autossl - The cPanel Store returned an error (X::TemporarilyUnavailable)
Started receiving these notification emails yesterday and would like to figure out what the issue is and take care of it. If I look at 'Manage AutoSSL' in WHM the logs look fine so I am guessing this message is related to hostname services cert? There isn't a whole lot of information being given here other than 'cpanel' so I have to assume it is related to the hostname since things appear fine for the domains according to the 'Manage AutoSSL' logs. I am NOT using the cloud service.
Ideas, things to check, etc? Being SSL related I'd like to take care of this as soon as possible as it will likely affect services on the server if a cert expires.
---------
Subject: [hostname.example.com] 1 service generated warnings while checking SSL certificates.
The following cPanel service generated warnings from the checkallsslcerts script.
cpanel
The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID d92cxd) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
This notice is the result of a request from "/usr/local/cpanel/bin/checkallsslcerts".
The system generated this notice on Tuesday, April 12, 2022 at 9:02:08 AM UTC.
"cPanel service SSL certificate warnings" notifications are currently configured to have an importance of "Medium". You can change the importance or disable this type of notification in WHM's Contact Manager at:
Hey there! There's a few threads about this already, but the short story is there are rate limits from our SSL provider causing this. There's nothing wrong with the server that you need to fix, and it will check for the SSL again and get it installed. Similar issue here, although I don't think this user's was with the hostname:
If it gets too close for comfort, feel free to submit a ticket to our team and we can take a look!
Four days in a row now with the same error. How long does it usually take to correct itself due to the rate limiting with the provider?
I'm not sure it will - the issues with Sectigo have been happening off and on since January. If it gets too close to the renewal date, submit a ticket so our team can check it out directly.
Trust me, this is just going to be forever with Sectigo. I had this in January, and just go with Let's Encrypt. Here I just ran into another issue with Sectigo
Here I responded to one other. This is just annoying to deal with on a regular basis with your clients.
Just to add to the conversation - we're being impacted as well. Would love to see vendor options extended for obtaining hostname certificates.
Would love to see vendor options extended for obtaining hostname certificates.
Me too! It's definitely something that's on the table.
You need to add these IPs to your firewall.
Question: What IP addresses do Sectigo DCV requests originate from?
Answer: Sectigo's DCV request origin IPs are these: 178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132
To ensure that Sectigo DCV requests for AutoSSL reach your server, you must whitelist these IP addresses for port 53 (TCP & UDP) and port 80 (TCP).
Can't get new SSL cert for two new accounts tonight. First I simply got the "Sectigo can't accept requests..." message. Now I'm getting this message indicating the same but with an error 500 code and some HTML tags associated with it:
12:39:12 AM ERROR AutoSSL failed to request an SSL certificate for "[xxxxxxxx]" because of an error: (XID up4tzv) The response to the HTTP (Hypertext Transfer Protocol) "POST" request from "https://store.cpanel.net/json-api/ssl/certificate/free" indicated an error (500, Internal Server Error):
Let's Encrypt is much more reliable when issuing/renewing certs, but even with an increase from them, I still hit the limits so they're not really a viable alternative for me.
Have you tried to whitelist these IP's in your firewall and also Cphulk if you have it on?
Sectigo's DCV request origin IPs are these: 178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132
To ensure that Sectigo DCV requests for AutoSSL reach your server, you must whitelist these IP addresses for port 53 (TCP & UDP) and port 80 (TCP).
Then try this: /usr/local/cpanel/bin/checkallsslcerts
Or try running AutoSSL for the 2 new accounts.
Have you tried to whitelist these IP's in your firewall and also Cphulk if you have it on....
Yes, thanks, I did whitelist them (cpHulk is currently off) but the firewall/lfd is active and I added those IPs to the firewall allow lists.
Oddly, in my case, the AutoSSL log shows that the cert was requested for several subdomains (myaccount.example.com, mail.myaccount.example.com, m.myaccount.example.com, etc...). The log indicates:
ERROR AutoSSL failed to request an SSL certificate for "myaccount.example.com" because of an error: (XID knbh2x) The response to the HTTP (Hypertext Transfer Protocol) "POST" request from "https://store.cpanel.net/json-api/ssl/certificate/free" indicated an error (500, Internal Server Error):
But then two minutes later, the log shows:
Polling for "sectigo"'s new certificate for "m.myaccount.example.com" (order item ID "1617251703") … The certificate is available. Installing "m.myaccount.example.com"'s new certificate … 8:43:17 AM SUCCESS Success!
And nothing is in the pending queue. But when I try to access the site, I get the following message from my browser:
NET::ERR_CERT_COMMON_NAME_INVALID Subject: *.default.example.com Issuer: R3 Expires on: Jul 20, 2022 Current date: Apr 21, 2022
Which is the certificate installed on "default.example.com" which is the account listed as the "primary" account in Manage SSL Hosts in WHM. So Sectigo somehow either generates a bogus certificate, or the server is installing the wrong certificate on the site. Since the AutoSSL log doesn't show that Sectigo issued a cert containing the base subdomain "myaccount.example.com" that was requested and only produced one for "m.myaccount.example.com", it seems the cert that got installed was not including all the requested subject names, and perhaps the server sees that and tries to use the one from the "primary" account? When I go to Manage SSL Hosts and find this account in the list, it shows that the cert is only issued for "m.myaccount.example.com" and "
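The name mismatch reported in the post above can be checked mechanically by comparing the names AutoSSL requested against the subject alternative names (SANs) on a certificate. The Python below is an added example, not part of the thread and not cPanel's code; the name lists are constructed from the names quoted in the post, and treating `*.default.example.com` as the fallback certificate's only SAN is an assumption.

```python
"""Report which requested hostnames a certificate's SAN list does not cover."""

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """RFC 6125-style match: a wildcard is honoured only as the entire
    left-most label, and it stands for exactly one label."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        return False          # "*.a.com" never covers "a.com" or "x.y.a.com"
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def coverage(requested, cert_sans):
    """Map each requested name to the SAN that covers it, or None."""
    return {
        name: next((s for s in cert_sans if san_matches(name, s)), None)
        for name in requested
    }

def uncovered(requested, cert_sans):
    """Names a browser would reject with a common-name/SAN error."""
    return [n for n, s in coverage(requested, cert_sans).items() if s is None]

# Constructed sample data, taken from the names quoted in the post.
REQUESTED = [
    "myaccount.example.com",
    "mail.myaccount.example.com",
    "m.myaccount.example.com",
]
ISSUED_SANS = ["m.myaccount.example.com"]    # what Manage SSL Hosts showed
FALLBACK_SANS = ["*.default.example.com"]    # assumed SAN of the primary cert

if __name__ == "__main__":
    for label, sans in (("issued", ISSUED_SANS), ("fallback", FALLBACK_SANS)):
        print(label, "cert leaves uncovered:", uncovered(REQUESTED, sans))
```

Neither certificate covers the base name, which is consistent with the browser error in the post whichever of the two the server presents for that site.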
@swbrains - if that behavior is consistent, I think we'd like to see that directly if you could make a ticket.