[CPANEL-39321] Service SSL Certificates expire in 11 days, but not auto renewing

Comments

51 comments

  • cPanelAnthony
    Hello! Would it be possible for you to open a ticket with cPanel using the link in my signature? If you can't, it's possible your web hosting provider could open one. Provide me with the ticket ID if you do.
    0
  • qcomber
    I just found this:
    0
  • cPanelAnthony
    I just found this:
    0
  • dexus
    I do not understand why the SSL renewal period is now lowered to less than 3 days. It should be at least 7 days, or better 15 days.
    0
  • cPanelAnthony
    I do not understand why the SSL renewal period is now lowered to less than 3 days. It should be at least 7 days, or better 15 days.

    This is an issue we are actively working on and is known. Please see the
    0
  • qcomber
    Hello! Upon reviewing, either option should be fine. The certificates should renew at three days, but you can do the workaround if you want to get this done early and not have to worry.

    It's now Nov 25th and upcp ran this am at 03:30. Almost as expected, the service SSL certs *have not* been auto renewed. Pls see the log entries:

    [2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will check for the certificate for the "exim" service.
    [2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to verify that the certificate for the "exim" service is still valid using OCSP (Online Certificate Status Protocol).
    [2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The "exim" service's certificate will expire soon (Nov 28, 2021). If this certificate remains installed on Nov 25, 2021, the system will attempt to replace it.
    [2021-11-25 03:30:31 +0000] - Finished command `/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose` in 0.402 seconds
    [2021-11-25 03:30:31 +0000] Processing: Purging invalid or soon-to-expire Domain TLS entries for service domains
    [2021-11-25 03:30:31 +0000] 62% complete

    These appear to say that it has recognised the cert is expiring on the 28th and if it remains installed on the 25th it will try to replace it. This log entry is on the 25th and I can confirm the cert has not been auto updated. I'm therefore forced into the workaround in my last post. I'm very wary of this as if there are any issues we may end up with no certificates on multiple live services.
    0
  • qcomber
    I decided not to proceed with the work around until the weekend to mitigate the risk of interruption to multiple live services which are in constant use. However, during last night's upcp the system did actually attempt the auto-update, hooray! It seems like cPanel need to look at the date conditions in upcp as they obviously don't match the logs or auto gen emails sent. *BUT* the logs returned:

    [2021-11-26 03:30:27 +0000] - Processing command `/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose`
    [2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will check for the certificate for the "cpanel" service.
    [2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to verify that the certificate for the "cpanel" service is still valid using OCSP (Online Certificate Status Protocol).
    [2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to replace the certificate for the "cpanel" service with a signed certificate from the cPanel Store because the current certificate expires in less than 2 days.
    [2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to install a certificate for the "cpanel" service from the system ssl storage.
    . . . .
    [2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] Succeeded domains: 8
    [2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] Failed domains: 0
    [2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] Requesting certificate from cPStore "
    [2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.

    Please can someone confirm whether the cPanel Store is down? If so then the workaround in my earlier post will not work - it uses /usr/local/cpanel/bin/checkallsslcerts... EDIT 1: Or maybe this is related to the license issue I mentioned in my first post. This should not be the case as WHM is now working. I've also checked 'Server Configuration -> WHM Marketplace' and the license status is 'Active' AND the server's primary IP works in
    0
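The two failure modes reported in the posts above (a run that only defers on the very date it promised to replace the certificate, and a cPanel Store error during replacement) can be picked out of a upcp log mechanically. The following is an added example, not cPanel code and not from any poster; the message patterns are taken from the log excerpts quoted in this thread and are assumed to be stable, and the names `triage` and `SAMPLE` are hypothetical.

```python
import re
from datetime import datetime

# Sample lines copied from the upcp log excerpts quoted in this thread.
SAMPLE = '''\
[2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The "exim" service's certificate will expire soon (Nov 28, 2021). If this certificate remains installed on Nov 25, 2021, the system will attempt to replace it.
[2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to replace the certificate for the "cpanel" service with a signed certificate from the cPanel Store because the current certificate expires in less than 2 days.
[2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
'''

# Only lines emitted by checkallsslcerts are considered; group 1 is the log date.
LINE = re.compile(r'^\[(\d{4}-\d{2}-\d{2}) [^\]]+\] '
                  r'\[/usr/local/cpanel/bin/checkallsslcerts\] (.*)$')
# "service.s" tolerates the apostrophe being mangled in copied logs.
DEFERRED = re.compile(r'The "([^"]+)" service.s certificate will expire soon \(([^)]+)\)\. '
                      r'If this certificate remains installed on ([^,]+, \d{4}),')
REPLACE = re.compile(r'attempt to replace the certificate for the "([^"]+)" service')
STORE_ERR = re.compile(r'The cPanel Store returned an error \(([^)]+)\)')


def _day(text):
    """Parse dates written like 'Nov 28, 2021' (C/English locale assumed)."""
    return datetime.strptime(text, "%b %d, %Y").date()


def triage(log_text):
    """Return (service, finding, days_left) tuples worth an operator's attention."""
    findings = []
    last_service = None  # service named by the most recent replacement attempt
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        logged = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        msg = m.group(2)
        if (d := DEFERRED.search(msg)):
            service, expires, replace_on = d.group(1), _day(d.group(2)), _day(d.group(3))
            # The run took place on or after the promised date but still only deferred.
            if logged >= replace_on:
                findings.append((service, "deferred-past-replace-date", (expires - logged).days))
        elif (r := REPLACE.search(msg)):
            last_service = r.group(1)
        elif (e := STORE_ERR.search(msg)):
            findings.append((last_service, "store-error:" + e.group(1), None))
    return findings
```

Feeding it the nightly upcp log and alerting on any non-empty result gives earlier notice than waiting for the expiry e-mail.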
  • qcomber
    After my last post, I reset the upcp cron to run at 3:30am. I received the dreaded 'The SSL certificate for "cpanel" on "host.name.com" will expire in less than 30 days.' at 03:31. BUT, something has auto-installed the certs - WHM Manage Service SSL Certificates screen now shows they are set to expire 2/26/22. The upcp log from 03:30 doesn't confirm successful installation of new certs specifically, but it also doesn't mention retrying the store in an hour, so maybe it was that, but if so then why send the email? What a seat of the pants palaver. Hopefully cPanel can get COBRA-13510 resolved before 26th Feb next year to avoid a month of bricking it to a last minute crescendo - well last few hours. For peace of mind I'm considering a third party wildcard cert with a longer term expiry. Can anyone advise/recommend?
    0
  • Gingerweb
    I have had exactly the same issue, mine were due to expire tomorrow and hadn't renewed 3 days before so I ran: /usr/local/cpanel/bin/checkallsslcerts which I got from
    0
  • Gingerweb
    Disappointed no reply from cPanel, we had to buy a replacement SSL certificate for the cPanel server and install it, I thought these were automatically sorted. Nightmare few days with cert warnings
    0
  • galileuNet
    Hello, I have the same problem. For us, and according to cPanel support, the problem is related to recent domain control validation requirements of cPanel free hostname certificate provider, Sectigo. The new requirements essentially dictate that the server be authoritative for the hostname's DNS, and that HTTP DCV validation will no longer function as it used to. More information in this link: Modifications to Available File-Based Methods of Domain Control Validation. This is all I know. A solution may be to add an NS record pointing to the server subdomain (if your register company can), (host IN NS ns.name.com). This will make your cPanel server authoritative for the subdomain. If that does not work, the last solution is to install a third-party certificate.
    0
  • JoseDieguez
    still no fix for this?
    0
  • cPanelAnthony
    Hello! Our development team has identified the issue and they are working diligently. Please allow just a little more time and I will have an update for this thread soon. It looks like we're shooting for the next cPanel update.
    0
  • ciao70
    Hello, cPanel 100.0.5 edge Fixed case CPANEL-39321: Adjust hostname SSL certs' DCV for ancestor/implicit DCV change.
    0
  • cPanelAnthony
    Hello, cPanel 100.0.5 edge Fixed case CPANEL-39321: Adjust hostname SSL certs' DCV for ancestor/implicit DCV change.
    0
  • galileuNet
    Hello! If I understand, this problem will be solved on version 100.0.5. (Great!) I don't have to do anything on DNS ancestor domain? (I hope this...) :rolleyes:
    0
  • cPanelAnthony
    Hello! If I understand, this problem will be solved on version 100.0.5. (Great!) I don't have to do anything on DNS ancestor domain? (I hope this...) :rolleyes:

    This is correct; as long as you update to version 100.0.5, you should be good.
    0
  • verdon
    I am running on 100.0.5 and my certificate is not renewing. Should I open a ticket? Thanks :-)
    This is correct; as long as you update to version 100.0.5, you should be good.

    0
  • cPanelAnthony
    I am running on 100.0.5 and my certificate is not renewing. Should I open a ticket? Thanks :)

    If you could! Update me with the ticket once you do so.
    0
  • verdon
    If you could! Update me with the ticket once you do so.

    Thank you. Ticket ID is #94392864
    0
  • verdon
    If you could! Update me with the ticket once you do so.

    Hi @cPanelAnthony, I thought I replied, but I don't see it now. I must have forgotten to post it. In any case, I did open a ticket #94392864 and received a very quick reply from Thomas. He pointed me to an article about the situation, which I had read. I had mistakenly thought this had been resolved in 100.0.5 but apparently not. So, I now have instruction to force it if I don't want to wait until the 3 day auto renewal. Seeing how that would be Christmas Day, I'll probably force it ahead of time. Thanks again.
    0
  • cPanelAnthony
    I'm happy to hear you found a solution!
    0
  • Benjamin D.
    Running on 100.0.5 and ever since, some of my customers' domains certs are not renewing. PLEASE HELP.
    0
  • cPanelAnthony
    Running on 100.0.5 and ever since, some of my customers' domains certs are not renewing. PLEASE HELP.

    Can you open a ticket using the link in my signature so we can investigate the SSL issues? If you cannot, your web hosting provider should be able to open one on your behalf.
    0
  • cPanelAnthony
    Just confirming this IS fixed as of version 100!
    0
  • dexus
    Just confirming this IS fixed as of version 100!

    What do you exactly mean by version 100? Bug was introduced in version 100, and it was still not fixed in 100.0.5. What is exact version with a fix and when it will be in release?
    0
  • bethimc
    What do you exactly mean by version 100? Bug was introduced in version 100, and it was still not fixed in 100.0.5. What is exact version with a fix and when it will be in release?

    Just confirmed as well. 100.5 did not autorenew service certs. Account certs are renewing, but with lots of errors. I am excluding a lot of cpanel-generated subdomains from the renewals. Manually running /usr/local/cpanel/bin/checkallsslcerts, per the support article posted above, did renew my service certificates. Off to check my other servers....
    0
  • kingsburyweb
    I'm also running cPanel v100.0.5 and have this issue as well. Last year, I never ran into this problem and everyone's domains certs were automatically renewed. Now I get daily notifications of "Potential reduced AutoSSL coverage" with the following information: AutoSSL would normally renew this certificate now, but 6 of the website's secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Jan 18, 2022 at 12:00:00 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 3 days, 4 hours, 1 minute, and 15 seconds. For domains not pointed to our name-servers, however the root and www records are pointed to the server IP, we noticed these warnings as of recently.. webmail. cpcontacts. cpanel. mail. etc.. might not be pointed to our web server in lets say GoDaddy DNS, but the email does validate that the main domain name and www records are. Something is going on here...? Occasionally we are getting calls from customers that their website is showing a certificate warning?! Again, this has never happened before so a recent cPanel release must have caused these issues.
    0
  • keithl
    Pleased to say the work around - cPanel - worked for me and got my service certificates updated. Worth noting, as much as it shouldn't matter if the certificate isn't renewed until three days before the expiration, in reality it does. Had a call from a customer this afternoon (which is why I became aware of this) because on his Mac it was giving him an error due to the certificate being close to expiring, and it seems in Apple land that makes it dodgy, so without him expressly choosing the "it's OK, I trust this" style option it wouldn't let him collect his email.
    AutoSSL would normally renew this certificate now, but 6 of the website's secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Jan 18, 2022 at 12:00:00 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 3 days, 4 hours, 1 minute, and 15 seconds

    Noticed the same thing over the last couple of months. The work around is to go into the relevant site's cPanel and open the "SSL/TLS Status" app. Within that you can see the status of autossl for each host name, and select to exclude any from being included in AutoSSL that don't actually exist. If you don't see that app, you need to ensure the "SSL Host Installer" feature is enabled for that account, and no, as far as I can find there's no way to bulk make the change or do it from within WHM annoyingly.
    0
  • bellwood
    FWIW, lately we've been seeing A LOT of: The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.
    ...in our AutoSSL logs. Seemingly sticky to certain domains.
    0