Failed update of services SSL certificates.

  • andrew.n
    Can you run this command and see what error you get? /usr/local/cpanel/bin/checkallsslcerts
  • Remus76
    Thank you for the reply. I used it with --verbose. Same story for other two services.
    The system will check for the certificate for the "cpanel" service.
    The system will attempt to verify that the certificate for the "cpanel" service is still valid using OCSP (Online Certificate Status Protocol).
    The "cpanel" service's current certificate comes with the server's cPanel license.
    This certificate expires in less than 25 days.
    The system will attempt to renew and install a new certificate to the "cpanel" service and any other services that use the old certificate.
    The system will attempt to install a certificate for the "cpanel" service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the "cpanel" service.
    The system will attempt to install a certificate for the "cpanel" service from the cPanel store.
    [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.
  • andrew.n
    As this doesn't provide enough information, the best would be to look into this for you. @cPanelAnthony
  • cPanelAnthony
    Thank you, @andrew.n. If you could open a ticket and provide the ID, that would be very helpful.
  • Remus76
    This is my request number. 94391391 Thanks to both of you!
  • cPanelAnthony
    Thanks! I am following this ticket.
  • timmit
    ok we have the exact same problem. Same line number, everything. Is there an update what was wrong? Then I can fix it on our server as well.
  • Bayern
    Hi everyone! Was this solved, I have exactly the same situation since the latest update: I run a VPS with CentOS v7.9.2009, cPanel v100.0.5 and since the last update I receive error warnings after every update retry of SSL Certificates of FTP, Exim, Dovecot and WHM. I also tried to find the file mentioned in the error report, but there is no checkallsslcerts.pl file to check line 654. I ran /usr/local/cpanel/bin/checkallsslcerts as suggested by andrew.n and ended up having 100% similar message as Remus76. Any help would be appreciated.
  • Cyrtocara
    Hi, I have exactly the same problem for 3 dedicated servers out of 10 without finding a solution. Do you have any news?
  • Jean-Paul Bleau
    I also have the same issue. Except for the IP address:
  • cPanelAnthony
    It looks like the issue in this ticket was due to a stale CSR file that had to be moved out of the way. It was fixed by moving the file out of the way and re-running AutoSSL.
    [root@HOST ~]cPs# mv /var/cpanel/hostname_cert_csrs{,.cpbkp} -v
    "/var/cpanel/hostname_cert_csrs" -> "/var/cpanel/hostname_cert_csrs.cpbkp"
    However, this issue can be caused by a variety of problems. It would be best to open a ticket using the link in my signature if anyone is having issues. Otherwise, please reach out to your web hosting provider if you cannot open one with us directly.
  • jhawkins003
    We had this exact issue as well. Happy to report the fix by cPanelAnthony worked like a charm.
  • timmit
    Ok the fix works but I think that we know possibly why the csrs is stale: The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later. But maybe make something in the /usr/local/cpanel/bin/checkallsslcerts that removes stale csrs files... And could it be that because the server is set on autossl => letsencrypt that the queue isn't correctly processed for the cpanel store part?
  • cPanelAnthony
    Hello! I don't believe that would cause an issue, but that is a good suggestion!
  • astroud
    We encountered this same issue over the weekend. I've got a ticket open as well. #94392338 Are the renewals now contingent on using a hostname with a domain name that you can manage? Right now we have a couple of VPSes using subdomains that our hosting provider provided, example: vps1234.hosting.com To the best of my, albeit relatively new, knowledge, this wasn't a problem in the past.
  • cPanelAnthony
    Thank you for the update. I am looking into your question here and will get back to you.
  • astroud
    Thanks Anthony. Looks like our issue was entirely related to the Sectigo outage. Everything's good now.
  • Bayern
    I'm also glad to confirm that the fix by cPanelAnthony worked. Thanks!
  • coursevector
    I just ran into this problem. Below is the timeline of things I did:
    1. Tried running # /usr/local/cpanel/bin/checkallsslcerts
    which resulted in the error message: [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.
    2. Tried @cPanelAnthony fix, which DID remove the stale CSR
    3. Tried running again: # /usr/local/cpanel/bin/checkallsslcerts
    which resulted in the error message: [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 649yf2) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
    How can I fix this?
  • coursevector
    I tried again this morning and the query went through. What was going on with the store?
  • cPanelAnthony
    I am not aware of specific cPanel store issues at this time. If the error happens again, can you open a support ticket immediately using the link in my signature and then update me with the ticket ID?
  • jestep
    Having this same issue. Does whm/cpanel use a specific port for ssl issuance for the hostname interface? There's no problem with the autossl for domains, but we have this server behind a hardware firewall with very limited ports open.
  • jestep
    Update, it was a firewall issue with us that gave this exact error. Not sure what ports are being used but apparently blocking some prevents the server from properly requesting a certificate for the hostname.
  • jhawkins003
    I really wish the cPanel devs did a better job of communicating what ports and IP's are necessary for various essential functions on servers that have to live in a more locked down state. We ran into a similar issue with WordPress Toolkit. Some parts of it just don't work correctly behind a restrictive firewall, and when we attempted to get some clarity on what we would need to whitelist we just kinda got a ¯\_(ツ)_/¯.
  • jestep
    I agree, we generally have no need to keep some of the cpanel services ports open because we don't use them ever and they are a potential security risk. Even if there isn't a direct vulnerability, if they're publicly available, people will be bashing at them 24/7. I have one server that we use CSF/LFD on and leaving the cpanel or webmail or other ports open will result in literally tens of thousands of blocked IP's in a matter of hours. But, it's definitely not clear enough what ports are needed both in and out for basic functionality, seems common to run into processes that use a port that is unexpected or undocumented. Apparently some services either use their own ports or don't use the cpanel licensing or normal ones. I didn't bother to monitor the process when I was able to successfully run it. I'll probably do that next time just so I know what things are going out on and coming back in on.
  • cPRex Jurassic Moderator
    We have a full list of firewall options here:
  • chadreitsma
    Here's what worked for me
    • I added the server's domain as an account
    • Installed a wildcard certificate using Let's Encrypt
    • Assigned it to the cPanel/cPanel services under Manage Service SSL Certificates --> Browse Certificates --> Apache (then selected the wildcard *.serverdomain.com from step 2)
  • interwave
    This worked for me
    It looks like the issue in this ticket was due to a stale CSR file that had to be moved out of the way. It was fixed by moving the file out of the way and re-running AutoSSL.
    [root@HOST ~]cPs# mv /var/cpanel/hostname_cert_csrs{,.cpbkp} -v
    "/var/cpanel/hostname_cert_csrs" -> "/var/cpanel/hostname_cert_csrs.cpbkp"

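The triage order this thread arrives at, written out as an added shell example (not cPanel's code and not posted by anyone in the thread). The function names and result labels are hypothetical; the two sample messages are the ones quoted in the posts above, and the causes covered are only those reported here.

```shell
#!/bin/sh
# Added example (not cPanel code). Function names and labels are hypothetical.

CSR_PATH=/var/cpanel/hostname_cert_csrs         # path from the thread
CHECKER=/usr/local/cpanel/bin/checkallsslcerts  # command from the thread

# Messages quoted in the thread, reused here as sample input.
SAMPLE_GENERIC='[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.'
SAMPLE_STORE='[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 649yf2) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.'

# Map checker output to the next step the thread suggests. The specific store
# error is tested first because its message also contains the generic sentence.
triage_output() {
    case "$1" in
        *"X::TemporarilyUnavailable"*) echo "store-unavailable" ;;   # retry later
        *"failed to acquire a signed certificate"*) echo "stale-csr-or-firewall" ;;
        *"[WARN]"*) echo "unknown-warning" ;;                        # open a ticket
        *) echo "ok" ;;
    esac
}

# Move the CSR path aside under a timestamped name, so a backup left by an
# earlier attempt is never merged into or overwritten.
set_aside_csrs() {
    csr_src="${1:-$CSR_PATH}"
    [ -e "$csr_src" ] || { echo "nothing-to-move"; return 0; }
    csr_bak="${csr_src}.cpbkp.$(date +%Y%m%d%H%M%S)"
    mv -- "$csr_src" "$csr_bak" && echo "$csr_bak"
}

# On a cPanel host: run the checker, classify the output, and touch the CSR
# path only when the generic error is seen. Re-run the checker afterwards.
if [ -x "$CHECKER" ]; then
    verdict="$(triage_output "$("$CHECKER" --verbose 2>&1)")"
    echo "verdict: $verdict"
    if [ "$verdict" = "stale-csr-or-firewall" ]; then set_aside_csrs; fi
fi
```

If the verdict is still `stale-csr-or-firewall` after the CSR path has been set aside, the remaining cause reported in the thread is blocked outbound traffic.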
