AutoSSL Will Not Replace This Certificate
I'm running WHM 60 build 17, and I have Auto SSL enabled for several accounts, including some that have valid, private CA certs installed. In Manage AutoSSL -> Options, I have "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" checked.
The account without a private CA cert is working fine, and the log shows that "all websites" on that account have valid SSL certificates. The log says nothing about the "mail" subdomain on that account.
The accounts that have valid, private CA certs are all showing messages like this in the logs:
This website"s SSL certificate lacks the following domain: mail.thedomain.com. However, AutoSSL will not replace this certificate, because the certificate does not appear to come from an installed AutoSSL provider.
I'm confused. Does that mean that when the private SSL cert expires, AutoSSL won't replace it even though I have that option enabled, or is AutoSSL just not attempting to replace that certificate because it's valid and the "mail" domain is a red herring?
I'm confused. Does that mean that when the private SSL cert expires, AutoSSL won't replace it even though I have that option enabled, or is AutoSSL just not attempting to replace that certificate because it's valid and the "mail" domain is a red herring?
-
I'm confused. Does that mean that when the private SSL cert expires, AutoSSL won't replace it even though I have that option enabled, or is AutoSSL just not attempting to replace that certificate because it's valid and the "mail" domain is a red herring?
Hello, You shouldn't see that warning message once the private certificate expires and is replaced with a certificate generated by the AutoSSL feature. AutoSSL will automatically generate a certificate for the mail subdomain at that time. Thank you.0 -
Thanks, Michael. I get it. The message would be much more clear if it were to say: However, AutoSSL will not replace this certificate until seven days before it expires, because the certificate does not appear to come from an installed AutoSSL provider. 0 -
Hello, It may actually work better with the current message, because it's an accurate description of why AutoSSL did not replace the certificate during that specific AutoSSL check. If it were to include a statement such as "AutoSSL will not replace this certificate until X days before it expires", then it's potentially incorrect information in the event an administrator disables "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates". Thank you. 0 -
I didn't think of it that way. Either one will work now that I know what's going to happen. :) 0 -
I have the same issue with a certificate that will expire in 6 days, will AutoSSL be happy to generate a replacement certificate so that there is no gap between the previous and new certificates coming into effect? 0 -
I have the same issue with a certificate that will expire in 6 days, will AutoSSL be happy to generate a replacement certificate so that there is no gap between the previous and new certificates coming into effect?
Yes, but if this is a non-AutoSSL certificate, then it's only replaced if you enable "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." under the "Options" tab in "WHM >> Manage AutoSSL". It should actually replace it on the next AutoSSL run after enabling this option because six days is within the window where expiring certificates are replaced: AutoSSL will attempt to renew certificates that cPanel, Inc. provides when they expire within 15 days. AutoSSL will attempt to renew certificates that Let's Encrypt provides when they expire within 29 days. Thank you.0 -
Hi Michael, I should have clarified, that I do have the "Allow Auto-SSL to replace invalid or expiring non-AutoSSL certificates." option checked. I have raised a support ticket as to why this certificate/domain does not seem to be refreshing the AutoSSL ticket. 0 -
Add me to the list of folks confused by this. I have "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." checked. I have a user enabled for AutoSSL. They have an existing SSL certificate from RapidSSL for one of their domains, that expires in a couple weeks. They do NOT have an SSL certificate for another parked domain. It would be nice that both domains have SSL. So... why is cPanel giving my this confusing and conflicting error message: " 11:23:22 PM This website"s SSL certificate lacks the following domains: example.net, www.example.net, mail.example.net, mail.example.org. However, AutoSSL will not replace this certificate, because the certificate does not appear to come from an installed AutoSSL provider." Keep in mind, I have "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." checked. So, who cares if the certificate does not appear to come from an AutoSSL provider? By checking the box, I've given cPanel permission to replace it. Right? - Scott 0 -
Hello @sneader, Currently, the AutoSSL logs will show a message like this, even when the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option is enabled: However, AutoSSL will not replace this certificate, because the certificate does not appear to come from an installed AutoSSL provider."
This is confusing, as AutoSSL will in-fact eventually replace the certificate if "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" is enabled. Internal case CPANEL-10103 will address this by improving the message to note that AutoSSL will replace the certificate once it's in the 3-day expiry window. The case is already included in the cPanel version 62 development branch (Edge build tier), and I'll update this thread again once it's published to a cPanel 60 build. Thank you.0 -
Thanks @cPanelMichael !! - Scott 0 -
Hello, To update, CPANEL-10103 was included with cPanel version 60.0.31: Fixed case CPANEL-10103: Update AutoSSL message when a cert will be replaced in the 3 days window. Thank you. 0
Please sign in to leave a comment.
Comments
11 comments