Failed update of services SSL certificates.
Hi!
I manage a VPS. CentOS v7.9.2009, cPanel v100.0.5
Lately I receive error warnings after update retry of SSL Certificates of Exim, Dovecot and WHM.
I have 15 more days to solve the problem, or else I assume mail accounts will stop working.
The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.
There is no checkallsslcerts.pl file to check line 654. I searched entire installation of Centos. I had also error message after command needs-restarting. There were countless lines like this.
http://138.118.173.126/cpanelsync/repos/CentOS/7/cpanel-plugins/x86_64/repodata/99b0ad5f230073f622ec9ed0c4629af674a01a6cf89967b987b69403cab97552-filelists.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found
Now this error is gone, but still can't update the SSL certificates. Could it be caused by regular use of systemctl daemon-reexec? I try to avoid reboot. Thank you!
-
Can you run this command and see what error you get? /usr/local/cpanel/bin/checkallsslcerts 0 -
Thank you for reply. I used it with --verbose. Same story for other two services.
The system will check for the certificate for the "cpanel" service.
The system will attempt to verify that the certificate for the "cpanel" service is still valid using OCSP (Online Certificate Status Protocol).
The "cpanel" service's current certificate comes with the server's cPanel license. This certificate expires in less than 25 days.
The system will attempt to renew and install a new certificate to the "cpanel" service and any other services that use the old certificate.
The system will attempt to install a certificate for the "cpanel" service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the "cpanel" service.
The system will attempt to install a certificate for the "cpanel" service from the cPanel store.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.
0 -
As this doesn't provide enough information the best would be to to look into this for you. @cPanelAnthony 0 -
Thank you, @andrew.n If you could open a ticket and provide the ID, that would be very helpful. 0 -
This is my request number. 94391391 Thanks to both of you! 0 -
Thanks! I am following this ticket. 0 -
ok we have the exact same problem. Same line number, everything. Is there an update what was wrong? Then I can fix it on our server as well. 0 -
Hi everyone! Was this solved, I have exactly the same situation since the latest update: I run a VPS with CentOS v7.9.2009, cPanel v100.0.5 and since the last update I receive error warnings after every update retry of SSL Certificates of FTP, Exim, Dovecot and WHM. I also tried to find the file mentioned in the error report, but there is no checkallsslcerts.pl file to check line 654. I ran /usr/local/cpanel/bin/checkallsslcerts as suggested by andrew.n and ended up having 100% similar message as Remus76. Any help would be appreciated. 0 -
Hi, I have exactly the same problem for 3 dedicated servers out of 10 without finding a solution. Do you have any news? 0 -
It looks like the issue in this ticket was due to a stale CSR file that had to be moved out of the way. It was fixed by moving the file out of the way and re-running AutoSSL.
[root@HOST ~]cPs# mv /var/cpanel/hostname_cert_csrs{,.cpbkp} -v
"/var/cpanel/hostname_cert_csrs" -> "/var/cpanel/hostname_cert_csrs.cpbkp"
However, this issue can be caused by a variety of problems. It would be best to open a ticket using the link in my signature if anyone is having issues. Otherwise, please reach out to your web hosting provider if you cannot open one with us directly. 0 -
We had this exact issue as well. Happy to report the fix by cPanelAnthony worked like a charm. 0 -
Ok the fix works but I think that we know possibly why the csrs is stale: The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later. But maybe make something in the /usr/local/cpanel/bin/checkallsslcerts that removes stale csrs files... And could it be that because the server is set on autossl => letsencrypt that the queue isn't correctly processed for the cpanel store part? 0 -
Hello! I don't believe that would cause an issue, but that is a good suggestion! 0 -
We encountered this same issue over the weekend. I've got a ticket open as well. #94392338 Are the renewals now contingent on using a hostname with a domain name that you can manage? Right now we have a couple of VPSes using subdomains that our hosting provider provided, example: vps1234.hosting.com To the best of my (albeit relatively new) knowledge, this wasn't a problem in the past. 0 -
Thank you for the update. I am looking into your question here and will get back to you. 0 -
Thanks Anthony. Looks like our issue was entirely related to the Sectigo outage. Everything's good now. 0 -
I'm also glad to confirm that the fix by cPanelAnthony worked. Thanks! 0 -
I just ran into this problem. Below is the timeline of things I did:
1. Tried running
# /usr/local/cpanel/bin/checkallsslcerts
which resulted in the error message:
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.
2. Tried @cPanelAnthony fix, which DID remove the stale CSR
3. Tried running again:
# /usr/local/cpanel/bin/checkallsslcerts
which resulted in the error message:
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 649yf2) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
How can I fix this? 0 -
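The two error signatures in the post above can be told apart per service before deciding whether to move the CSR or simply retry. This is an added example, not part of the thread and not cPanel code; the one-message-per-line layout, the "dovecot" and "exim" section names and both function names are assumptions.

```shell
# Added example. Message texts are those quoted in this thread; one message per
# line and the "dovecot"/"exim" section names in the sample are assumptions.
# Reads checker output on stdin; prints "service<TAB>status<TAB>xid" per service.
summarize_sslcheck() {
    awk '
    BEGIN { status = "no_warning"; xid = "-" }
    # Section header: ... check for the certificate for the "NAME" service.
    /will check for the certificate for the "/ {
        if (svc != "") print svc "\t" status "\t" xid
        split($0, q, "\"")
        svc = q[2]; status = "no_warning"; xid = "-"
    }
    /\[WARN\]/ && /failed to acquire a signed certificate from the cPanel Store/ {
        if (svc == "") svc = "unknown"
        status = ($0 ~ /X::TemporarilyUnavailable/) ? "store_temporarily_unavailable" : "store_failure_unspecified"
        if (match($0, /\(XID [A-Za-z0-9]+\)/))
            xid = substr($0, RSTART + 5, RLENGTH - 6)
    }
    END { if (svc != "") print svc "\t" status "\t" xid }
    '
}
# Suggests a next step from what posters here report.
# $1 = status, $2 = CSR path (defaults to the path named in the thread).
next_step() {
    csr_path=${2:-/var/cpanel/hostname_cert_csrs}
    case $1 in
        store_temporarily_unavailable)
            echo "store-side error: retry later, open a ticket if it persists" ;;
        store_failure_unspecified)
            if [ -e "$csr_path" ]; then
                echo "possible stale CSR at $csr_path: move it aside, re-run"
            else
                echo "no CSR at $csr_path: check outbound firewall or open a ticket"
            fi ;;
        *)  echo "no action" ;;
    esac
}
# Constructed sample input built from the messages quoted in the thread.
sample_output() {
cat <<'EOF'
The system will check for the certificate for the "cpanel" service.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.
The system will check for the certificate for the "dovecot" service.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 649yf2) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
The system will check for the certificate for the "exim" service.
EOF
}
sample_output | summarize_sslcheck
```

On a real server the input would be the saved output of /usr/local/cpanel/bin/checkallsslcerts --verbose piped into summarize_sslcheck.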
I tried again this morning and the query went through. What was going on with the store? 0 -
I am not aware of specific cPanel store issues at this time. If the error happens again, can you open a support ticket immediately using the link in my signature and then update me with the ticket ID? 0 -
Having this same issue. Does whm/cpanel use a specific port for ssl issuance for the hostname interface? There's no problem with the autossl for domains, but we have this server behind a hardware firewall with very limited ports open. 0 -
Update, it was a firewall issue with us that gave this exact error. Not sure what ports are being used but apparently blocking some prevents the server from properly requesting a certificate for the hostname. 0 -
I really wish the cPanel devs did a better job of communicating what ports and IP's are necessary for various essential functions on servers that have to live in a more locked down state. We ran into a similar issue with WordPress Toolkit. Some parts of it just don't work correctly behind a restrictive firewall, and when we attempted to get some clarity on what we would need to whitelist we just kinda got a "¯\_(ツ)_/¯". 0 -
I agree, we generally have no need to keep some of the cpanel services ports open because we don't use them ever and they are a potential security risk. Even if there isn't a direct vulnerability, if they're publicly available, people will be bashing at them 24/7. I have one server that we use CSF/LFD on and leaving the cpanel or webmail or other ports open will result in literally tens of thousands of blocked IP's in a matter of hours. But, it's definitely not clear enough what ports are needed both in and out for basic functionality, seems common to run into processes that use a port that is unexpected or undocumented. Apparently some services either use their own ports or don't use the cpanel licensing or normal ones. I didn't bother to monitor the process when I was able to successfully run it. I'll probably do that next time just so I know what things are going out on and coming back in on. 0 -
Here's what worked for me:
- I added the server's domain as an account
- Installed a wildcard certificate using Let's Encrypt
- Assigned it to the cPanel/cPanel services under Manage Service SSL Certificates --> Browse Certificates --> Apache (then selected the wildcard *.serverdomain.com from step 2)
0 -
This worked for me:
It looks like the issue in this ticket was due to a stale CSR file that had to be moved out of the way. It was fixed by moving the file out of the way and re-running AutoSSL.
[root@HOST ~]cPs# mv /var/cpanel/hostname_cert_csrs{,.cpbkp} -v
"/var/cpanel/hostname_cert_csrs" -> "/var/cpanel/hostname_cert_csrs.cpbkp"
0