
[COBRA-13435] AutoSSL not renewing domain certificate when some hosts fail DCV

Comments

25 comments

  • Legin76
We are also getting this issue. When we run a check on the domains waiting, we get a message like the one below on all of them. We currently have 4 accounts that have expired SSL certificates that are stuck in the queue: The provider "cPanel (powered by Sectigo)"'s AutoSSL queue already contains a certificate request for "accountname"'s website "domain.com". The request's start time is Jan 4, 2022, 12:35:06 AM UTC. Two of them use Cloudflare but the other two do not.
    0
  • Legin76
Update to this, but Cloudflare appears to be unrelated. We currently have 45 domains and subdomains with expired certificates all waiting in Sectigo's queue.
    0
  • quietFinn
Update to this, but Cloudflare appears to be unrelated. We currently have 45 domains and subdomains with expired certificates all waiting in Sectigo's queue.

    You see those in WHM -> SSL/TLS -> Manage AutoSSL -> Pending Queue ? We had that kind of problem in one server, and after waiting about 1-2 hours I switched to Let's Encrypt, removed the expired certificates and Let's Encrypt installed them in a few seconds. :rolleyes:
    0
  • Legin76
    You see those in WHM -> SSL/TLS -> Manage AutoSSL -> Pending Queue ? We had that kind of problem in one server, and after waiting about 1-2 hours I switched to Let's Encrypt, removed the expired certificates and Let's Encrypt installed them in a few seconds. :rolleyes:

    Yes.. This is now up to 86 :(
    0
  • cPanelAnthony
    Hello! I will inquire to see if I can get more information about these ongoing AutoSSL issues.
    0
  • Legin76
I opened a ticket with cPanel and it appears to be down to this, which isn't ideal for me; our server is now end of life.
    0
  • Legin76
As a temporary fix I changed from Sectigo to Let's Encrypt, which works for the moment, but I suspect it might not for long. It at least gives us time to migrate the sites to a newer server.
    0
  • cPanelAnthony
    Thank you so much for the updates and your patience.
    0
  • DennisMidjord
cPanel definitely changed something in a recent update. A lot of clients have been contacting us in the last few weeks because they received emails about some domains failing DCV. These domains have always failed DCV, but the certificate was still issued. This is no longer the case. Even though AutoSSL says the certificate will be renewed (while excluding the domains that failed DCV), renewal doesn't work. This is a huge issue since we have a lot of clients who are using an external DNS provider. They haven't created the cpcalendar, webmail, cpcontacts and autodiscover subdomains. cPanel can no longer renew these certificates; we have to exclude the subdomains from AutoSSL before the certificate can be renewed. The past month, I've basically just been excluding domains from AutoSSL and telling our clients about the issue all day long. What a headache!
    0
  • cPanelAnthony
cPanel definitely changed something in a recent update. A lot of clients have been contacting us in the last few weeks because they received emails about some domains failing DCV. These domains have always failed DCV, but the certificate was still issued. This is no longer the case. Even though AutoSSL says the certificate will be renewed (while excluding the domains that failed DCV), renewal doesn't work. This is a huge issue since we have a lot of clients who are using an external DNS provider. They haven't created the cpcalendar, webmail, cpcontacts and autodiscover subdomains. cPanel can no longer renew these certificates; we have to exclude the subdomains from AutoSSL before the certificate can be renewed. The past month, I've basically just been excluding domains from AutoSSL and telling our clients about the issue all day long. What a headache!

    Hello! Which specific DCV errors were you seeing in the logs?
    0
  • DennisMidjord
    Hello! Which specific DCV errors were you seeing in the logs?

Either that the DNS record doesn't exist or that it's pointing to an external IP. We have clients that have made no changes to DNS for years, and renewal of SSL certificates has always worked. Just not any more.
    0
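The failures DennisMidjord describes (service subdomains with no record at an external DNS provider, or records pointing at another IP) can be found before AutoSSL runs. The script below is an added example, not cPanel's code: it resolves each hostname AutoSSL would put on the account's certificate and reports which ones cannot pass HTTP DCV from this server. The list of service subdomains and the sample zone are assumptions constructed for the example; the resolver is injected so it runs offline.

```python
"""Offline pre-check for cPanel AutoSSL DCV on service subdomains.

Added example (not cPanel's code). Before AutoSSL attempts HTTP DCV, every
hostname on the certificate must resolve to this server. Hostnames with no
record, or records pointing at another IP, are the ones reported as
"DNS record doesn't exist" / "pointing to an external IP" and that had to be
excluded from AutoSSL. The resolver is injected so the script runs offline
on constructed data; in production pass a real lookup such as
socket.getaddrinfo(host, 443, socket.AF_INET), wrapped to return [] on
socket.gaierror.
"""
from typing import Callable, Dict, Iterable, List

# Service subdomains cPanel adds to an account's certificate. The exact set
# depends on server settings (proxy subdomains, autodiscover support), so this
# list is an assumption for the example.
SERVICE_SUBDOMAINS = ("www", "mail", "cpanel", "webmail", "webdisk",
                      "cpcontacts", "cpcalendars", "autodiscover")

Resolver = Callable[[str], List[str]]  # hostname -> IPv4 answers, [] if none


def classify_hosts(domain: str, server_ips: Iterable[str],
                   resolve: Resolver) -> Dict[str, List[str]]:
    """Sort the account's hostnames into ok / missing / external."""
    ours = set(server_ips)
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "external": []}
    for host in [domain] + [f"{s}.{domain}" for s in SERVICE_SUBDOMAINS]:
        answers = resolve(host)
        if not answers:
            result["missing"].append(host)      # NXDOMAIN / no A record
        elif set(answers) & ours:
            result["ok"].append(host)           # at least one answer hits us
        else:
            result["external"].append(host)     # resolves, but not to this box
    return result


def excludes_needed(domain: str, server_ips: Iterable[str],
                    resolve: Resolver) -> List[str]:
    """Hostnames to exclude from AutoSSL so the remaining names can renew."""
    r = classify_hosts(domain, server_ips, resolve)
    return sorted(r["missing"] + r["external"])


# Constructed sample zone: an account whose DNS lives at an external provider
# where the client only created the records they knew about.
SAMPLE_ZONE = {
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.10"],
    "autodiscover.example.com": ["198.51.100.7"],  # hosted mail elsewhere
}


def sample_resolve(host: str) -> List[str]:
    return SAMPLE_ZONE.get(host, [])


if __name__ == "__main__":
    server = ["203.0.113.10"]
    report = classify_hosts("example.com", server, sample_resolve)
    for state, hosts in report.items():
        print(f"{state:8s} {', '.join(hosts) or '-'}")
    print("exclude:", " ".join(excludes_needed("example.com", server, sample_resolve)))
```

Running it on the sample zone lists the five service subdomains that were never created and the autodiscover record that points elsewhere; those are the names to exclude (or create at the external DNS provider) before the next AutoSSL run.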
  • cPanelAnthony
Either that the DNS record doesn't exist or that it's pointing to an external IP. We have clients that have made no changes to DNS for years, and renewal of SSL certificates has always worked. Just not any more.

    Thank you for the clarification. As there have been multiple AutoSSL issues, would it be possible to open a ticket with the link in my signature so we can investigate?
    0
  • 4u123
This has become a serious issue for us now. Happens every day. It's not just domains that have their DNS hosted elsewhere; it's all of them. Every day a client will contact us to say their certificate didn't get renewed automatically. We have found that running the following does seem to provide some improvement, but not always:

    /usr/local/cpanel/bin/autossl_check --all

    Often we will see the error mentioned below:

    "The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later."

    I think there are various other threads on the go about these issues.
    0
  • swbrains
    Not a solution, but it may help in the meantime to change the server's AutoSSL cron file (/etc/cron.d/cpanel_autossl) to run the AutoSSL check more frequently. cPanel support suggested this, and although I still see a number of "cannot accept incoming requests" messages in the daily logs, I'm not aware of any cases of SSL certs expiring before renewal on our server since modifying AutoSSL to run more frequently. I set it to run every 6 hours. I guess this quadruples the chances that the AutoSSL checking process will issue the request during a time when Sectigo's server actually can accept requests. The other workaround is to ensure AutoSSL is configured to NOT replace existing valid certs and switch to Let's Encrypt as your SSL provider, which seems to be more reliable but has the downside of rate limits. If those are an issue for you, you can appeal to LE to increase your specific rate limit. I did request an increase last week but have yet to hear back from them. The best solution, of course, would be if Sectigo's service could simply be corrected to work as reliably as it did in the past. They have a number of recent reports of certificate issuance delays/issues on their site (Sectigo) and each one is marked as resolved after clearing the backlog. But the same issue appears several times in the past few months, so it seems that it is not truly resolved.
    0
  • cPRex Jurassic Moderator
    @swbrains - I wish I had more positive things to say, but it's definitely not resolved.
    0
  • Ali Poonawala
I was able to resolve the problem for now by moving to Let's Encrypt as our AutoSSL provider. Instructions:

    Step 1: Install the Let's Encrypt cPanel plugin. Run the following command over SSH:

    /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

    Step 2: In WHM -> Manage AutoSSL -> Providers tab, select Let's Encrypt and click Save.

    Step 3: Run AutoSSL for all users (alternatively you may just do it for the domain where SSL did not renew).
    0
  • swbrains
    I was able to resolve the problem for now by moving to LetsEncrypt as our AutoSSL provider. Instructions:

    A tip for those that do this: Ensure that the AutoSSL option to replace existing valid certs is OFF before running a check-all operation under Lets Encrypt, particularly if you have a lot of accounts. I did this and quickly ran into the Lets Encrypt rate limit. Had to wait a week to try again after turning off the replacement setting. :(
    0
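The tip above is about volume: with "replace existing valid certs" on, a check-all under Let's Encrypt orders a certificate for every account at once. The script below is an added example, not cPanel's or Let's Encrypt's code, that counts what a provider switch would order and flags registered domains that would exceed the limit. The numbers are the ones published at https://letsencrypt.org/docs/rate-limits/ around the time of this thread (50 certificates per registered domain per week, 300 new orders per account per 3 hours) and should be re-checked against the current page; the account data, the 29-day renewal window and the two-label approximation of "registered domain" are assumptions made for the example.

```python
"""Plan a switch of AutoSSL provider to Let's Encrypt under its rate limits.

Added example, not cPanel's or Let's Encrypt's code. Limits are those
published at https://letsencrypt.org/docs/rate-limits/ around the time of
this thread; check the current page before relying on them. Account data is
constructed. registered_domain() is a two-label approximation; real code
needs the Public Suffix List (co.uk and similar are multi-label suffixes).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50   # assumption: 2022 published value
NEW_ORDERS_PER_3H = 300                     # assumption: 2022 published value
RENEW_WINDOW = timedelta(days=29)           # assumption: due if expiring within 29 days


def registered_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (see module docstring)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def is_due(not_after: Optional[datetime], now: datetime, replace_valid: bool) -> bool:
    """No cert, an expired cert, or one inside the renew window is due.
    With replace_valid=True (the WHM option the tip warns about) everything is."""
    return replace_valid or not_after is None or not_after - now <= RENEW_WINDOW


def plan(accounts: List[Dict], now: datetime, replace_valid: bool = False) -> Dict:
    due = [a for a in accounts if is_due(a["not_after"], now, replace_valid)]
    per_reg: Dict[str, int] = {}
    for a in due:  # one certificate per account; count it once per registered domain it covers
        for reg in {registered_domain(h) for h in a["hosts"]}:
            per_reg[reg] = per_reg.get(reg, 0) + 1
    over = {r: n for r, n in per_reg.items() if n > CERTS_PER_REGISTERED_DOMAIN_PER_WEEK}
    windows = -(-len(due) // NEW_ORDERS_PER_3H)  # ceil: 3-hour windows needed for the orders
    return {"due": [a["user"] for a in due], "per_registered_domain": per_reg,
            "over_limit": over, "windows_3h": windows}


def sample_accounts(now: datetime) -> List[Dict]:
    """Constructed accounts: one valid Sectigo cert, one expired, one never issued,
    plus 55 tenants under a single registered domain."""
    day = timedelta(days=1)
    accts = [
        {"user": "alice", "hosts": ["example.com", "www.example.com"], "not_after": now + 60 * day},
        {"user": "bob",   "hosts": ["shop.example.com"],               "not_after": now - day},
        {"user": "carol", "hosts": ["example.org"],                    "not_after": None},
    ]
    accts += [{"user": f"tenant{i:02d}", "hosts": [f"t{i:02d}.bulk.example"], "not_after": now - day}
              for i in range(55)]
    return accts


if __name__ == "__main__":
    now = datetime(2022, 6, 23, tzinfo=timezone.utc)
    for replace_valid in (False, True):
        p = plan(sample_accounts(now), now, replace_valid)
        print(f"replace_valid={replace_valid}: {len(p['due'])} orders, "
              f"{p['windows_3h']} window(s), over limit: {p['over_limit']}")
```

With the replacement option off, the valid certificate is left alone and only the accounts that actually need a certificate are ordered; the 55 tenants under one registered domain still exceed the weekly limit and need to be spread over more than one week or have their limit raised via the form swbrains mentions.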
  • cPRex Jurassic Moderator
    That's a good tip, @swbrains, as the Let's Encrypt limits are much lower than Sectigo and can cause issues for some users.
    0
  • celiac101
I was able to resolve the problem for now by moving to Let's Encrypt as our AutoSSL provider. Instructions:

    Step 1: Install the Let's Encrypt cPanel plugin. Run the following command over SSH:

    /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

    Step 2: In WHM -> Manage AutoSSL -> Providers tab, select Let's Encrypt and click Save.

    Step 3: Run AutoSSL for all users (alternatively you may just do it for the domain where SSL did not renew).

    Thank you for this! I have no idea why suddenly my AutoSSL stopped working, but this fix worked. I have only one question related to the authority of LetsEncrypt vs cPanel. Do you think that using a LetsEncrypt certificate for my subdomains vs. a cPanel certificate would impart anything negative to google or other search engines? I know this may seem like a silly question, but I've heard that the quality of your SSL certificate issuer is important, but then again, this could all be just marketing BS.
    0
  • cPRex Jurassic Moderator
    The SSLs issued by both providers are the same type of domain-validated certificate, so I don't see why there would be a difference. cPanel certificates are provided by Sectigo.
    0
  • Mise
Have the same problem here. I received a complaint and it forces me to go into WHM to renew it manually and restart Apache & PHP-FPM. Yesterday, the 22nd, the certificate of the domain (here domain1.com) expired. This is the log from today, the 23rd, before my manual renewal:

    02:08:03 Analyzing "domain1"'s domains …
    02:08:03 Analyzing "domain1.com" (website) …
    02:08:03 ERROR TLS Status: Defective
             ERROR Certificate expiry: 22/6/22 0:00 UTC (1,01 days ago)
             ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
    02:08:03 Attempting to ensure the existence of necessary CAA records …
    02:08:03 No CAA records were created.
    02:08:03 Verifying 8 domains' management status …
             Verifying "cPanel (powered by Sectigo)"'s authorization on 8 domains via DNS CAA records …
    02:08:03 "cpanel.domain1.com" is managed.
             "mail.domain1.com" is managed.
             "cpcontacts.domain1.com" is managed.
             "webmail.domain1.com" is managed.
             "cpcalendars.domain1.com" is managed.
             CA authorized: "domain1.com"
             CA authorized: "www.domain1.com"
             CA authorized: "mail.domain1.com"
             CA authorized: "cpanel.domain1.com"
             CA authorized: "webdisk.domain1.com"
             CA authorized: "webmail.domain1.com"
             CA authorized: "cpcontacts.domain1.com"
             CA authorized: "cpcalendars.domain1.com"
             "cPanel (powered by Sectigo)" is authorized to issue certificates for 8 of this user's 8 domains.
             "www.domain1.com" is managed.
             "webdisk.domain1.com" is managed.
             "domain1.com" is managed.
             All of this user's 8 domains are managed.
    02:08:03 Performing HTTP DCV (Domain Control Validation) on 8 domains …
    02:08:03 Local HTTP DCV OK: domain1.com
             Local HTTP DCV OK: www.domain1.com
             Local HTTP DCV OK: mail.domain1.com
             Local HTTP DCV OK: cpanel.domain1.com
             Local HTTP DCV OK: webdisk.domain1.com
             Local HTTP DCV OK: webmail.domain1.com
             Local HTTP DCV OK: cpcontacts.domain1.com
             Local HTTP DCV OK: cpcalendars.domain1.com
    02:08:03 No local DNS DCV is necessary.

    The tabs config:
    Providers: AutoSSL providers: (x) cPanel (powered by Sectigo)
    Options: (x) Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.
    Manage users: (x) Reset function list configuration

    It seems the certificates are not renewed on the scheduled day of expiration.
    0
  • cPRex Jurassic Moderator
    The original COBRA-13435 case was resolved in all versions of 102, so I wouldn't expect this to be happening on any supported version of cPanel at this point. I also wouldn't expect PHP-FPM to be involved at all in the AutoSSL process. The only error I'm seeing from your log is that the SSL has expired, but I don't see anywhere showing the actual problem with the renewal not working. Are there any additional logs that show why AutoSSL failed?
    0
  • celiac101
    The solution is that you need to add a CAA text record to your DNS zone for that domain. The record should look like this, and it allows the SSL issuer to modify your DNS zone:
    domain1.com. 14400 CAA Flags: 0 Tag: issue Value: sectigo.com
    0
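The record in the post above is a CAA record (RFC 8659). What a CA actually does with it is the check that AutoSSL's log shows as "Verifying ... authorization ... via DNS CAA records": climb from the hostname to its parents until a CAA RRset is found, then allow issuance only if an `issue` value names the CA's issuer domain. The script below is an added example of that evaluation, not cPanel's or Sectigo's code; the zone is a constructed in-memory dict, and the wildcard handling (evaluating `*.name` against `name`) is an assumption. It also shows the caveat anyone combining the two fixes in this thread needs: a CAA record that names only `sectigo.com` blocks Let's Encrypt, so a provider switch needs a second `issue` record for `letsencrypt.org`.

```python
"""Evaluate CAA authorization the way a CA does (RFC 8659).

Added example, not cPanel's or Sectigo's code. A CAA record restricts which
issuer domains may issue for a name; the check climbs from the name to its
parents until it finds a CAA RRset, then applies the issue / issuewild /
critical-flag rules. The zone is a constructed dict so the code runs offline;
in practice replace lookups with real DNS queries (e.g. dnspython).
"""
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 0x80 = "issuer critical"
    tag: str     # issue / issuewild / iodef / ...
    value: str   # e.g. 'sectigo.com' or 'letsencrypt.org; validationmethods=dns-01'


KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80

Zone = Dict[str, List[CAA]]  # owner name -> CAA RRset (constructed)


def relevant_rrset(name: str, zone: Zone) -> List[CAA]:
    """RFC 8659 section 3: first non-empty CAA RRset at name or an ancestor."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []  # nothing up to the TLD: any CA may issue


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone: Zone) -> bool:
    """True if CA `ca` (an issuer domain) is permitted to issue for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name  # assumption: wildcard evaluated at its base name
    rrset = relevant_rrset(base, zone)
    if not rrset:
        return True
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset present (e.g. only iodef) but no issue restriction
    # 'issue ";"' (empty issuer) matches no CA and therefore blocks everyone.
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


# Constructed sample zone.
SAMPLE_ZONE: Zone = {
    # The record from the post above: only Sectigo may issue.
    "domain1.com": [CAA(0, "issue", "sectigo.com"),
                    CAA(0, "iodef", "mailto:hostmaster@domain1.com")],
    # Same idea after also authorizing Let's Encrypt, which a provider switch needs.
    "domain2.com": [CAA(0, "issue", "sectigo.com"),
                    CAA(0, "issue", "letsencrypt.org")],
    # An unknown critical tag: every CA must refuse.
    "locked.domain1.com": [CAA(CRITICAL, "futureproperty", "x")],
    # A domain that blocks all issuance.
    "nocert.example": [CAA(0, "issue", ";")],
}


if __name__ == "__main__":
    for host, ca in [("webmail.domain1.com", "sectigo.com"),
                     ("webmail.domain1.com", "letsencrypt.org"),
                     ("www.domain2.com", "letsencrypt.org"),
                     ("locked.domain1.com", "sectigo.com")]:
        print(f"{ca:16s} -> {host:22s} {'permitted' if may_issue(host, ca, SAMPLE_ZONE) else 'REFUSED'}")
```

Subdomains such as webmail.domain1.com inherit the record at domain1.com, so one record at the apex covers every name on the cPanel certificate; the same inheritance is why an apex record naming only Sectigo refuses Let's Encrypt for the whole account until a second `issue` record is added.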
  • Mise
    The only error I'm seeing from your log is that the SSL has expired, but I don't see anywhere showing the actual problem with the renewal not working. Are there any additional logs that show why AutoSSL failed?

No errors inside /usr/local/cpanel/logs. It just seems day 22 finished and the certificate was not renewed. Are there more logs to look at? I will wait for the next domain to be renewed to see what happens.
    The solution is that you need to add a CAA text record to your DNS zone for that domain. The record should look like this, and it allows the SSL issuer to modify your DNS zone:

Thank you. I'll save your message in case this is repeated in the future.
    0
