Services certificate cannot be fetched due to wrong public IP
Hello,
Recently I moved from a cPanel installation that was on a server directly connected to the Internet to a new server that has only one IP, which is a private IP, and is connected to a firewall that holds the public IP and links the two using 1:1 NAT.
The new server started with a temporary public IP; after the transfer I swapped the IPs and the new server received the former, publicly known IP.
Then I tried, on the new server, to fetch a valid public CA based digital certificate for the cPanel services using the cPanel script /usr/local/cpanel/bin/checkallsslcerts, but it gave me an error like:
"new-server-fqdn: Attempting HTTP DCV preflight check
The system failed to fetch the DCV (Domain Control Validation) file at"
What eventually solved my issue was going, in the WHM UI, to IP Functions > Show or Delete Current IP Addresses, which showed that the private IP had a matching public IP of the old, temporary public IP... so I clicked "Validate" and cPanel checked the current, correct public IP and updated it on that page.
Now running the SSL script was OK, which also removed many errors about the script trying to get certs for the old IP.
I ask of cPanel:
1. Please add a support article about this scenario; it will help folks with the same issue.
2. Consider adding a script that runs on a recurring schedule to check whether the actual public IP is the same as the one noted on the "Show or Delete Current IP Addresses" page, and warns the admin, ideally also by email and/or push notification, that there is a mismatch here that causes trouble and how to solve it.
Thank you!
-
Also, I tried to add to this post tags of either certificate or digital certificate, but the system wouldn't let me add new tags. These are basic definitions, please add them to the list of tags.
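A script of the kind the second request describes, added here as an example (it is not cPanel's code). It reads the NAT mapping cPanel keeps for the host, assumed here to be /var/cpanel/cpnat with one "private_ip public_ip" line per address (the file /scripts/build_cpnat maintains), and compares the recorded public IP with what an external echo-my-IP endpoint reports. The file path and the endpoint URL are assumptions and can be overridden through the CPNAT_FILE and ECHO_IP_URL environment variables.

```shell
#!/bin/sh
# Added example (not cPanel's code): compare the public IP that cPanel has
# recorded for this host's 1:1 NAT mapping with the public IP the host is
# actually seen as from the Internet, and complain when they differ.
#
# Assumptions: the NAT mapping lives in /var/cpanel/cpnat as lines of
# "private_ip public_ip" (the file /scripts/build_cpnat maintains), and curl
# plus a trusted echo-my-IP endpoint are available.

CPNAT_FILE="${CPNAT_FILE:-/var/cpanel/cpnat}"
ECHO_IP_URL="${ECHO_IP_URL:-https://api.ipify.org}"   # replace with an endpoint you trust

# Print the IPv4 address this host is seen as from outside; fail if unreachable.
observed_public_ip() {
    curl -4 -fsS --max-time 10 "$ECHO_IP_URL"
}

# check_cpnat FILE OBSERVED_IP
# Prints one MISMATCH line per mapping whose recorded public IP is not OBSERVED_IP.
# Returns 0 when every mapping matches, 1 on any mismatch, 2 if FILE is unreadable.
check_cpnat() {
    file="$1"
    observed="$2"
    [ -r "$file" ] || { echo "cannot read NAT mapping file: $file" >&2; return 2; }
    rc=0
    while read -r private public rest; do
        case "$private" in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ "$public" != "$observed" ]; then
            echo "MISMATCH: $private is recorded as public $public but the host is seen as $observed"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Entry point for a cron job: a non-zero exit makes the report land in cron mail.
main() {
    ip=$(observed_public_ip) || { echo "could not determine the public IP" >&2; exit 2; }
    if report=$(check_cpnat "$CPNAT_FILE" "$ip"); then
        echo "OK: cpnat mapping agrees with observed public IP $ip"
    else
        echo "$report"
        echo "Refresh the mapping with /scripts/build_cpnat, or use WHM > IP Functions > Show or Delete Current IP Addresses > Validate."
        exit 1
    fi
}

# Run the check only when invoked as "sh check_cpnat.sh run", so the functions
# can also be sourced and exercised without touching the network.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Scheduled from cron as `sh check_cpnat.sh run`, the script is silent on success and exits 1 with the MISMATCH lines and the remediation hint when the recorded and observed public IPs differ, which is exactly the state the thread describes after the IP swap.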
Hey hey! Can you let me know how you performed the IP switch? It would have been necessary to run the /scripts/build_cpnat command after changing the IP address to ensure the NAT configuration was configured properly, which is essentially what happened when you ran the "Validate" tool. I'm not sure what you mean in regards to the tags. If you mean tags when you create the forum post, they never get used for anything and will be removed when we migrate to the new system later this month.
Can you post the ticket number here so I can follow along? It seems there is more happening on the ticket side that I'd like to see.
95149446 Thanks.
Thanks for the additional details. Here are my thoughts on those:
1 - That shouldn't be happening. I see we didn't have access to the server in the ticket, but I would not expect an old hostname to block a certificate from being issued.
2 - Same answer as 1. If you can reproduce this on your current server, please allow us access to the machine through the ticket so we can do some testing.
3 - According to our documentation at The checkallsslcerts Script | cPanel & WHM Documentation, "If this script detects errors when it runs, it sends an email to the system administrator that contains warnings about those errors." Are you not getting that notification?
4 - I've updated the wording in the article to be this: "The checkallsslcerts script, which orders new hostname certificates used for the cPanel services," so "services" is now present there.
Thanks for looking into it.
1. Well, I just wanted to know why my cert request is not advancing, so I didn't see a need to grant support access to my server. This is a side effect of not telling customers what is happening with the cert request in the SSL script output... Maybe you can look into the logs of the cert requests and processes that came from my server, as a kind of evidence.
2. Next time, which hopefully will not happen, I will grant you access.
3. Before I fixed the server's hostname to be the one of the former, "official", server, I received only emails like: "The system failed to acquire a signed certificate from the cPanel Store because of the following error: "old.server.fqdn.value" failed DCV. Cannot proceed." My issue is what happened once I fixed the hostname and the script only gave me nice output stating it is waiting for the process to complete, but nothing was completed. I quoted it in the support case.
4. Thanks for updating the post, I guess it will help. Consider adding a main post for troubleshooting all that is related to this script, with links to all relevant posts, and put a link to this main post in the script output.
Thanks.
1 - We don't get any such logs on our side.
2 - Thanks!
3 - That's interesting, and I'm sorry you ran into that. I'm actually wondering if the root cause is that the hostname didn't get properly updated everywhere. That could be reset manually with this command: /usr/local/cpanel/bin/set_hostname host.domain.com
and that will ensure that the new hostname is properly set up everywhere on the machine that cPanel thinks it should be.
Thanks.
1. This is a major part of the problem: you have a feature that needs some external CP service provider, but you don't know what happens there, hence you cannot update your customers. It is very noticeable that this feature is problematic.
3. I don't know what to say; a hostname change is a rather meaningful change, hence you need to spot that change and have a central software process to update it ASAP in all relevant local services.
I'm not sure what you mean by #1 at this point. If you think you have an issue with the software, we'd need access to the system to confirm it.
You wrote: "We don't get any such logs on our side". I understand it that you don't have any info about the certificate creation process that is made outside the requesting server, that it is done at another firm, so you don't have access to it, so it looks like a problem to me.