Trouble purchasing new SSL through WHM Wizard, possible nameserver issue
Good morning,
For the past few years we have used the built-in SSL/TLS Wizard to purchase and install our server's OV wildcard SSL certificate. We have used both Comodo and cPanel options and have been happy with the service. This time around we're having issues and now I am under a time crunch, so I'd like to post here for help from the community as I only have until next Wednesday to get this sorted.
October 10: Our current certificate expires next Wednesday, November 8, so about a month prior on October 10 I began the process of renewing it. I encountered some issues with the website wherein we both paid for and received successful order confirmation emails with order # from cPanel's system, yet day-after-day the Wizard never listed pending or anything else. I figured we just need to wait a bit and went about my own business...
...and after waiting a week to see if the cert would process, I reached out to customer support. cPanel employee 'Chris B' identified an issue on their end that was preventing the order from processing, and refunded our credit card and asked that we resubmit the order. His email was informative and I was happy with the service.
October 23: I placed a second order (duplicate of the first, OV with wildcard option), like before we were both charged and a new order confirmation invoice was generated with order #, and we waited. This time there were no site errors and we received the usual "Order received / SSL order Pending" type message. Still having more than half a month until our current cert expires I was feeling good.
October 31: Finally the status changed from "Pending..." to "This order is taking longer than expected. Click here to get help with this order." so I clicked the link, which led to email customer support, and sent a letter. The next day employee 'Mae K' responded, also a very informative and helpful email, but with unfortunate news in that they have to again cancel our SSL request and refund us.
Issue we need to resolve: She pointed out that the SSL provider they use, Sectigo, has increased its SSL requirements to now require that our server control our DNS through custom nameservers (DNS-based DCV validation) as described in another article, which goes over how to configure nameservers on our server. If I'm following properly, Sectigo requires our nameservers to match the IP of our machine before they'll issue a cert for us.
Help: I have followed the directions but need additional help. I have replied to Mae but she has not responded yet, and now with only 5 days remaining I have become extremely nervous that we won't get new certs up in time (we'll have to shut down a large e-commerce store) so I'd like to reach out here for community support.
Our configs:
Service Configuration > Nameserver Selection: PowerDNS
Server Configuration > Basic WebHost Manager Setup:
Nameserver 1: ns1.ourdomainname.com (substituting 'ourdomainname' for our actual domain name)
Nameserver 2: ns2.ourdomainname.com
Nameserver 3: blank
Nameserver 4: blank
When I click Configure Address Records, our ns1. has our machine's main IP for its IPv4 'A' record -- however, our ns2. nameserver is using a different IPv4 'A' record IP. So I tried changing this IP to match the same IP as ns1, clicked the blue 'Configure Address Records' button below to save it, which results with:
Configure Address Records for nameserver "ns2.ourdomainname.com".
Configuring Address Records for nameserver...
...Done
The following IP addresses have been assigned to the ns2.ourdomainname.com nameserver:
ourmain.ip.sameas.ns1
So that looks good with a green checkmark, but when I reload the page and view the record again for ns2., the change did NOT occur: it still lists a different IP.

IP Functions > Show IP Address Usage: This shows the two IPs. The first, which is what ns1. is configured for, lists all our subdomains and a few other domains our server runs. The second IP, which is configured for our ns2. nameserver, lists both '*.ourdomainname.com' and 'ourdomainname.com'. So it seems to make sense that Sectigo rejected us, since this IP that is running the wildcard cert that we are trying to purchase is NOT the same IP as our machine.

IP Functions > Show or Delete Current IP Addresses: This shows similar to the usage, and includes the first/main IP as 'eth0' and the second IP as 'eth0:cp1'.

IP Functions > Show/Edit Reserved IPs: This page is interesting. It only shows the second IP (not our server's IP), dedicated to 'ourdomainname.com', BUT with nameserver 'ns4.ourdomainname.com'. NS4? Where did this 4th nameserver come from??

So I am in a bit of a pickle because obviously I don't know what I'm doing and I need to get this resolved in time to submit a third SSL Wizard OV wildcard cert order, wait the few days for it to process, and get it instated on or I think actually before November 8(!)

Any help would be GREATLY appreciated, thank you so very much!!

Regards,
Huusoku
So it seems to make sense that Sectigo rejected us since this IP that is running the wildcard cert that we are trying to purchase is NOT the same IP as our machine.
when I reload the page and view the record again for ns2., the change did NOT occur: It still lists a different IP.
Still trying to figure this out. What is the process to change a nameserver IP address?

I went to DNS Functions > Nameserver Record Report and see ns2. with the non-server main IP (and also now see ns3. and ns4. entries, all with this alternative IP address), clicked Edit Zones for ns2., which led to the DNS Functions > DNS Zone Manager page, clicked Manage for ns2.ourdomainname.com, saw the alternate IP for the ns2. 'A' record, clicked Edit and entered our machine's main IP address, changed the IP to our main IP, clicked Save Record, and then Restarted DNS Server. Then on every page that shows the IP for ns2. the save did NOT go into effect; it still lists some other IP address. Do we need to restart the server for ns2. address changes to process/become permanent?

Thanks

EDIT: The IP change DID get saved on the DNS Zone Manager page for our ns2. nameserver's 'A' record. Even a fresh F5+Reload of the browser verifies the IP address was successfully changed. But everywhere else, such as IP Functions > Show IP Address Usage, still shows the old IP address that Sectigo doesn't like...
What is the process to change a nameserver IP address?
Ah! I think I figured it out! Lol this was seemingly (so far) so easy. For others, go to Account Functions > Change Site's IP Address, select your domain, click Change, set the new address to your server's main shared IP, then click Change again. You can then verify that the change was done by visiting IP Functions > Show IP Address Usage and the domain name will now fall under your main IP address. I'll keep this updated with the process of the new SSL cert.

Regards,
Huusoku
New (third attempt) certificate has been ordered. Hopefully Sectigo is happy this time.

Our site went offline during this process, with the SORRY! page appearing. Our domain name is through GoDaddy so I updated the IP address for ns2. to our main server IP (and interestingly enough the IP for ns1. was ALSO the alternate IP, not the matching main IP as configured on our server all this time). So now both ns1. and ns2. nameservers at GoDaddy point to our server's main IP, which now matches what's shown all across WHM.

Interestingly, despite flushing DNS cache on machines here at work, some systems (like my laptop) load our site just fine (and not cached copies, I can save edits and make changes, everything functions normally) while other machines still continue to receive only the SORRY! page even despite restarts. Had I known this I would have waited until tonight to make the IP change. I've learned a lot, so hopefully caches will get updated soon this afternoon, the SSL order will go through, and everything will be golden once again.

Have a nice day!
Huusoku
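The check the poster ended up doing by hand across WHM and GoDaddy (every nameserver A record and the domain itself pointing at the server's main IP) can be automated from a client's point of view. This is an added example, not code from the original post or from WHM/cPanel; the hostnames, the IPs (documentation-range placeholders) and the sample zone table are constructed, and the resolver is injectable so the logic can be run offline.

```python
"""Nameserver/IP consistency check for the mismatch described in this thread
(added example, not code from the original post or from WHM/cPanel)."""
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

def system_resolver(hostname: str) -> List[str]:
    """IPv4 A records as seen by the OS resolver (a client's view, not the authoritative zone)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def find_mismatches(main_ip: str, names: Iterable[str],
                    resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return {hostname: resolved IPs} for every name whose A records are not exactly [main_ip].
    An empty list value means the name did not resolve at all (likely a missing glue/A record)."""
    mismatches: Dict[str, List[str]] = {}
    for name in names:
        ips = resolve(name)
        if ips != [main_ip]:
            mismatches[name] = ips
    return mismatches

# Constructed sample mirroring the thread: ns1 already on the main IP; ns2-ns4, the bare
# domain and a host covered by the wildcard still on the alternate (eth0:cp1) address.
# The IPs are documentation-range placeholders, not the poster's real addresses.
MAIN_IP = "192.0.2.10"
ALT_IP = "192.0.2.20"
SAMPLE_ZONE = {
    "ns1.ourdomainname.com": [MAIN_IP],
    "ns2.ourdomainname.com": [ALT_IP],
    "ns3.ourdomainname.com": [ALT_IP],
    "ns4.ourdomainname.com": [ALT_IP],
    "ourdomainname.com": [ALT_IP],
    "www.ourdomainname.com": [ALT_IP],
}

def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by the constructed table."""
    return SAMPLE_ZONE.get(hostname, [])

if __name__ == "__main__":
    # Swap sample_resolver for system_resolver to check a live zone from this machine.
    for name, ips in sorted(find_mismatches(MAIN_IP, SAMPLE_ZONE, sample_resolver).items()):
        print(f"{name} still points at {', '.join(ips) or 'nothing (no A record)'}")
```

Because it uses the OS resolver, the script also shows the stale-cache effect the poster saw: run it from several machines and the ones still returning the alternate IP are the ones still serving the SORRY! page.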
Thanks for posting your experience here, and I'm glad you got things working!
Thanks for the reply cPRex. Got into work and checking my email I see Mae responded saying that our third SSL certificate order attempt (order # 2672385793) is ALSO "stuck in a pending state." So now she is escalating this issue to technical support. Ohh man, we only have 2 days left on our cert that I've been trying to renew for 27 days.

One idea I had over the weekend is that because the OV process is more involved, perhaps we should, for the time being, order a DV cert, assuming it gets approved sooner, and then when we eventually work out the issue and get the preferred OV cert signed, switch over to it. Thoughts?

Thanks
Huusoku
You could, or you could always use AutoSSL if that's an option. The OV certificates do take a while to complete all the validation they do.
You could, or you could always use AutoSSL if that's an option. The OV certificates do take a while to complete all the validation they do.
Thank you again for the reply. Yes, we have AutoSSL and I've clicked the button from time to time over the years, but after your reply I looked into this further and found the options to enable AutoSSL on our domains and to have it take over if our current cert expires in 3 days or less, and now the system is auto generating Let's Encrypt DV certs across our domains! WHEW. This is SUCH a relief, thank you so much!! Now no more extreme pressure to get the OV within 48 hrs. Will update the thread once we do get the OV cert installed with the reason why tech support is required.

Regards,
Huusoku
You're very welcome!