AutoSSL renews the same cert even if still valid
Good day, Running WHM v66.0.23
I have a strange situation with AutoSSL with either the Comodo or the Let's Encrypt provider. Let me describe the scenario:
I have one account with multiple Addon Domains (more than 80 domains), each one with its own SSL cert provided by AutoSSL automatically, and everything is OK with that. A few weeks ago, before the v66 upgrade, I noticed that the SSL certs for just 5 addon domains were being renewed every day.
Here is a portion of the AUTOSSL log
- Removed, Please Don't Post Actual Domain Names or IPs -
As you can read, AutoSSL knows that the cert is still valid, but attempts to add additional domains that were already excluded by internal configuration.
Does anyone have an idea of where I should start looking for the cause?
Thanks in advance.
Adding log, with properly censored sections:
2:55:09 PM WARN The certificate for the website "CENSOREDFQDN.com" will not contain the domains "mail.CENSOREDFQDN.com", "CENSOREDFQDN.com", "cpanel.CENSOREDFQDN.com", "webdisk.giorgiosjoyeria.com", "webmail.CENSOREDFQDN.com", and "www.CENSOREDFQDN.com" because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.
2:55:09 PM The website "CENSOREDFQDN.com", owned by "CENSORED", has a valid SSL certificate, but additional SSL coverage may be possible for the domains "CENSOREDFQDN.com", "mail.CENSOREDFQDN.com", "www.CENSOREDFQDN.com", "webdisk.CENSOREDFQDN.com", "webmail.CENSOREDFQDN.com", "cpanel.CENSOREDFQDN.com", and "autodiscover.CENSOREDFQDN.com". The system will attempt to replace this certificate with one that includes these additional domains.
Hello, The log entries you see are to be expected when you exclude a specific domain name from the AutoSSL feature. The AutoSSL feature automatically checks to see if it should issue new certificates for several conditions (e.g. a certificate is expiring, a new subdomain is added). For instance, if you decided to remove an exclusion in the future, the automatic check would ensure the previously excluded domain name is added to the certificate. You can safely ignore those warning messages. That said, internal case CPANEL-15523 is open to see if there's a better way to handle this condition, or if there's a better way to explain what's happening in the AutoSSL logs. I'll monitor this case and update this thread with the outcome. Thank you.
Hello, it should issue new certificates for several conditions (e.g. a certificate is expiring, a new subdomain is added). Thank you.
Yup, that's the expected behavior. I think my problem is the incredible amount of addon domains in the account; probably it's preventing AutoSSL from keeping tight control over those 5 domains' certs, and it renews them every day over and over. By the way, if I click "Check user" to manually trigger AutoSSL, those domains' SSL certs are renewed again even if they were just installed, so I can repro the same problem either manually or automatically.
Hello, Are you sure those subdomains are not intentionally excluded with the "Excluded" status in "cPanel >> SSL/TLS Status"? This option is documented at: SSL/TLS Status - Version 66 Documentation - cPanel Documentation. Thank you.
Yes, those subdomains were excluded intentionally, by my hand. (This sounds powerful when you read it, lol) Should I include all subdomains (without exceptions) and try again, just to verify if the issue persists?
Hello, You could, but I don't actually see any issues. The messages you see in the AutoSSL logs don't indicate any problems. Is the SSL certificate not working as expected? Thank you.
Is the SSL certificate not working as expected?
It works as expected, but the problem is that every day the same SSL cert is renewed for no reason. So far Let's Encrypt stops working due to the rate limit because of asking for the same domain cert over and over. Comodo SSL doesn't seem to care, but I got a lot of valid and functional SSL certs for the same domains. I know, the whole scenario sounds incredible but it happens... so far this "interesting behavior" is my greatest puzzle at my office.
Hello, Could you open a support ticket using the link in my signature so we can take a closer look? Thank you.
Hello, Could you open a support ticket using the link in my signature so we can take a closer look? Thank you.
Sure, but first let me retry the scenario without excluding subdomains, just in case.
It works as expected, but the problem is that every day the same SSL cert is renewed for no reason. So far Let's Encrypt stops working due to the rate limit because of asking for the same domain cert over and over. Comodo SSL doesn't seem to care, but I got a lot of valid and functional SSL certs for the same domains.
To update, this is fixed in cPanel version 68 as part of internal case CPANEL-16864: Fixed case CPANEL-16864: AutoSSL: avoid performing DCV checks for excluded domains. Thank you.
To update, this is fixed in cPanel version 68 as part of internal case CPANEL-16864: Fixed case CPANEL-16864: AutoSSL: avoid performing DCV checks for excluded domains. Thank you.
Thanks for the update
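
Added example (not part of the thread and not cPanel code): a check for the log pattern quoted earlier in this thread, where a website's "will not contain the domains ... excludes these domains" warning and its "additional SSL coverage may be possible" notice name the same domains. The message wording is copied from the log above; the sample lines, domain names and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Message wording taken from the AutoSSL log entries quoted in this thread.
EXCLUDED_RE = re.compile(
    r'The certificate for the website "(?P<site>[^"]+)" will not contain the '
    r'domains (?P<domains>.+?) because the current configuration excludes')
COVERAGE_RE = re.compile(
    r'The website "(?P<site>[^"]+)".*?has a valid SSL certificate, but additional '
    r'SSL coverage may be possible for the domains (?P<domains>.+?)\. The system')
QUOTED_RE = re.compile(r'"([^"]+)"')

# Constructed sample lines (example.com / example.org are placeholders).
SAMPLE_LOG = '''\
2:55:09 PM WARN The certificate for the website "example.com" will not contain the domains "mail.example.com", "example.com", and "www.example.com" because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.
2:55:09 PM The website "example.com", owned by "user1", has a valid SSL certificate, but additional SSL coverage may be possible for the domains "example.com", "mail.example.com", "www.example.com", and "autodiscover.example.com". The system will attempt to replace this certificate with one that includes these additional domains.
2:55:10 PM The website "example.org", owned by "user1", has a valid SSL certificate, but additional SSL coverage may be possible for the domains "shop.example.org" and "cdn.example.org". The system will attempt to replace this certificate with one that includes these additional domains.
'''

def classify_replacements(log_text):
    """For each website AutoSSL wants to re-issue, split the domains it names
    into those the same run reported as excluded and those that are new."""
    excluded = defaultdict(set)
    requested = defaultdict(set)
    for line in log_text.splitlines():
        m = EXCLUDED_RE.search(line)
        if m:
            excluded[m.group("site")].update(QUOTED_RE.findall(m.group("domains")))
        m = COVERAGE_RE.search(line)
        if m:
            requested[m.group("site")].update(QUOTED_RE.findall(m.group("domains")))
    report = {}
    for site, wanted in requested.items():
        skipped = excluded.get(site, set())
        report[site] = {
            # Excluded by configuration, yet cited as a reason to replace the cert.
            "excluded_but_requested": sorted(wanted & skipped),
            # Domains that could actually extend coverage.
            "new_coverage": sorted(wanted - skipped),
        }
    return report

if __name__ == "__main__":
    for site, result in classify_replacements(SAMPLE_LOG).items():
        print(site, result)
```

A website whose "excluded_but_requested" list stays non-empty across daily runs is a candidate for the repeated re-issuance described in this thread.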