"The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests."

Comments

231 comments

  • Nathan Lyle
    @Nathan Lyle - in my ideal world, there would be some level of automated failover between the two providers. Both providers issue DV certificates, so there would not be any difference in coverage, although Let's Encrypt does have lower limits if you have a very large number of domains on one account.

    Honestly I've just reached the point where I'm going to be recommending my clients purchase SSL certificates from another provider. This last year and a half or so has been one SSL headache after another, with sites essentially "going down" due to browser security warnings. My clients end up thinking I'm providing a crappy hosting service as a result of it. There's no notification from WHM that a certificate has gone defective or not renewed for the handful of reasons they keep seeming to. The "Auto" in AutoSSL is unfortunately a bit misleading, since it requires constant eyes-on vigilance. It's one less reason for me to use cPanel, honestly. With the increased license fees, it's not hard to imagine that I'll be looking at alternatives in the near future. The market is certainly open for a good alternative. From what I've read, small folks like myself aren't cPanel's target market anyway. As prices have gone up, the features that were the main reasons I liked using cPanel have been slowly falling apart. :-(
    0
  • yatesf
    @zhongshan - in version 108 we're adding default support to Let's Encrypt to work alongside Sectigo. The certificates will be issued just the same with either provider, and right now that is the best workaround. I don't have any other option available.

    If I'm correct, Let's Encrypt is slightly different from Sectigo in that it does not issue a hostname certificate. Is this right? Also, I hope there is a better future solution than just offering both providers side by side. The root issue with Sectigo is that their rate limit is being exceeded at the time when many cPanel users are requesting SSL renewals. Can cPanel negotiate a higher rate limit with Sectigo that's congruent with its increased number of clients querying its service? Or could cPanel perhaps stagger the timeframes at which the majority of cPanel clients are querying Sectigo for their SSL renewals? From what I've seen, it looks like cPanel is bogging down the Sectigo rate limit by bombarding most of its client requests around 5:45am EST. Perhaps simply spreading out the time-frame of Sectigo SSL requests more fluidly across cPanel's client demographic will alleviate a lot of the rate-limit being exceeded during a few choice/bottlenecked time-frames.
    0
  • Jheroen
    What now then..... 10:30:03 AM ERROR AutoSSL failed to request an SSL certificate for "xxx" because of an error: (XID qx42bq) The response to the HTTP (Hypertext Transfer Protocol) "POST" request from " indicated an error (504, Gateway Timeout):

    504 Gateway Tim" :mad:

    0
  • cPRex Jurassic Moderator
    @yatesf - you're correct that Let's Encrypt still doesn't handle the hostname certificate. We're looking into all those options you've mentioned. @Jheroen - was that from this morning? I haven't heard of any issues on my end yet, but that doesn't mean things can't be happening.
    0
  • PeteS
    @yatesf - you're correct that Let's Encrypt still doesn't handle the hostname certificate. We're looking into all those options you've mentioned.

    So switching to LE will handle everything except the hostname, which will continue to be "handled" through Sectigo? Currently all my servers are, or just fiiiiinally succeeded, negotiating a hostname cert with Sucktigo... :/ Save me a few minutes of searching and point me to the script manually to run for host certs, so I can address it on servers that are expired. Please and thank you! Is this the thinking behind offering both side-by-side? LE for everything but hostname cert, and Sectigo still for hostname? That it will spread out the load and lessen the grief (temporarily)?
    @Jheroen - was that from this morning? I haven't heard of any issues on my end yet, but that doesn't mean things can't be happening.

    You're kidding, right? I see this error all-the-time! Along with "Sucktigo's too busy to care." From right now:

    "10:43:49 PM ERROR AutoSSL failed to request an SSL certificate for "....com" because of an error: (XID 8wp6mp) The response to the HTTP (Hypertext Transfer Protocol) "POST" request from " indicated an error (504, Gateway Timeout):

    504 Gateway Tim" "

    "10:45:22 PM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later."

    "10:46:10 PM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later."

    "10:52:02 PM WARN (XID zdp9ra) The response to the HTTP (Hypertext Transfer Protocol) "GET" request from " indicated an error (504, Gateway Timeout):

    504 Gateway Tim" "

    ----

    Regarding this whole issue

    1- Let me tell you how for over a month (when things went to crap again, after being "ok" for a while) I have been babysitting tons of expired cert requests, repeating until they finally succeed. Grrr... what a pain! Why don't I go to LE, you ask? Last time I heard, cPanel was "addressing the issue" and I relied on that to come through... Until about a month ago, and since then have been too busy to get on here and yell about it. (...and see the Sectigo dumpster fire.)

    2- I can get ALL KINDS of cert notifications, EXCEPT expired certs. What on earth?! Why? I went to turn that on so I could not miss an expired cert (until a client complains) but there's no such thing. Please explain this silliness! (I looked. Twice. If you show me it's there I'll apologize.)

    0
  • PeteS
    Save me a few minutes of searching and point me to the script manually to run for host certs, so I can address it on servers that are expired. Please and thank you!

    NM this one, I stumbled on it in another post, and then in my own cPanel install notes. ;) /usr/local/cpanel/bin/checkallsslcerts
    0
  • kdean
    Yeah, I'm seeing Gateway timeouts as well when manually run. Also, the usual try again later messages. Last time I used Let's Encrypt, one thing I didn't like is if you inspected the SSL information in your browser, it exposed all sub-domains for the site that you may not want to make so easily found. To change the time AutoSSL runs, edit the cronjob in /etc/cron.d/cpanel_autossl. Doing so has generally helped with the auto-runs, it's just manual runs or when I add a new sub-domain, that is very difficult. I've been trying for over a day now to get SSL on a new sub-domain when first setup and subsequent manual runs. Maybe the next auto run will work. Who knows anymore. Seems that cPanel needs to pay Sectigo more since clearly they don't think they have a good enough deal at the moment to allow the bandwidth.
    0
  • swbrains
    I had been having issues a while back with Sectigo errors like this (not accepting requests -- try later), but in the second half of 2022 things were fairly good. Sometimes it would fail, but then successfully issue the cert before it expired. Over the past two weeks, I've had a couple of certs that actually expired and forced me to switch temporarily to Lets Encrypt due to certs that were not able to be renewed before expiring. The problem I've had with LE -- and the reason I switched to Sectigo in the first place -- was due to hitting LE limits. I even requested an increase in my rate limit and was told it was granted, but I still experienced hitting my limit (this is for ~700 hosted accounts). So I stuck with Sectigo but now it's getting worse as certs are actually expiring before they can be renewed. My only recourse is to switch to LE temporarily, force a re-check to generate the required certs, then switch back to avoid hitting LE's rate limit. :confused:
    0
  • PeteS
    My only recourse is to switch to LE temporarily, force a re-check to generate the required certs, then switch back to avoid hitting LE's rate limit. :confused:

    Not a bad work-around... but no work-around should be needed in the first place! I share your frustration.
    0
  • swbrains
    Given that this issue has been occurring for over a couple of years with no longer term solution (and I've not heard of a definitive planned solution), one "workaround" -- in order to keep AutoSSL as a "hands-off" solution for hosting providers -- might be to add an option to AutoSSL that says "Use alternative provider if certificate expires without successful renewal". If enabled, the AutoSSL system could catch the Sectigo failures to renew, and if the cert is already expired (or will before the next renewal attempt), then issue a one-time request to the "alternate provider" (Let's Encrypt in this case) for that domain's certificate. This would occur without switching the user's primary provider setting in cPanel, so future attempts would still occur through the primary selected provider (Sectigo in these cases). But failures that would result in a loss of active SSL status for a site could "fall back" to using the other provider to ensure the site is not left without a valid, active certificate in the meantime.
    0
  • swbrains
    As a workaround to this issue to avoid expiring certs, I've written a Perl script that I intend to run once per day at a time that is NOT coinciding with the running of the AutoSSL check-all script. Most likely this will be a couple of hours after that check runs, but still preferably overnight when the server is least busy. The script will basically do the following:

        change ssl provider to 'LetsEncrypt'
        get list of all hosted accounts on server
        for each account {
            get list of parked domains for account
            for each domain in parked-domain-list {
                get expiration date of certificate containing this domain
                if expiration date is less than one day away (i.e. it has likely failed recent cPanel renewal checks) {
                    initiate the AutoSSL check for that account (with Let's Encrypt as the active provider)
                }
            }
        }
        change ssl provider back to 'cPanel'

    Since Let's Encrypt seems to be fairly reliable (but I have issues with rate limiting so I can't switch to it for all accounts every time), my hope is that this will catch the accounts that have trouble renewing in time under cPanel/Sectigo and simply do what I've been doing manually -- Going into Manage AutoSSL, switching to Let's Encrypt, running a check for that one user, then switching back to cPanel/Sectigo.
    0
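
The selection step of the workaround outlined in the post above, as an added Python example (not swbrains's Perl script and not cPanel code): it finds accounts whose certificates are inside the one-day window, most urgent first, and goes slightly further by capping the batch so the fallback provider's rate limit is respected. The function names, the inventory shape, the cap and the sample data are assumptions made for illustration; switching providers and starting the AutoSSL check are left out.

```python
import socket
import ssl
import time

DAY = 86400
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify result code


def seconds_left(not_after, now):
    """Seconds until expiry for a notAfter string in getpeercert() format."""
    return ssl.cert_time_to_seconds(not_after) - now


def probe_seconds_left(host, port=443, timeout=10.0):
    """Ask the live server how long its certificate has left (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return seconds_left(tls.getpeercert()["notAfter"], time.time())
    except ssl.SSLCertVerificationError as err:
        # An expired certificate fails the handshake, so its dates cannot be
        # read; report it as expired instead of crashing the nightly run.
        if err.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return -1.0
        raise  # hostname mismatch, unknown issuer etc. need a human


def accounts_needing_fallback(inventory, now, threshold=DAY, max_accounts=None):
    """Pick accounts with any certificate expiring within `threshold` seconds.

    inventory: {account: {domain: notAfter string}}. Most urgent account first;
    max_accounts caps the batch so the fallback provider's rate limit is not hit.
    """
    urgent = []
    for account, domains in inventory.items():
        if not domains:
            continue  # nothing to renew for this account
        worst = min(seconds_left(na, now) for na in domains.values())
        if worst < threshold:
            urgent.append((worst, account))
    urgent.sort()
    picked = [account for _, account in urgent]
    return picked if max_accounts is None else picked[:max_accounts]


# Constructed sample data (not from the thread): account -> domain -> notAfter.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 10 00:00:00 2023 GMT")
SAMPLE_INVENTORY = {
    "alice": {"alice.example.com": "Mar 10 12:00:00 2023 GMT",       # 12 h left
              "shop.alice.example.com": "May 30 00:00:00 2023 GMT"},
    "bob": {"bob.example.com": "Mar  9 06:00:00 2023 GMT"},          # expired
    "carol": {"carol.example.com": "Apr 20 00:00:00 2023 GMT"},      # healthy
    "dave": {},                                                       # no domains
}

if __name__ == "__main__":
    for account in accounts_needing_fallback(SAMPLE_INVENTORY, SAMPLE_NOW):
        print("re-check with fallback provider:", account)
```

Run from cron a couple of hours after the nightly AutoSSL check, the same list can also feed an alert, which covers the missing "certificate expired" notification raised earlier in the thread.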
  • Jheroen
    So switching to LE will handle everything except the hostname, which will continue to be "handled" through Sectigo? Currently all my servers are, or just fiiiiinally succeeded, negotiating a hostname cert with Sucktigo... :/ Save me a few minutes of searching and point me to the script manually to run for host certs, so I can address it on servers that are expired. Please and thank you! Is this the thinking behind offering both side-by-side? LE for everything but hostname cert, and Sectigo still for hostname? That it will spread out the load and lessen the grief (temporarily)? You're kidding, right? I see this error all-the-time! Along with "Sucktigo's too busy to care." From right now: "10:43:49 PM ERROR AutoSSL failed to request an SSL certificate for "....com" because of an error: (XID 8wp6mp) The response to the HTTP (Hypertext Transfer Protocol) "POST" request from " indicated an error (504, Gateway Timeout):

    504 Gateway Tim" " "10:45:22 PM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later." "10:46:10 PM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later." "10:52:02 PM WARN (XID zdp9ra) The response to the HTTP (Hypertext Transfer Protocol) "GET" request from " indicated an error (504, Gateway Timeout):

    504 Gateway Tim" " ---- Regarding this whole issue 1- Let me tell you how for over a month (when things went to crap again, after being "ok" for a while) I have been babysitting tons of expired cert requests, repeating until they finally succeed. Grrr... what a pain! Why don't I go to LE, you ask? Last time I heard, cPanel was "addressing the issue" and I relied on that to come through... Until about a month ago, and since then have been too busy to get on here and yell about it. (...and see the Sectigo dumpster fire.) 2- I can get ALL KINDS of cert notifications, EXCEPT expired certs. What on earth?! Why? I went to turn that on so I could not miss an expired cert (until a client complains) but there's no such thing. Please explain this silliness! (I looked. Twice. If you show me it's there I'll apologize.)


    When is this BS system fixed!!!!!!!!!!!!!! The system will try again later means the system won't do anything other than NOT work!
    0
  • ITHKBO
    We received a notification from cpanel.net that there was planned maintenance last weekend for Sectigo. I have no idea if it resolved the above as we no longer use Sectigo, Comodo for exactly the same reasons. We gave up on it about 6 months ago. I have attached the notification below. Furthermore, the usability score in the interface has been bumped down for Sectigo, so though I cannot confirm this, it can be an indication that the official solution is to get rid of Sectigo. Based on that the cPanel trademark has been removed. 106 vs 108
    0
  • PeteS
    I can report that where I am using Sectigo, it is once again working pretty well. I suspect it is a lightening of the load of time as servers switch to LE? I don't know that anything was "fixed" but it is working better and the baked in LE option is also a good thing.
    0
  • perplex
    @cPRex This is absolutely ridiculous "2:07:46 AM The "Sectigo" provider cannot currently accept incoming requests. The system will try again later." When is someone going to take action and provide a fix? The cPanel Sectigo Auto-SSL service is currently NOT FIT FOR USE!
    0
  • slim
    Switch to lets encrypt - It's easy in the 'Manage AutoSSL' section of WHM - Just switch from Sectigo -> Lets Encrypt and your problems will be solved. It works identically and the switch over for me was seamless. SSL's are almost instant.
    0
  • perplex
    Switch to lets encrypt - It's easy in the 'Manage AutoSSL' section of WHM - Just switch from Sectigo -> Lets Encrypt and your problems will be solved. It works identically and the switch over for me was seamless. SSL's are almost instant.

    Thanks but Lets encrypt is unable to handle the volume of domains (10,000+) I have due to their limits eg. " You can combine multiple hostnames into a single certificate, up to a limit of 100 Names per Certificate." cPanel AutoSSL renew continues to throw a variation of crappy errors, again today "11:14:48 PM ERROR AutoSSL failed to request an SSL certificate for "example.com" because of an error: (XID pdaias) The cPanel Store returned an error (X::UnknownError) in response to the request "POST ssl/certificate/free": Service Unavailable!"
    0
  • cPRex Jurassic Moderator
    Yes, the one drawback with Let's Encrypt for some users is the domain limit.
    0
  • SlapHappy
    It's clear that Sectigo and Let's Encrypt cannot sustain a free giveaway for every domain indefinitely due to the costs associated with running and maintaining the infrastructure, which has become increasingly strained due to the growing demand for free certificates. This issue has persisted for at least two/three years, indicating that the free model is not sustainable long-term. Most of us discarded a small amount of revenue in exchange for upset clients and smug (move your hosting to us) SEO agencies asking why their eCommerce sites are scaring customers off.... for a freebie. Don't mistake me free is great, but free is never forever. Sell certificates, make some money, end the pain. and now, this: Google Announces Intentions to Limit TLS Certificates to 90 Days: Why Automated CLM is Crucial ..the arrogance
    0
  • mvandemar
    It's clear that Sectigo and Let's Encrypt cannot sustain a free giveaway

    You seem to be under a misconception. For one, Let's Encrypt isn't having an issue, they just have a limit that some people can't stay under due to the number of sites they have. For another, Sectigo doesn't give away free certificates. These are included with cpanel due to a deal they made, and I promise you that you are in fact paying for them as it has been worked into the various price increases that have been implemented since Oakley Capital bought cpanel back in 2018. If you try and buy a certificate yourself from Sectigo directly via the manual process at no point would they be overloaded and unable to generate one for you. -Michael
    0
  • SlapHappy
    These are included with cpanel due to a deal they made, and I promise you that you are in fact paying for them as it has been worked into the various price increases that have been implemented since Oakley Capital bought cpanel back in 2018.

    Where is this cited by Sectigo, Let's Encrypt or cPanel?
    0
  • mvandemar
    Where is this cited by Sectigo, Let's Encrypt or cPanel?

    What is it you want cited by Let's Encrypt? Their limits? You can read their TOS on that. As far as Sectigo? They do not have a free certificate aside from a trial product, ergo someone is paying for it. This isn't rocket science. -Michael
    0
  • DennisMidjord
    @SlapHappy I hardly doubt Let's Encrypt has any problems running their systems while providing their product free of charge. They have a lot of sponsors: Current Sponsors and Funders - Let's Encrypt They have 8 platinum sponsors. It takes $400,000 to be sponsored every year (or $325,000 in case you sponsor for three years at a time) to be a platinum sponsor.
    0
  • SlapHappy
    @SlapHappy I hardly doubt Let's Encrypt has any problems running their systems while providing their product free of charge. They have a lot of sponsors:
    0
  • mvandemar
    And Sectigo was acquired by GI Partners, a couple of years ago. So for both of them money is not a problem and they definitely don't need cPanel money.

    I'm sorry, are you saying that because they were acquired by another company they decided to give cpanel certificates for free, for no reason at all? Like, GI Partners, a company that purchases other companies specifically because those other companies will make them more money, purchased Sectigo and went, "Nah, we don't need any more money, we'll just give these away to the largest hosting control panel software company in the world for free now." Because if that's not what you're trying to imply then I have no idea what you're saying. At all. Let's Encrypt is a non-profit company whose goal is to make ssl certificates available to the entire world, for free. Sectigo is a for profit company whose goal is to make money. Again, this isn't complicated. -Michael
    0
  • david364
    There is a reason why there are so many complaints, and they don't end. In my opinion, Sectigo (and possibly cPanel in collusion), is guilty of fraud. They deliberately use the excuse of "rate limiting" to fail to renew free security certificates. LetsEncrypt does not do this, but Sectigo, in its greed, wants to protect its paid security certificate business any way it can. If Sectigo is "rate-limiting" only free certificate renewals, and NOT paid certificate renewals, then this is fraud, plain and simple. They want to provide an incentive for end-users to pay for certificates that will renew successfully. This is why nobody considers this a bug and will not fix it, no matter how many complaints occur. Please prove me wrong.
    0
  • Nerdbopper
    Ah yes, another weekend; Another morning of logging on to cPanel and seeing Sectigo is not currently renewing any domains for quite some time now. Brilliant.
    0
  • cPRex Jurassic Moderator
    @Nerdbopper - have you tried switching to Let's Encrypt?
    0
  • mvandemar
    @cPRex - 573 days since I opened this ticket. This is obviously just an issue with rate limiting on Sectigo's part, and whatever agreement they made with cpanel not being enough to cover the requests all of the cpanel users are actually sending. How is this not fixed yet? I just got woke up by a client because the server has been unable to renew the certs for a month, which it has been trying to do every night at exactly 9:35:01pm. I just ran it manually and it worked fine. Why not at least let us change the schedule, so if we get caught in peak traffic we can try for a lower traffic time? Why not show what the peak times are? Maybe if we were all more evenly distributed across the clock this wouldn't be such an issue. Or, what if when it gets down to the wire it starts attempting 2-3 times a day. Can't make it any worse if the connections are just getting rejected, right?? Just spitballing here. Obviously I have no idea if that would help at all, since cpanel refuses to give any actual answers here. Might be worth a try though. -Michael
    0