
Errors from cPanel Store API when requesting autossl certs

Comments

29 comments

  • cPanelMichael
    Hello, The AutoSSL feature requires outbound access to the store.cpanel.net server over port 443. Could you verify that no firewall rules are blocking outgoing traffic over port 443 to store.cpanel.net? Thank you.
    0
  • Jcats
    I've got the same problem:
    [root@pim /]# /usr/local/cpanel/bin/checkallsslcerts
    The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 752jpd) The cPanel Store returned an error (X::UnknownError) in response to the request "GET ssl/certificate/whm-license"
    The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID ndwqsk) The cPanel Store returned an error (X::UnknownError) in response to the request "GET ssl/certificate/whm-license"
    ^C
    [root@pim /]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    0
  • Jcats
    I have another server doing the same exact thing, both are fresh installs
    0
  • Tomorrow's Retail LLC
    Same problem here.... I came on to ask about it but looks like I'm not alone. Fresh install from 2 days ago. Just started moving sites over today when I ran into this.
    0
  • thee1xz
    Same problem here, I've already opened a ticket with cPanel relative to this, no certificates are being issued and expired certificates aren't being processed - exact same error as OP.
    0
  • EneTar
    Here is the log for those accounts. This log is from two days ago.
    11:46:38 AM This system has AutoSSL set to use "cPanel (powered by Comodo)".
    11:46:38 AM Checking websites for accountusername …
    11:46:38 AM The website "mydomain.com", owned by accountusername, has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    11:46:39 AM The system will attempt to renew SSL certificates for the following websites:
    11:46:39 AM mydomain.com (mydomain.com www.mydomain.com mail.mydomain.com)
    11:46:39 AM The system has completed the AutoSSL check for accountusername.
    11:46:39 AM The system has finished checking 1 user.
    And here is the log for the second account from yesterday.
    7:57:41 PM This system has AutoSSL set to use "cPanel (powered by Comodo)".
    7:57:41 PM Checking websites for "accountusername2" …
    7:57:42 PM The website "ar.mydomain2.com", owned by "accountusername2", has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:42 PM The website "fa.mydomain2.com", owned by "accountusername2", has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:42 PM The website "mydomain2.com", owned by "accountusername2", has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:42 PM The website "tr.mydomain2.com", owned by "accountusername2", has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:43 PM The system will attempt to renew SSL certificates for the following websites:
    7:57:43 PM ar.mydomain2.com (ar.mydomain2.com www.ar.mydomain2.com)
    7:57:43 PM fa.mydomain2.com (fa.mydomain2.com www.fa.mydomain2.com)
    7:57:43 PM mydomain2.com (mydomain2.com www.mydomain2.com mail.mydomain2.com)
    7:57:43 PM tr.mydomain2.com (tr.mydomain2.com www.tr.mydomain2.com)
    7:57:48 PM The system has completed the AutoSSL check for "accountusername2".
    7:57:48 PM The system has finished checking 1 user.
    I used to have http to https redirects for those accounts a few days ago but the latest autossl logs don't have any errors or warnings. Should I wait? The websites are down now. Is there any way to force the renewal?
    0
  • EneTar
    I tried this for the domains above and I get the output as I should
    curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://YOUR_DOMAIN.TLD/THE_TEXT_FILE.txt
    and the output of /usr/local/cpanel/bin/autossl_check_cpstore_queue is
    Polling for "username1"'s new certificate for "tr.domain1.com" (order item ID "17874741") …
    The certificate is not available. (processing)
    Polling for "username1"'s new certificate for "ar.domain1.com" (order item ID "17874753") …
    The certificate is not available. (processing)
    Polling for "username1"'s new certificate for "fa.domain1.com" (order item ID "17874725") …
    The certificate is not available. (processing)
    Polling for "username1"'s new certificate for "domain1.com" (order item ID "17734253") …
    The certificate is not available. (processing)
    Polling for "username2"'s new certificate for "domain2.com" (order item ID "17874701") …
    The certificate is not available. (processing)
    Polling for "username3"'s new certificate for "domain3.com" (order item ID "22239587") …
    The certificate is not available. (processing)
    Any ideas? Comodo IPs are whitelisted in csf
    tcp|in|d=80|s=178.255.81.12 # Comodo SSL Resolver
    tcp|in|d=443|s=178.255.81.12 # Comodo SSL Resolver
    tcp|in|d=80|s=178.255.81.13 # Comodo SSL Resolver
    tcp|in|d=443|s=178.255.81.13 # Comodo SSL Resolver
    tcp|in|d=80|s=91.199.212.132 # Comodo DCV Server
    tcp|in|d=443|s=91.199.212.132 # Comodo DCV Server
    tcp|in|d=80|s=199.66.201.132 # Comodo DCV Server
    tcp|in|d=443|s=199.66.201.132 # Comodo DCV Server
    0
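One way to confirm that every validation source address has inbound allow rules for both ports, as an added example that is not part of the post above and not csf or cPanel code. The function names and the sample file are assumptions; the addresses are the ones listed in the post and may have changed since it was written.

```shell
#!/bin/sh
# Added example: report which validation source addresses lack an inbound
# allow rule on port 80 or 443 in a csf.allow-style file.
# Handles plain-IP lines and tcp|in|d=PORT|s=IP filters. CIDR blocks, port
# ranges and Include lines are not expanded (assumption: rules are written
# out per address with protocol and direction given, as in the post).

# Addresses copied from the post; confirm the current list with the CA.
DCV_IPS="178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132"

# missing_dcv_rules FILE IP... -> prints "IP:PORT" per uncovered pair; status 1 if any
missing_dcv_rules() {
    md_file="$1"; shift
    awk -v ips="$*" '
        BEGIN { n = split(ips, want, " ") }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }     # strip comments and whitespace
        $0 == "" { next }
        $0 !~ /\|/ { all[$0] = 1; next }            # plain IP: allowed on every port
        {
            k = split($0, f, "|"); tcp = 0; inb = 0; ports = ""; src = ""
            for (i = 1; i <= k; i++) {
                if (f[i] == "tcp") tcp = 1
                else if (f[i] == "in") inb = 1
                else if (f[i] ~ /^d=/) ports = substr(f[i], 3)
                else if (f[i] ~ /^s=/) src = substr(f[i], 3)
            }
            if (!tcp || !inb || src == "") next     # outbound or non-TCP rule
            m = split(ports, p, ",")                # d=80,443 covers both ports
            for (i = 1; i <= m; i++) ok[src ":" p[i]] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                if (want[i] in all) continue
                if (!((want[i] ":80") in ok))  { print want[i] ":80";  bad = 1 }
                if (!((want[i] ":443") in ok)) { print want[i] ":443"; bad = 1 }
            }
            exit bad
        }' "$md_file"
}

# Constructed sample rules: the 443 rule for 178.255.81.13 is inbound-missing.
sample_csf_allow() {
    cat <<'EOF'
# constructed sample, not a real server's rules
tcp|in|d=80|s=178.255.81.12 # Comodo SSL Resolver
tcp|in|d=443|s=178.255.81.12 # Comodo SSL Resolver
tcp|in|d=80|s=178.255.81.13 # Comodo SSL Resolver
tcp|out|d=443|s=178.255.81.13
91.199.212.132 # plain allow
tcp|in|d=80,443|s=199.66.201.132
EOF
}

# On a server: missing_dcv_rules /etc/csf/csf.allow $DCV_IPS
```

An empty result with exit status 0 means every listed address is covered on both ports, which rules the local allow list out before a ticket is opened.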
  • thee1xz
    Hi EneTar, refer to: Errors from Cpanel Store API when requesting autossl certs
    0
  • Benito
    Same error here.
    0
  • cPanelMichael
    Hello, We've received a few reports about systems failing to acquire signed certificates from the cPanel Store. The issue is currently under investigation, and I'll update this thread with more information as it becomes available. Thank you.
    0
  • Jcats
    Seems to be working as of this morning, at least for the 2 servers I was having issues with.
    0
  • thee1xz
    Some of our servers issued the certificates, however there's a lot which are still 'processing' with the same errors.
    0
  • cPanelMichael
    Hello, I don't have an update to report at this time, however I do see reports that certificates have processed. Your server will automatically order the free signed certificate when the server runs the /usr/local/cpanel/bin/checkallsslcerts tool as part of the upcp maintenance script. However, you can run the script manually if you'd like to see if the error messages still appear:
    /usr/local/cpanel/bin/checkallsslcerts
    Keep in mind that certificates are not issued instantly, and processing times can sometimes take up to 24 hours. Thank you.
    0
  • thee1xz
    Correction to Michael's command above, add an 's' to the end. /usr/local/cpanel/bin/checkallsslcerts
    0
  • 4u123
    Did you resolve this, I'm having the same problem...
    2:41:37 PM ERROR AutoSSL failed to request an SSL certificate for "removed.com" because of an error: Cpanel::Exception::cPStoreError/(XID 72y2aw) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request "POST ssl/certificate/free": Generic exception at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77.
    Cpanel::Exception::create("cPStoreError", HASH(0x4d030c0)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231
    Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x4fd61e0)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103
    Try::Tiny::try(CODE(0x4d03588), Try::Tiny::Catch=REF(0x4d0a228)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239
    Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x46ad708), "post", "ssl/certificate/free", "item_params", HASH(0x4d0a420)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178
    Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x46ad708), "ssl/certificate/free", "item_params", HASH(0x4d0a420)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169
    Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
    eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
    Try::Tiny::try(CODE(0x46ad420), Try::Tiny::Catch=REF(0x4d195d0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193
    Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x3b2a298), "removed", "removed.com", ARRAY(0x1926b20)) called at bin/autossl_check.pl line 259
    bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
    eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
    Try::Tiny::try(CODE(0x469f7d8), Try::Tiny::Catch=REF(0x469f208)) called at bin/autossl_check.pl line 266
    bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101
    Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x43c48f0)) called at bin/autossl_check.pl line 287
    bin::autossl_check::_run_maybe_captured("--user", "removed") called at bin/autossl_check.pl line 109
    bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50
    Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x4390f28)) called at bin/autossl_check.pl line 110
    bin::autossl_check::run("--user", "removed") called at bin/autossl_check.pl line 78
    0
  • Nick Bagley
    Still periodically seeing this with certain domains. Still waiting for an actual resolution
    0
  • cPanelMichael
    Hello, This can happen if your server's firewall is blocking access attempts from Comodo to validate the certificate, but validation is also sometimes delayed for a few hours during manual steps sometimes required by Comodo during the validation process. Anyone experiencing an issue with certificate issuance where it's been over 24 hours since the initial request for the certificate was made can open a support ticket using the link in my signature so we can check on the status of the order. Thank you.
    0
  • Nick Bagley
    What should I do to ensure that the firewall is not blocking Comodo?
    0
  • EneTar
    All my certs have been renewed and currently it doesn't seem to be any problem at all.
    0
  • AM2015
    I am seeing this problem on some, but not all, users & domains. The problem has persisted for more than 24 hours. I don't think it could be a firewall issue as some of the domains have been issued the Comodo AutoSSL certificates. I will submit a support request as indicated above.
    0
  • PenguinInternet
    We're seeing this as well across all servers. Definitely not firewall related as some are completing correctly.
    0
  • verdon
    I'm having similar issues mentioned here AutoSSL was successful and now failing. Definitely not firewall, and I can't find it in /usr/local/cpanel/logs/error_log though I could just be looking for the wrong thing.
    0
  • cPanelMichael
    Hello, Here's an update for anyone noticing the following error message when attempting to generate SSL certificates via the AutoSSL feature:
    "ERROR AutoSSL failed to request an SSL certificate for "$example.com" because of an error: Cpanel::Exception::cPStoreError/(XID 2a5jjx) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request "POST ssl/certificate/free": Generic exception"
    This error message occurs when the cPanel Store is unable to make a connection with Comodo. Specifically, this happens when Comodo is congested and unable to accept requests for new certificates. Comodo is currently aware of this problem, and has begun to implement changes to prevent this from happening. There's currently no specific time frame to offer on the completion of these changes, but I'll update this thread with more information as it becomes available. The current resolution is to wait for the next automatic run of the "/usr/local/cpanel/bin/checkallsslcerts" script during the nightly upcp maintenance, or to try manually running the following command for an individual account:
    /usr/local/cpanel/bin/autossl_check --user $username
    The above command can sometimes take two or three attempts to work, depending on the level of congestion Comodo is experiencing. We also have an internal case open (CS-941) that aims to provide a more descriptive error output when this happens. Thank you.
    0
  • linux4me2
    I got the same error on an account last night, and I ran the command:
    /usr/local/cpanel/bin/autossl_check --user $username
    three times (Comodo must love me) but all I got was the following output:
    This system has AutoSSL set to use "cPanel (powered by Comodo)".
    Checking websites for "username" …
    The website "thedomain.com", owned by "username", has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
    The system will attempt to renew SSL certificates for the following websites:
    thedomain.com (thedomain.com www.thedomain.com mail.thedomain.com)
    The system has completed the AutoSSL check for "username".
    The system has finished checking 1 user.
    There was no SSL cert installed. I was about to give up, but I tried the command one more time, and got the following:
    This system has AutoSSL set to use "cPanel (powered by Comodo)".
    Checking websites for "username" …
    All websites owned by "username" have valid SSL certificates.
    The system has completed the AutoSSL check for "username".
    The system has finished checking 1 user.
    I verified that the site does indeed have a valid SSL cert installed now, so it took me four attempts. Although the command appears to do the same thing as WHM -> SSL/TLS -> Manage AutoSSL -> Manage Users -> check $username, it works much better to run it via the command line because it gives you immediate feedback and you don't have to wait for the next upcp to run.
    0
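An added example, not part of any post in this thread and not cPanel's code: a wrapper that runs the per-account check with a bounded number of attempts and a growing delay, and uses the log messages quoted in the thread to decide whether a retry is worthwhile. The function names, the `AUTOSSL_CHECK` override and the stand-in `fake_autossl_check` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: bounded retries for one account's AutoSSL check.
# AUTOSSL_CHECK defaults to the path given in the thread; override it to test.
AUTOSSL_CHECK="${AUTOSSL_CHECK:-/usr/local/cpanel/bin/autossl_check}"

# classify_autossl_output TEXT -> congested | error | valid | pending
# The match strings are the messages quoted in this thread.
classify_autossl_output() {
    case "$1" in
        *"X::Item::ActivationFailure"*|*"cannot currently accept incoming requests"*)
            echo congested ;;   # provider side is busy: worth retrying later
        *ERROR*)
            echo error ;;       # any other logged error: stop and read it
        *"have valid SSL certificates"*)
            echo valid ;;
        *"AutoSSL will attempt to"*)
            echo pending ;;     # request submitted, certificate not installed yet
        *)
            echo error ;;       # unrecognised output is never treated as success
    esac
}

# retry_autossl USER [MAX_ATTEMPTS] [FIRST_DELAY_SECONDS]
# Returns 0 when every site is valid, 1 when attempts run out, 2 on an error
# that a retry will not fix. ATTEMPTS_USED holds the number of runs made.
retry_autossl() {
    ra_user="$1"; ra_max="${2:-5}"; ra_delay="${3:-300}"; ra_n=1
    ATTEMPTS_USED=0
    while [ "$ra_n" -le "$ra_max" ]; do
        ra_out="$("$AUTOSSL_CHECK" --user "$ra_user" 2>&1)" || true
        ATTEMPTS_USED="$ra_n"
        ra_state="$(classify_autossl_output "$ra_out")"
        echo "attempt $ra_n/$ra_max for $ra_user: $ra_state" >&2
        case "$ra_state" in
            valid) return 0 ;;
            error) printf '%s\n' "$ra_out" >&2; return 2 ;;
        esac
        # congested or pending: wait, doubling the delay so a busy CA is not hammered
        if [ "$ra_n" -lt "$ra_max" ]; then sleep "$ra_delay"; fi
        ra_delay=$((ra_delay * 2)); ra_n=$((ra_n + 1))
    done
    return 1
}

# Constructed stand-in for the real tool: reports success on the fourth run,
# like the four attempts described in the thread. Run count lives in $FAKE_STATE.
fake_autossl_check() {
    fa_n="$(cat "$FAKE_STATE" 2>/dev/null || echo 0)"
    fa_n=$(( ${fa_n:-0} + 1 ))
    echo "$fa_n" > "$FAKE_STATE"
    if [ "$fa_n" -lt 4 ]; then
        echo 'The website "thedomain.com", owned by "username", has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.'
    else
        echo 'All websites owned by "username" have valid SSL certificates.'
    fi
}

# On a server:  retry_autossl someuser
# Dry run:      FAKE_STATE=/tmp/fake.count; AUTOSSL_CHECK=fake_autossl_check; retry_autossl username 5 0
```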
  • verdon
    > Although the command appears to do the same thing as WHM -> SSL/TLS -> Manage AutoSSL -> Manage Users -> check $username, it works much better to run it via the command line because it gives you immediate feedback and you don't have to wait for the next upcp to run.

    If you are running it via WHM -> SSL/TLS -> Manage AutoSSL -> Manage Users -> check $username you can get pretty quick feedback in the log tab... click to refresh the log list and you should see your process right away, where you can review it. I think the '+' indicator beside it may mean that it has not completed yet.
    0
  • linux4me2
    > If you are running it via WHM -> SSL/TLS -> Manage AutoSSL -> Manage Users -> check $username you can get pretty quick feedback in the log tab... click to refresh the log list and you should see your process right away, where you can review it. I think the '+' indicator beside it may mean that it has not completed yet.

    Even when run from the command line, entries appear to be added to the logs, which makes sense. Three of the four attempts I made are in the log. Two still have the "+" (processing), and the final one when the certificate was installed does not, so I suspect I could have accomplished the same thing by clicking "Check $username" over and over as you say.
    0
  • kodyxgen
    Hello, some updates please? I have the same problem on my and;
    3:58:16 AM ERROR AutoSSL failed to request an SSL certificate for "mydomain.com" because of an error: Cpanel::Exception::cPStoreError/(XID 53ghs3) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request "POST ssl/certificate/free": Generic exception at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77.
    Cpanel::Exception::create("cPStoreError", HASH(0x4785170)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231
    Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x47857b8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103
    Try::Tiny::try(CODE(0x4005a98), Try::Tiny::Catch=REF(0x4786590)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239
    Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x4005840), "post", "ssl/certificate/free", "item_params", HASH(0x46dae98)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178
    Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x4005840), "ssl/certificate/free", "item_params", HASH(0x46dae98)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169
    Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
    eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
    Try::Tiny::try(CODE(0x4005888), Try::Tiny::Catch=REF(0x46da040)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193
    Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x3c6c228), "camarada", "mydomain.com", ARRAY(0x1926b20)) called at bin/autossl_check.pl line 259
    bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
    eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
    Try::Tiny::try(CODE(0x3f47a00), Try::Tiny::Catch=REF(0x3f47388)) called at bin/autossl_check.pl line 266
    bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101
    Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x3c6c618)) called at bin/autossl_check.pl line 287
    bin::autossl_check::_run_maybe_captured("--user", "camarada") called at bin/autossl_check.pl line 109
    bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50
    Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x3c38ee8)) called at bin/autossl_check.pl line 110
    bin::autossl_check::run("--user", "camarada") called at bin/autossl_check.pl line 78
    0
  • cPanelMichael
    Hello @kodyxgen, There's no new information to report since my last response a few posts earlier: Errors from cPanel Store API when requesting autossl certs Let us know if this helps to clarify the issue. Thanks.
    0
  • cPanelMichael
    Hello, To update, we're seeing few occurrences of this issue in the past couple of weeks now that most systems have updated to cPanel version 60 and the AutoSSL requests have decreased. In cPanel version 60.0.26 or newer, the AutoSSL error log will show the following message when this happens: "The provider "cPanel (powered by Comodo)" cannot currently accept incoming requests. The system will try again later." The change is referenced under case CPANEL-9958 at
    0
