Update to v60 changed SSL certs to self-signed
We auto-updated to v60.0.3 last night. One of our servers got self-signed certs installed on all services. The real CA certs don't expire until 11/23/16. We re-installed the CA server cert on all services, the cert shows up in 'Manage Service SSL Certificates' and as the Apache cert.
All of the autossl settings were turned off before this happened. The installed certs in /var/cpanel/ssl/system/certs/ are all CA certs, and there aren't any self-signed certs listed.
Where are the self-signed certs located and how do we get rid of them?
Hello @jndawson, Can you confirm that self-signed, and not cPanel-signed certificates were issued?
Yes, as I noted, it is self-signed. It is also one we created in 11/2014 (exp 11/15) while setting up that server, which was replaced by a CA cert (which expires 11/23/16). The cPanel-signed hostname certificate is issued independently of the options you have configured in "WHM >> Manage AutoSSL". Here's the document that explains how this works:
Could you open a support ticket using the link in my signature so we can take a closer look and determine what happened during the update process? You can post the ticket number here and we will update this thread with the outcome. Thank you.
tkt 7779973
Hello, To update, the support ticket is still in-progress, however it looks like this is potentially related to an internal case (CPANEL-9214). This case is open to address an issue where expired SSL certificates are copied over to "/var/cpanel/ssl/domain_tls/" during the update to cPanel 60. The invalid certificates take priority over valid service certificates, resulting in the replacement of the valid certificates. The current workaround is to manually install the valid certificates via "WHM >> Manage Service SSL Certificates" and then remove the expired/invalid certificates from the "/var/cpanel/ssl/domain_tls/" directory. I'll update this thread again once the resolution is published. Thank you.
Followup: It appears the culprit is case CPANEL-9214 as cPanelMichael mentioned. The odd thing is that it didn't happen to any of the other cPanel boxes we have. We're still checking things out, but it looks like that was it.
Followup: It appears the culprit is case CPANEL-9214 as cPanelMichael mentioned. The odd thing is that it didn't happen to any of the other cPanel boxes we have.
The system copied the installed certificates into the Domain TLS storage when the update happened in order to enable SNI on cpsrvd and other services that now use Domain TLS. It is likely you didn't have any expired or self-signed certificates installed on any other machines. Before the changes in CPANEL-9214 the system assumed that if you had installed the certificate it should be used. The changes in CPANEL-9214 will pass each installed certificate through a verification to ensure it's not expired, self-signed, or invalid before copying it over to Domain TLS.
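One way to find the certificates the workaround in this thread says to remove, as an added example that is not part of any post above and is not cPanel's own tooling: it walks a directory, reads the first certificate in each PEM file with `openssl`, and reports those that are expired or whose subject equals their issuer. The function names are hypothetical, and the file layout under `/var/cpanel/ssl/domain_tls/` is not assumed, so every regular file is probed.

```shell
#!/bin/sh
# Added example: flag expired or self-issued certificates under a directory.
# Assumption: files are PEM; the layout below TLS_DIR is not assumed, so every
# regular file is probed and files without a certificate are skipped.
TLS_DIR="${TLS_DIR:-/var/cpanel/ssl/domain_tls}"   # path named in the thread

# Succeeds if the first certificate in $1 has identical subject and issuer.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Succeeds if the certificate in $1 has expired or will within $2 seconds
# (default 0, meaning "already expired").
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Print "flags<TAB>notAfter<TAB>path" for each flagged certificate below $1.
audit_dir() {
    dir="${1:-$TLS_DIR}"
    window="${2:-0}"
    find "$dir" -type f | while IFS= read -r f; do
        # Skip anything openssl cannot parse as a certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        flags=""
        if expires_within "$f" "$window"; then flags="expiry"; fi
        if is_self_issued "$f"; then flags="${flags:+$flags,}self-issued"; fi
        if [ -n "$flags" ]; then
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)
            printf '%s\t%s\t%s\n' "$flags" "$end" "$f"
        fi
    done
}

# Report only; removal is left to the operator after review.
if [ -d "$TLS_DIR" ]; then
    audit_dir "$TLS_DIR" 0
fi
```

The script only reports; compare each flagged path against what is installed in "WHM >> Manage Service SSL Certificates" before removing anything.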