinstall certs manually somehow? I tried looking for the error message but can't seem to locate it in a log file. Thank you! 0 -
Hi, anyone run into this issue? I haven't been able to locate much on this error and I already turned off NAT on the cpanel server. " /usr/local/cpanel/bin/process_ssl_pending_queue encountered an error: The system retrieved the SSL certificate for "example.com", but failed to install it because of an error: The certificate could not be installed on the domain "example.com". Given "ip" (42.10.10.5 our cpanel ip) doesn't match non-SSL vhost IP (10.7.7.7).. The system will attempt to fetch the certificate and to install it again. at /usr/local/cpanel/Cpanel/SSL/PendingQueue/Run.pm line 181. " Thank you. 0 -
So if you go to List Accounts do you see the IP 10.7.7.7 in line with example.com or 42.10.10.5? Can you try to rebuild http config and see how it goes? /scripts/rebuildhttpdconf 0 -
Hi Andrew, I looked for "list accounts" in WHM and cannot find the link. Is this available somewhere in cpanel or WHM? Thank you! 0 -
Just look at the accounts with their IP address. What IP address do you see for the domain example.com? 0 -
Ok, I see the info on the right hand side in cpanel. Primary Domain (DV Certificate) example.com Shared IP Address: I see the expected public facing, direct IP address. I don't see the private address. 0 -
So I kept at it and took the action of manually reinstalling the cert (good until 2021) via cpanel. I get the exact message we're getting via email. I inherited this domain's setup. Could the cause of this be because the cert was created with reference to the 10.7.7.7 ip when it was NAT enabled? Would the resolve be creating a new cert and installing that one? 0 -
I also got this: You don't have a dedicated IP address. Browsers that were released before 2013 may not support SNI. Because of this, users may see false security warnings when they visit your SSL-secured websites. 0 -
No, probably this is not the reason. The best would be to open a ticket at the link provided earlier so cPanel support could have a closer look at this issue with the login information provided. 0 -
Wait, I want to point out that if your server was NAT routed to begin with you should not remove the cpnat file. I was indicating that you should not create a NEW NAT configuration on a server that was not previously NAT routed. What the issue is most likely here is a NAT misconfiguration but removing the cpnat file is not the solution. What is the output of the following: /scripts/build_cpnat
0 -
Hi, So I ran the script and it just rebuilt the file the way it was before.
info [build_cpnat] 10.7.7.7 => 42.10.10.5
info [build_cpnat] Updating /etc/wwwacct.conf primary IP (ADDR) from 42.10.10.5 to 10.7.7.7 . Local IPs, not public should be stored in most configuration files.
# cat cpnat
42.10.10.5 10.7.7.7
0 -
I was advising this because in multiple cases cPanel thought it's on NAT and wrongly configured itself, which led to issues later on. 0 -
And @andrew.n you're most likely correct. NAT misconfiguration is almost always the issue, not the fact that the server is NAT routed at all but the fact that when these configurations are created they're done so incorrectly. I'd advise you to open a ticket so that our analysts can look at this further and hopefully let you know where the issue lies. 0 -
The files /var/cpanel/userdata/natmaws/example.com and /var/cpanel/userdata/natmaws/example.com_SSL needed updating. It contained the 10.7.7.7 entry. Once I changed it to the server's IP, the new cert was installed. One thing to note, whereas all the sub domains were green and secure, it seems the majority of the list were then http and not SSL secured. The cert we installed is indeed a *. 0 -
So I'm back, it did not quite solve the issue. The sites ended up going down and I had to revert the changes including the IP address. I'll work through it and update. 0 -
Keep us updated! 0 -
Hi, thanks Andrew. You're a cpanel soldier! I'm trying to get the apache config sorted out as it has the private IP posted all around. All the files (apache config and user/domain & domain_ssl) contain the private IP address.
Apache config:
ServerName example.com
ServerAlias mail.example.com www.example.com
DocumentRoot /home/user/public_html
ServerAdmin webmaster@example.com
--
ServerName example.com
ServerAlias mail.example.com www.example.com cpcontacts.example.com webdisk.example.com cpanel.example.com webmail.example.com cpcalendars.example.com whm.example.com
This cpanel server looks direct? (non NAT). We only have a private ip and a public IP to access the cpanel server.
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 09:xx:1c:xx:cd:8d brd ff:ff:ff:ff:ff:ff
    inet 10.7.7.7/24 brd 10.7.7.255 scope global dynamic eth0
       valid_lft 2363sec preferred_lft 2363sec
    inet6 kv92::8d:1cff:fea2:dd93/64 scope link
       valid_lft forever preferred_lft forever
Thus far, every other cpanel error references the public IP when I try to install the cert. Should I be updating:
a) all references be updated to public IP including the apache config and domain files,
b) the cpnat file be deleted
c) try to reinstall the cert
d) restart apache and cpanel
What I didn't do in the 1st attempt, when it broke, was change the apache config details manually. I believe they may have still been private IPs as they are now (see above). I did remove the cpnat file but everything broke during the cpanel scripted apache rebuild config script. 0 -
Okay, there is a way to rebuild all the configs as I recall. I hope I remember all the steps here:
1. First back up the userdata folder
mv /var/cpanel/userdata /var/cpanel/userdata.backup
2. Re-create the folder
mkdir /var/cpanel/userdata
3. Re-generate the content
/usr/local/cpanel/bin/userdata_update --reset
4. Fix permissions
/usr/local/cpanel/bin/fix_userdata_perms
5. Update internal cache
/scripts/updateuserdatacache
6. Now rebuild apache config
/scripts/rebuildhttpdconf
7. Restart apache for the changes to take effect
/scripts/restartsrv_httpd
Let me know how it works out 0
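A read-only check for the condition this thread keeps circling, as an added example (not written by any poster or by cPanel): it compares the ip: value of each non-SSL userdata record with its _SSL counterpart and with the NAT pair file, so the state can be inspected before anything is edited or rebuilt. The directory layout, the "ip:" key and the verdict labels are assumptions of this example; the sample data is constructed from the addresses quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of cPanel-style userdata vhost records.
# Assumed layout: DIR/<user>/<domain> and DIR/<user>/<domain>_SSL, each with
# an "ip: <address>" line; CPNAT holds one NAT address pair per line.

is_private() {   # RFC 1918 test on a dotted-quad string
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

vhost_ip() {     # print the value of the first "ip:" key in a userdata file
  awk '$1 == "ip:" { print $2; exit }' "$1"
}

audit_userdata() {   # usage: audit_userdata DIR CPNAT
  local dir=$1 cpnat=$2 f ip ssl_ip verdict
  for f in "$dir"/*/*; do
    case "$f" in *_SSL|*.cache|*/main|*/cache) continue ;; esac
    [ -f "$f" ] || continue
    ip=$(vhost_ip "$f")
    [ -n "$ip" ] || continue
    ssl_ip=-
    if [ -f "${f}_SSL" ]; then ssl_ip=$(vhost_ip "${f}_SSL"); fi
    verdict=OK
    if [ "$ssl_ip" != - ] && [ "$ssl_ip" != "$ip" ]; then
      verdict=SSL_VHOST_IP_DIFFERS         # non-SSL and SSL records disagree
    elif grep -qwF -- "$ip" "$cpnat" 2>/dev/null; then
      is_private "$ip" || verdict=PUBLIC_IP_ON_NAT_HOST
    elif is_private "$ip"; then
      verdict=PRIVATE_IP_WITHOUT_NAT_MAP   # e.g. cpnat removed, vhost unchanged
    fi
    printf '%s non_ssl=%s ssl=%s %s\n' "${f##*/}" "$ip" "$ssl_ip" "$verdict"
  done
  return 0
}

# Constructed sample data (addresses as quoted in the thread) for a dry run.
demo=$(mktemp -d)
mkdir -p "$demo/ud/user1" "$demo/ud/user2"
printf 'ip: 10.7.7.7\n'   > "$demo/ud/user1/example.com"
printf 'ip: 42.10.10.5\n' > "$demo/ud/user1/example.com_SSL"
printf 'ip: 10.7.7.7\n'   > "$demo/ud/user2/example.org"
printf '10.7.7.7 42.10.10.5\n' > "$demo/cpnat"
audit_userdata "$demo/ud" "$demo/cpnat"
```

On a server the same function would be pointed at /var/cpanel/userdata and /var/cpanel/cpnat; it only reads files, so it is safe to run before and after a rebuild to see what changed.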