
SSL Notifications in cPanel 68

Comments

119 comments

  • garconcn
    Hello @rpvw, The global AutoSSL notification settings are separate from the individual cPanel AutoSSL notification settings. The following feature request is open for the ability to set default values for the cPanel user notifications: Ability to set defaults for cPanel User Notifications. In the meantime, you'd need to manually disable the individual AutoSSL notifications for cPanel users via "cPanel >> Contact Information" or set up a script that loops the cPanel API 2 functions referenced on the following thread: AutoSSL notifications in cPanel 68. Thank you.

    I guess this is already too late as the "AutoSSL notification feature" does not exist in cPanel until you upgrade to V68, but once you upgrade, the notification will be sent out right after. So, the client will receive at least one notification.
    0
  • jmartinmds
    Another note of thanks @NanoGame. I modified the script a little bit to include all 4 AutoSSL notifications:
    #!/bin/bash
    # Disable the four AutoSSL notifications for every cPanel user on the server.
    /bin/ls -1 /var/cpanel/users | while read -r USER; do
        /bin/echo "Now processing ${USER} ..."
        /usr/bin/cpapi2 --user="${USER}" CustInfo savecontactinfo notify_autossl_expiry_coverage=0 notify_autossl_renewal_coverage=0 notify_autossl_expiry=0 notify_autossl_renewal=0
    done
    And I agree with the others that this should be configurable for the entire server, and able to be set as a default option to have these disabled for new accounts.
    0
  • anton_latvia
    Thanks for the script. Question - where can we setup defaults for new accounts? So that new accounts will have these settings turned off?
    0
  • cPanelMichael
    Question - where can we setup defaults for new accounts? So that new accounts will have these settings turned off?

    It's not yet possible to configure those values by default. We will update the following feature request once there's more information about plans to add that functionality to the product: Ability to set defaults for cPanel User Notifications. In the meantime, you could set up a custom script like the one referenced earlier in this thread, and configure it to run as a post-stage hook immediately after an account is created. The particular event you would hook into is Accounts::Create: Guide to Standardized Hooks - Whostmgr Functions - Software Development Kit - cPanel Documentation. EX:
    /usr/local/cpanel/bin/manage_hooks add script /path/to/something.sh --manual --category Whostmgr --event Accounts::Create --stage post
    Thank you.
    0
  • 4u123
    I think a distinction needs to be made between the AutoSSL notifications and notifications for certificates the end user may have installed themselves from third parties. With AutoSSL, sending notifications to the end user is a waste of time, since they can't do anything to resolve any of those problems. Expiry notifications on these certs are also pointless, considering the fact that they auto renew. I think it's pretty reasonable to assume that AutoSSL notifications should go to the admin contact only. Also want to mention that we are using cachewall (xvarnish). As someone mentioned this above, I would suggest some of these errors are caused by that software, for us it seems to be an issue on the proxy subdomains. I understand that project has stalled and is currently not being developed - so it is unlikely a fix will be produced. I will attempt to reach out to them about this.
    0
  • ronaldst
    What on earth has been going on at the cPanel office, pushing out something causing all clients to be bombarded with emails? Just spent days sorting this issue. Thank you to everyone getting a solution written into an actual post, which honestly should have been the 2nd post in this topic by an actual cPanel staffer.
    0
  • diegomarin
    We have the same problem receiving many support tickets regarding the subject. I think that this feature should only be available to administrators and not to customers.
    0
  • mrl14
    This is a HUGE mistake on cPanel's part. You cannot just introduce new notifications to customers, especially with a very confusing message, as you have with AutoSSL. You are assuming that we have a) enabled this for all customers b) informed them of the service they are receiving from it and c) they understand the email you've sent them. You need to reverse this immediately and introduce it as a new feature that we can enable if we feel it is necessary. This should be fixed today and issued in a release tonight.
    0
  • wwwcad
    HUGE mistake! Hundreds of worried customers asking what the hell is going on with their accounts.
    0
  • wwwcad
    By the way: thanks @NanoGame for the script. At least with this we can stop future emails. And I didn't know we can execute cPanel API commands that easily from a bash script. Great!
    0
  • cPanelMichael
    Hello, Thank you to everyone for taking the time to offer feedback regarding the new AutoSSL notifications in cPanel version 68. To update, we have an internal case open to implement a new feature that will allow administrators to globally disable the end-user AutoSSL notifications. I don't have a specific time frame to offer at this time, but I'll update this thread again as soon as more information is available. In the meantime, the following user-submitted script will disable all end-user SSL notifications for all cPanel users:
    Hi Texo, we are getting a lot of tickets about these notices too. This is a little shell script I wrote to change the notifications for the 5 AutoSSL notices off for every user on the server. Save it to /root/something.sh, chmod 755 something.sh and then run it with ./something.sh
    #!/bin/bash
    # Stop if the users directory is missing, so the loop never runs elsewhere.
    cd /var/cpanel/users || exit 1
    for user in *
    do
        cpapi2 --user="$user" CustInfo savecontactinfo notify_autossl_renewal=0 notify_autossl_renewal_coverage=0 notify_autossl_expiry_coverage=0 notify_autossl_expiry=0 notify_ssl_expiry=0
    done
    Adjust the 0 values on the line above to 1 if you want to keep a particular notification on. Hope this helps :)

    More information about each cPanel API 2 function is available on this post: SSL Notifications in cPanel 68 Thank you.
    0
  • Duplika
    Hopefully this is released soon, and gives cPanel a heads up to avoid this kind of mistake in the future.
    0
  • BFFMediaInc
    I, like everyone else, am hit by this; I have 20 servers. All I see is cPanel figuring out a way to hide the symptom but not sending out notices. But the problem still exists that the auto-ssl is no longer issuing certificate renewals behind cloudflare, is that correct? I am approaching the warning dates from those emails. I assume they are correct that the replacement SSL will not be deployed. I use full-strict security at cloudflare and require a current SSL on the servers. These are all ecommerce stores with very high traffic. SSLs auto-renewed like clockwork before this upgrade which auto-deployed, I'll have words with my datacenter about that. But what is being done to fix the lack of an ssl being re-issued at expiration?
    0
  • Stephen Hare
    I was also seeing expired certs even though they are up to date in the backend. I turned off cachewall (xvarnish) and *poof* they are back. Likely related. rodpascoe - are you running varnish?

    Hi Quarterstaff. Did you manage to find a solution to Cachewall preventing AutoSSL certs from updating? I have also found it necessary to disable Cachewall and do a manual check of AutoSSL to get cert updated.
    0
  • stormy
    I've also been hit by this problem and received a LOT of support tickets. I agree that this is way too confusing for end users and it should be disabled ASAP as a stop gap measure. It would be fantastic for WHM admins to be able to receive a summary of all issues though, or to be able to check them out through the web interface.
    0
  • cPanelMichael
    But the problem still exists that the auto-ssl is no longer issuing certificate renewals behind cloudflare, is that correct?

    I've moved that particular issue to a separate thread for further discussion: New Thread - CloudFlare and AutoSSL
    Hi Quarterstaff. Did you manage to find a solution to Cachewall preventing AutoSSL certs from updating? I have also found it necessary to disable Cachewall and do a manual check of AutoSSL to get cert updated.

    I recommend reaching out to their support team to report the issue to see if this is something they have a patch for, or if they are working towards a resolution. Thank you.
    0
  • cPanelNick
    I've also been hit by this problem and received a LOT of support tickets. I agree that this is way too confusing for end users and it should be disabled ASAP as a stop gap measure. It would be fantastic for WHM admins to be able to receive a summary of all issues though, or to be able to check them out through the web interface.

    Hi stormy, All the problems are logged during each AutoSSL run and are viewable in the WHM >> SSL/TLS >> Manage AutoSSL >> Logs. We have opened CPANEL-16842 to add an option to disable AutoSSL notifications server-wide. Certificate expiry notifications (both AutoSSL and non-AutoSSL) can already be disabled server-wide in WHM >> Tweak Settings >> Notifications >> Send notifications when certificates approach expiry.
    0
  • stormy
    Thanks @cPanelNick! Yes, I know the logs page, but you have to comb through everything that has been done, success or failure. A list with all the issues would be really handy. Anyway, not worth it to start a feature request for that :)
    Certificate expiry notifications (both AutoSSL and non-AutoSSL) can already be disabled server-wide in WHM >> Tweak Settings >> Notifications >> Send notifications when certificates approach expiry.

    I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them. So what does it disable exactly? I'm on 68.0.12.
    0
  • cPanelMichael
    I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them. So what does it disable exactly? I'm on 68.0.12.

    Hi @stormy, Setting "Send notifications when certificates approach expiry" to "Off" under the "Notifications" tab in "WHM >> Tweak Settings" should prevent "/scripts/notify_expiring_certificates" from generating new notifications about expiring certificates (both AutoSSL and non-AutoSSL certificates). Is it possible the notifications that were sent were queued from before you disabled this option? Feel free to open a support ticket and we can verify it's working as expected on your system. Thank you.
    0
  • cPanelLauren
    Just a side note but it also might be helpful in the meantime, if you're going to use the abovementioned bash script as a workaround with the cpapi2 function to note that AutoSSL needs to be enabled in WHM>>SSL/TLS>>Manage AutoSSL interface as well as within the feature list the user's package is using.
    0
  • stormy
    Thanks @cPanelMichael. I can confirm that the notifications are still being sent, I just received another one right now. Thanks @cPanelLauren too. There's another reason the script didn't work: the Contact Information feature must be enabled as well, although it's listed as "Legacy". I had that disabled, and once enabled and checked, I could see that the individual notifications for AutoSSL were not disabled in ?goto_app=ContactInfo_Change. I'm still confused at the server-wide setting. Does it only mean the notifications won't be activated by default for new accounts? Or does it mean that the notification is never sent? If it's the latter, it's not working for me.
    0
  • cPanelNick
    Thanks @cPanelNick! Yes, I know the logs page, but you have to comb through everything that has been done, success or failure. A list with all the issues would be really handy. Anyway, not worth it to start a feature request for that :)

    I'm not sure if it is helpful, however, we did add an API for this in v68:
    # whmapi1 get_autossl_problems_for_user username=myusername
    ---
    data:
      problems_by_domain:
        - domain: this.tld
          log: 2017-11-14T05:18:03Z
          problem: "this.tld" does not resolve to any IPv4 addresses on the internet.
          time: 2017-11-14T05:27:23Z
        -
    0
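The server-wide list of issues asked for earlier in the thread can be assembled from the API call in the post above. This is an added example, not code from the thread or from cPanel: it assumes the YAML layout shown in that post, and `USERS_DIR`, `summarize_problems` and `report_all_users` are names made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one list of AutoSSL problems for all users.
# USERS_DIR, summarize_problems and report_all_users are hypothetical names.
USERS_DIR="${USERS_DIR:-/var/cpanel/users}"

# Print the pending record, if any, as user<TAB>domain<TAB>time<TAB>problem.
_flush() {
    if [ -n "$domain" ]; then
        printf '%s\t%s\t%s\t%s\n' "$acct" "$domain" "$when" "$problem"
    fi
    domain= when= problem=
}

# Read one user's get_autossl_problems_for_user output on stdin.
# Assumption: the YAML layout shown in the post, where each list item starts
# with "-" and the domain/problem/time keys each sit on a single line.
summarize_problems() {
    acct=$1 domain= when= problem=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}      # drop YAML indentation (spaces)
        case $line in
            -*) _flush                      # "-" opens a new list item
                line=${line#-}; line=${line# } ;;
        esac
        case $line in
            "domain: "*)  domain=${line#domain: } ;;
            "problem: "*) problem=${line#problem: } ;;
            "time: "*)    when=${line#time: } ;;
        esac
    done
    _flush                                  # last item has no "-" after it
}

# Query every account listed in /var/cpanel/users, as the scripts above do.
report_all_users() {
    for f in "$USERS_DIR"/*; do
        [ -f "$f" ] || continue
        whmapi1 get_autossl_problems_for_user username="${f##*/}" |
            summarize_problems "${f##*/}"
    done
}

# Run the full report only when asked, e.g.  sh autossl_report.sh --all
if [ "${1:-}" = "--all" ]; then
    report_all_users
fi
```

Users with no outstanding problems produce no lines, so an empty report means every AutoSSL-covered domain passed DCV on the last run.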
  • cPanelNick
    I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them. So what does it disable exactly? I'm on 68.0.12.

    The expiry notification system is separate from the AutoSSL system so the confusion is understandable. This system is responsible for sending expiry notifications for all certificate types. The tweak setting disables the expiry notifications system (SSL::CertificateExpiring and AutoSSL::CertificateExpiring - except for related DCV problems). The following command will disable the expiry notification system:
    whmapi1 set_tweaksetting key=notify_expiring_certificates value=0
    It's possible the cause of the unexpected notifications is the AutoSSL system sending them when a domain is failing DCV and is affecting the ability for it to renew before the expiry (AutoSSL::CertificateExpiring - when there are related DCV problems or AutoSSL::CertificateRenewalCoverage). We opened up case CPANEL-16927 to move all the expiry and related notifications for AutoSSL certificates to be controlled by the same options that were added in CPANEL-16842 (shipped in 68.0.14). Hopefully, this will reduce the confusion created by having two places where the notifications are controlled.

    CPANEL-16842 shipped in 68.0.14 with these changes:
      • AutoSSL options area will handle server-wide control for sending notifications for AutoSSL certificates except expiry. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, and SSL::CertificateExpiring - when there are related DCV problems)
      • If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel.

    Once available the following command line options will be able to disable the notifications server-wide:
      • Turn off all the AutoSSL notifications and prevent AutoSSL from replacing invalid or expiring non-AutoSSL certificates:
        whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":0,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
      • Turn off all the AutoSSL notifications and allow AutoSSL to replace invalid or expiring non-AutoSSL certificates (not recommended):
        whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":1,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
      • In v70 we added set_autossl_metadata_key to make this easier to set from the command line: WHM API 1 Functions - set_autossl_metadata_key - Software Development Kit - cPanel Documentation

    When CPANEL-16927 is completed in a coming v70 release (available in EDGE):
      • Tweak Settings option will control sending notification non-AutoSSL certificates (SSL::CertificateExpiring) [Note: If AutoSSL is disabled we treat all certificates as non-AutoSSL certificates]
      • AutoSSL options area will handle control for sending notifications for AutoSSL certificates. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, AutoSSL::CertificateExpiryCoverage [partial DCV failure - NEW] and AutoSSL::CertificateExpiring [full DCV failure])
      • We have also added some language in the WHM Contact Manager to clarify that the settings control which notifications the server administrator receives and where to adjust the settings for a cPanel user (in Contact Information)
      • If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel and administrators will have the option to disable them in the WHM Contact Manager

    When CPANEL-16928 is completed in a coming v70 release (available in EDGE):
      • We are adding additional granularity to control to the AutoSSL::CertificateInstalled notification as AutoSSL::CertificateInstalledCovergeReduced [New] and AutoSSL::CertificateInstalledUncoveredDomains [NEW] for administrators who want to disable the AutoSSL::CertificateInstalled success notifications. This allows administrators to reduce the number of notifications but still stay informed when a certificate that reduces the SSL coverage is installed. This is an important distinction since this usually means that a DCV problem was not corrected in time to prevent interruption of service by having an expected domain removed from the certificate.
      • Now that we have a way to distinguish between a coverage problem and a successful renewal, we will also change AutoSSL::CertificateInstalled (Success) to be disabled by default (If you have already saved/modified AutoSSL options, your existing settings will be preserved.)

    Note: This post was edited to clarify how certificates are treated when AutoSSL is disabled, provide command line options for disabling AutoSSL notifications server-wide, and expand how CPANEL-16928 will be implemented.
    0
  • swbrains
    I also experienced a lot of support queries after 68 was released due to SSL "will expire soon" notifications being sent to my users. I actually handle SSL certificate renewal myself using scripts on my customers' sites to check and renew certs as needed (from Let's Encrypt). For some reason, Let's Encrypt is not an option in the list of Providers for AutoSSL (only Comodo is listed). Anyway, since my script starts trying to renew certs about 10 days prior to expiration, the cPanel notifications go out to customers prior to this, which of course is generating confusion. Again, this is for non-AutoSSL certs. I have AutoSSL disabled server wide in WHM and always have. I had already disabled the notifications in Contact Manager, but continued to see the notices being sent. After reading this thread, I have disabled the Tweak Settings option. But shouldn't the Contact Manager notification settings in my screenshot below have stopped non-AutoSSL notifications regardless of the Tweak Settings option (as per the last setting shown)? Or was that setting overridden by an individual account setting? If so, what is the purpose of this WHM setting? Finally, as mentioned in the prior post: CPANEL-16927 is completed in a coming v70 release: Tweak Settings option will control sending notification non-AutoSSL certificates This sounds like what I need. Does this mean that there is currently no setting that will disable non-AutoSSL expiry notifications in 68.0.14, including the one in Tweak Settings I mentioned earlier? Thanks for any clarity you can shed on this issue.
    0
  • Rehan_1990
    After upgrading cPanel/WHM to 68, I have been noticing that cPanel is sending notification emails to clients, which is disturbing. Is there any way we can stop these notifications?
    0
  • CrazySerb
    How did this "feature" reach Release? incomprehensible.

    Right? As in, whoever adds these features in that development pit obviously isn't the one testing them and approving them, and one hand isn't talking to the other one as the testers obviously don't have a full idea of all the new features implemented so they can properly test their effects. Or, if they do, they are doing a terrible job testing the effects of these new features and are just green lighting everything that even remotely looks good. Either way, an issue.
    If you're running EDGE or CURRENT you might expect some issues.

    I'm not arguing with you. When you go to your WebHost Manager to select your tier, you'll note the links to the right of each one. Click them to be taken to the cPanel glossary page where I got the quotes above. I hope this helps!

    Yeah, that's cute. Except that EDGE and CURRENT are usually the same version, and RELEASE is 50% of the time the same as well. And if it isn't, it says "recommended" right next to it. Screenshot So how did a feature like this *slip* into the RELEASE without proper testing and approval is beyond me. And if you're going to label it a "recommended" release, two steps down from the bleeding EDGE and release candidate CURRENT, you'd think this one would get enough testing done by the time it's pushed out. You'd think. You guys screwed up and as someone mentioned should have had a fix for this the next night. And not just an API reference that leaves us scrambling to figure out how to even use that, but an actual function in WHM that lets us disable this with a click of a button globally. Why? Because there are only a dozen of us on this thread who even remotely thought about checking your forums for a solution, and there are tens of thousands of server admins out there who will suffer through this issue hoping for a fix of some sort for days and weeks, answering angry emails from customers who are as confused as they are on why they are even getting emails like these in the first place and what all that means.
    I think a distinction needs to be made between the AutoSSL notifications and notifications for certificates the end user may have installed themselves from third parties. With AutoSSL, sending notifications to the end user is a waste of time, since they can't do anything to resolve any of those problems. Expiry notifications on these certs are also pointless, considering the fact that they auto renew. I think it's pretty reasonable to assume that AutoSSL notifications should go to the admin contact only.

    Right? These notifications to end users are pointless to begin with, so why even implement them in the first place?! And not only implement them but force them in a way that doesn't allow us to turn them off, nor does it provide a default OFF setting on update allowing us to turn it ON ourselves if we so desire. Sometimes I wonder who does use case testing in your offices there... With all that said, thank you for providing the command line solution and whoever provided that shell script as well. It will do, for now, as a quick fix, for those of us who are lucky enough to find it and be able to implement it.
    0
  • rpvw
    v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications." https://forums.cpanel.net/data/attachments/58/58051-a30ff11ce5416467f2160567e5a9a49d.jpg
    I think the cPanel developers deserve the highest praise for both acknowledging the community's concerns, and acting so promptly to mitigate the unintended consequences of the new AutoSSL notifications feature.
    0
  • rpvw
    v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications." https://forums.cpanel.net/data/attachments/58/58051-a30ff11ce5416467f2160567e5a9a49d.jpg
    0
  • mtindor
    v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications." https://forums.cpanel.net/data/attachments/58/58051-a30ff11ce5416467f2160567e5a9a49d.jpg

    The question I would have [for cPanel, not for you] is whether disabling the notifications in this area will stop the notifications to users or if it will stop notifications to admins or both? Mike
    0
  • mtindor
    v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications." https://forums.cpanel.net/data/attachments/58/58051-a30ff11ce5416467f2160567e5a9a49d.jpg
    I think the cPanel developers deserve the highest praise for both acknowledging the community's concerns, and acting so promptly to mitigate the unintended consequences of the new AutoSSL notifications feature.

    They deserve some praise. Highest praise? The jury is out on that one. On an existing WHM 68 box that is now on .14, I see the options -- but they were enabled. I disabled them. If servers upgrading from WHM 66 to 68 have those options ENabled by default I'd consider that a fail. The idea is not to have _any_ of these emails sent out, not even once, unless the admin enables those options. In summary, assuming that a WHM 66 to 68 update does not automatically have those options disabled, I feel they should. Mike
    0
