Skip to main content

Browser certificate error during initial installation (first WHM login)

Comments

12 comments

  • cPRex Jurassic Moderator
    Hey there! I don't think there's a way to overcome this - we can only issue the certificates so quickly. And yes, you would have to get a license, but were you not automatically issued a trial license? If that doesn't happen, you can always contact our Customer Service team at cs@cpanel.net to get one issued if you weren't ready to purchase, but normally those happen automatically if the IP hasn't been previously licensed.
    0
  • wildman
    Hey there! I don't think there's a way to overcome this - we can only issue the certificates so quickly. And yes, you would have to get a license, but were you not automatically issued a trial license? If that doesn't happen, you can always contact our Customer Service team at cs@cpanel.net to get one issued if you weren't ready to purchase, but normally those happen automatically if the IP hasn't been previously licensed.

    Thanks for the reply! In my experience, a trial license is typically generated after logging into WHM for the first time and running through the initial setup. A user won't be able to run through that process since they can't log in to WHM with the certificate issue and since a valid certificate can't be generated without a license, we're stuck in a loop.
    0
  • wildman
    Is there a way to generate a trial license without logging in to WHM? When I log in to the cPanel store, I don't see an option to create a trial license (only purchase a license). Since I'm just running through tests at the moment for documentation purposes, I shouldn't need to purchase a license.
    0
  • cPRex Jurassic Moderator
    The trial is unrelated to the WHM setup. The only way to get one is to contact our Customer Service team directly so they can set that up for you. Those licenses are good for 15 days.
    0
  • wildman
    The trial is unrelated to the WHM setup. The only way to get one is to contact our Customer Service team directly so they can set that up for you. Those licenses are good for 15 days.

    When I have previously tested WHM/cPanel, a trial license can be obtained when logging into WHM for the first time. Is this only possible if someone previously has contacted customer service directly to set up the ability to obtain trial licenses? Regardless, trial license or not, there should be a way to generate a valid certificate for the system's FQDN hostname so that a user can log into WHM for the initial set up (and beyond). As of right now, when configuring a system with an FQDN (as recommended in the instructions to bypass the need for a temporary cprapid domain), the only way to sort out this certificate issue is to perform the following steps. If you have any insight into shortening or automating this process, I'm all ears! 1. Log into the cPanel store and obtain a license (or transfer an existing license) for the new system's IP addresss 2. Log into the new system's shell and run `/usr/local/cpanel/cpkeyclt` to install the license 3. Run `/usr/local/cpanel/bin/checkallsslcerts` to obtain the IP addresses. This may take some time after obtaining the license to work correctly (or is just unreliable) as it failed multiple times with the error `(X::TemporarilyUnavailable)`. The third time running the command after successfully validating the license worked. After running through that process, I'm not able to log in to WHM without issue.
    0
  • wildman
    I guess one way to sort this is to set up the license or trial and assign it to the system's IP address prior to running the installation script. Not ideal, especially since obtaining a license is a feature of the WHM initial set up (which can't be accessed until you obtain a license). I believe this should be filed as a bug report (either documentation-wise or product-wise).
    0
  • cPRex Jurassic Moderator
    I think there is some misunderstanding about the process. The cprapid domain is specifically designed to ensure that users don't need to have their hostname preconfigured in order to access the server securely, to work around the new browser requirements that you've run into. The trial license doesn't have anything to do with the initial setup process - it happens during the installation. If it didn't, you wouldn't be able to login to WHM at all as the license is required to get to those pages. We also require a license, trial or not, in order to issue the hostname certificate. If we didn't, we'd just be giving out free SSLs to servers that weren't connected to the cPanel network, which would tarnish our SSL reputation. Your plan of changing the hostname to your custom solution will only work if you can also preconfigure the DNS for the hostname to resolve to your server. If not, it's best to let the cprapid hostname stay in place until you get the server configured.
    0
  • wildman
    Appreciate your time and responses here!
    The trial license doesn't have anything to do with the initial setup process - it happens during the installation. If it didn't, you wouldn't be able to login to WHM at all as the license is required to get to those pages.

    Here's the process that currently works for me. The dozen or so times that I've installed cPanel without first purchasing a license on the cPanel store and without specifying an FQDN as the hostname, here's been the behavior: 1. I spin up a new instance on Ubuntu 20.04 2. I run the installation script. This outputs the URLs I can use to access the WHM panel. This is the "installation". 3. I navigate to one of those URLs. The initial WHM setup appears. This is the start of the "initial setup process". 4. I accept the legal agreements 5. The license screen appears with a message similar to "Get Started with a Free cPanel Trial!". 6. Using the on-screen prompts, I log in to the cPanel store to activate my free trial license. This is outlined here: How to Sign Up for a Trial License | cPanel & WHM Documentation 7. I can continue with initial name server set up and proceed to the main WHM interface. Now I'm trying to set the hostname in advance as per the system requirements (under Networking requirements > Hostname section to warn folks that to do what is recommended (setting the hostname to an FQDN), users need to log in to the cPanel store and purchase a license (or contact cPanel for a trial license), assign the license to their server IP, all before running the installation script. If they don't do this, they'll need to obtain a license and run the previously mentioned commands (outlined above in a prior post) to activate the license and generate a certificate before they can log in to WHM.
    0
  • cPRex Jurassic Moderator
    Let me do some testing with this and I'll get back to you in a bit!
    0
  • cPRex Jurassic Moderator
    Okay, I have some answers, but I'm not entirely happy with them. I'm going to see if I can speak with some of the AutoSSL team tomorrow to see if we have a better plan moving forward. Once I do that, I'll post some official details.
    0
  • cPRex Jurassic Moderator
    Alright, I have some actual thoughts about this now. I did some testing on my end and confirmed that your initial findings are correct. The problem is that we can't run AutoSSL until the license is in place, but that happens too late in the installation process, leading to the catch-22 situation you've described. What needs to happen NOW - in order for the SSL to get created as part of the installation process, you'd need to pre-configure the hostname and the supporting DNS for it, AND also have a license, either purchased or trial, in place before the installation starts. If those things happen, the URL will work and the SSL will be in place by the time the installation completes. What's going to happen in the FUTURE - the short version is we're going to fix this, because this just isn't a good user experience. We plan to make some changes to the AutoSSL system that will get the certificate for the hostname installed earlier in the installation process. I'm not certain when these changes will be implemented, but it's part of some larger work that will likely see an announcement of some sort. I hope that's helpful, even though the current answer is "it's not ideal"
    0
  • wildman
    This is helpful. Thanks for verifying the behavior and confirming the workaround. Also appreciate you working with your team on fixing this. For now, setting the hostname before-hand won't work for us with the current behavior, so we'll not follow the instructions in
    0

Please sign in to leave a comment.