AutoSSL has stopped working
AutoSSL has been working great. That's really an awesome feature. Thanks for implementing it.
My problem is it has suddenly stopped working. The queue of pending certificate installs is getting longer and longer and not all of them are because of the usual .htaccess issues or domains not resolving to IP addresses. Brand new accounts with nothing on them at all are just pending forever too. The .txt files are getting created, and they are accessible externally so that's not the issue. I have it set to the cPanel provided by Comodo option. Is there some sort of server wide rate limit that we're exceeding, and that's why the pending queue is piling up? I know the documentation says 200 per virtualhost, but that's not the issue here.
Anyways, I'm going to try switching it to the Let's Encrypt provider to see if that gets the pending queue moving again, but I'm fairly certain that they have rate limits though so I'd like to figure out why Comodo certs have stopped being issued.
Here is an example of a log:
I snipped out the 50 pages of log files where cPanel has checked every 5 minutes for the last 4 days to see if that certificate is ready. Any ideas of something to get this working again? (I'm not going to submit a ticket and grant root access to cPanel technicians to look for themselves. Sorry. I am willing to run any commands for you and post the results though.)
4:17:47 PM The system will attempt to renew SSL certificates for the following websites:
4:17:47 PM example.com (sub1.example.com www.sub1.example.com mail.sub1.example.com etc )
4:17:50 PM The system has completed the AutoSSL check for "krydos".
4:22:03 PM The queue contains a request for a certificate for "krydos""s website "sub1.example.com". The system last polled for this certificate at Jul 31, 2017, 9:17:50 PM UTC. The next poll will be no earlier than Jul 31, 2017, 9:22:50 PM UTC.
...
7:12:02 PM The queue contains a request for a certificate for "krydos""s website "sub1.example.com". The system last polled for this certificate at Aug 3, 2017, 9:12:06 PM UTC. The next poll will be no earlier than Aug 4, 2017, 9:12:06 AM UTC.
I snipped out the 50 pages of log files where cPanel has checked every 5 minutes for the last 4 days to see if that certificate is ready. Any ideas of something to get this working again? (I'm not going to submit a ticket and grant root access to cPanel technicians to look for themselves. Sorry. I am willing to run any commands for you and post the results though.)
-
UPDATE: I switched to Let's Encrypt instead of cPanel (powered by Comodo) and everything is working as expected now. It wiped my entire pending queue out, but the certificates are getting installed/renewed now. I suspect the problem with cPanel/Comodo is some unpublished (or at least for me unfindable) rate limit that I exceeded. If a cPanel rep can confirm that would it be possible to get that limit raised on a case by case basis perhaps? AutoSSL is a huge draw that excites a lot of our users, and I'd hate to have to disable it just because it's too popular. 0 -
Hi, I want you to do one thing: 1) Go to AutoSSL (use Comodo). 2) Select the user and check if mange by AutoSSL is enabled. 3) Initiate the SSL check for this user (wait for a minute). 4) Go to the logs section in the AutoSSL page itself. 5) Hit the refresh button and select the most recent poll from it (User you just initiated the SSL check on).. Check what you see in that log for this user only and send it here.. 0 -
Hello, Feel free to open a support ticket using the link in my signature so we can take a closer look to see why the Comodo certificates were still pending on the system. Thank you. 0 -
1) Go to AutoSSL (use Comodo). 2) Select the user and check if mange by AutoSSL is enabled. 3) Initiate the SSL check for this user (wait for a minute). 4) Go to the logs section in the AutoSSL page itself. 5) Hit the refresh button and select the most recent poll from it (User you just initiated the SSL check on)..
1) Changed back to Comodo. 2) "Reset to Feature List Settings" is selected for every account on the server, and after that it says "Use setting established by the feature list 'default' which is currently set to 'enabled'". 3) Clicked "Check rd". 4) Done. 5) Log:Log for the AutoSSL run for "rd": Friday, August 4, 2017 3:23:48 PM GMT-0500 (cPanel (powered by Comodo)) 3:23:48 PM This system has AutoSSL set to use "cPanel (powered by Comodo)". 3:23:48 PM Checking websites for "rd" " 3:23:49 PM The website "domain.example.tk", owned by "rd", has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it. 3:23:52 PM The system will attempt to renew SSL certificates for the following websites: 3:23:52 PM domain.example.tk (domain.tk www.domain.tk mail.domain.tk webmail.domain.tk cpanel.domain.tk webdisk.domain.tk) 3:23:52 PM The system has completed the AutoSSL check for "rd".
It's just been sitting there for like an hour now.0 -
Feel free to open a support ticket using the link in my signature so we can take a closer look to see why the Comodo certificates were still pending on the system.
What is the first thing you would check?0 -
Hi, Refresh the AutoSSL log and see if you see any update on issue of SSL.. 0 -
Log for the AutoSSL run for "rzurita": Sunday, August 6, 2017 8:57:45 PM GMT-0500 (cPanel (powered by Comodo)) 8:57:45 PM This system has AutoSSL set to use "cPanel (powered by Comodo)". 8:57:45 PM Checking websites for "rzurita" " 8:57:46 PM The website "woo.rzurita.example.com", owned by "rzurita", has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT NOT_ALL_DOMAINS). AutoSSL will attempt to replace this certificate. 8:57:46 PM The website "zureshop.rzurita.example.com", owned by "rzurita", has a valid SSL certificate, but additional SSL coverage may be possible for the domains "www.example.tk" and "example.tk". The system will attempt to replace this certificate with one that includes these additional domains. 8:57:47 PM The system will attempt to renew SSL certificates for the following websites: 8:57:47 PM woo.rzurita.example.com (zureshop.gq www.example.gq mail.example.gq woo.rzurita.example.com www.woo.rzurita.example.com webmail.example.gq cpanel.example.gq webdisk.example.gq) 8:57:47 PM zureshop.rzurita.example.com (mail.example.tk webmail.example.tk cpanel.example.tk webdisk.example.tk zureshop.rzurita.example.com www.zureshop.rzurita.example.com example.tk www.example.tk) 8:57:54 PM The system has completed the AutoSSL check for "rzurita". 9:02:06 PM The queue contains a request for a certificate for "rzurita""s website "woo.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 1:57:50 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:02:50 AM UTC. 9:02:06 PM The queue contains a request for a certificate for "rzurita""s website "zureshop.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 1:57:54 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:02:54 AM UTC. 9:07:04 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:07:04 PM The certificate is not available. (processing) 9:07:04 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:07:05 PM The certificate is not available. (processing) 9:13:24 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:13:25 PM The certificate is not available. (processing) 9:13:25 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:13:25 PM The certificate is not available. (processing) 9:17:52 PM The queue contains a request for a certificate for "rzurita""s website "woo.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:13:25 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:18:25 AM UTC. 9:17:52 PM The queue contains a request for a certificate for "rzurita""s website "zureshop.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:13:25 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:18:25 AM UTC. 9:22:02 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:22:04 PM The certificate is not available. (processing) 9:22:04 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:22:04 PM The certificate is not available. (processing) 9:27:03 PM The queue contains a request for a certificate for "rzurita""s website "zureshop.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:22:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:27:04 AM UTC. 9:27:03 PM The queue contains a request for a certificate for "rzurita""s website "woo.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:22:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:27:04 AM UTC. 9:32:02 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:32:04 PM The certificate is not available. (processing) 9:32:04 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:32:04 PM The certificate is not available. (processing) 9:37:03 PM The queue contains a request for a certificate for "rzurita""s website "zureshop.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:32:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:37:04 AM UTC. 9:37:03 PM The queue contains a request for a certificate for "rzurita""s website "woo.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:32:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:37:04 AM UTC. 9:42:02 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:42:03 PM The certificate is not available. (processing) 9:42:03 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:42:04 PM The certificate is not available. (processing) 9:47:18 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:47:18 PM The certificate is not available. (processing) 9:47:18 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:47:18 PM The certificate is not available. (processing) 9:52:03 PM The queue contains a request for a certificate for "rzurita""s website "woo.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:47:18 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:52:18 AM UTC. 9:52:03 PM The queue contains a request for a certificate for "rzurita""s website "zureshop.rzurita.example.com". The system last polled for this certificate at Aug 7, 2017, 2:47:18 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:52:18 AM UTC. 9:57:02 PM Polling for "rzurita""s new certificate for "woo.rzurita.example.com" (order item ID "227127629") " 9:57:03 PM The certificate is not available. (processing) 9:57:03 PM Polling for "rzurita""s new certificate for "zureshop.rzurita.example.com" (order item ID "227127647") " 9:57:04 PM The certificate is not available. (processing)
The certificate is never available even if it polls for days. Any ideas?0 -
I'm going to try contacting Comodo. Maybe they will know what is going on. 0 -
What is the first thing you would check?
Our Technical Support Department has access to some additional internal tools to help determine why a certificate is stuck at the pending status (e.g. possible brand violations). Thank you.0 -
Awesome! What log or file or whatever do you need me to submit to use your additional tools on? 0 -
Awesome! What log or file or whatever do you need me to submit to use your additional tools on?
Hello, You can simply let us know the specific domain name that's stuck as "pending" when opening the support ticket. Let us know if you have any trouble opening the ticket (there's a link in my signature you can use). Thank you.0 -
I'm making some progress with Comodo. They at least see the certificate request from AutoSSL in their system. He wants me to do a manual HTTP DCV by creating the text file with the specific random letters and numbers that he emailed me. I asked him why the text file that AutoSSL created that is accessible from the internet didn't work? I'll keep you all updated. I'll submit a support ticket I guess. As long as it doesn't require giving root access to the server as that would violate our privacy policy. I'll keep you all updated on how that goes too. 0 -
Ticket submitted: 8770923 0 -
Comodo just says they can see the AutoSSL requests in their system, but the automatic DCV failed. His suggestion was to contact cPanel to figure out why the DCV failed, or just do manual DCV on each and every domain. The cPanel technician has replied and had me check a couple access logs. It seems like cPanel is creating public_html/H43J...28V.txt but Comodo is looking for public_html/.well-known/pki-challenge/H43J...28V.txt instead and getting a 404 error. I asked the support technician if there was a way to configure AutoSSL to create the validation file in the place that Comodo is looking for it. Anyone have any suggestions on how to do that? 0 -
Alright, the technician says it's probably because I'm running cpanel/whm version 64.0.19 and AutoSSL has been changed since that version. Upgrading to 64.0.36 now to see if it fixes the issue of the certificates not being installed. 0 -
Alright, the technician says it's probably because I'm running cpanel/whm version 64.0.19 and AutoSSL has been changed since that version. Upgrading to 64.0.36 now to see if it fixes the issue of the certificates not being installed.
Yes, the update is required. Here's the blog post explaining this: Urgent DCV Updates This Week | cPanel Blog Thanks!0 -
Yeah, I'm always really careful with upcp. Since we run a lot of custom code it tends to break things every time. I might have to check out that blog more often. :) 0
Please sign in to leave a comment.
Comments
17 comments