SSL Notifications in cPanel 68
[Moderator Note]
Here's the most recent update on this topic for anyone visiting this thread for the first time:
[End Moderator Note] Hello, I hope someone can help me. I upgraded to cPanel 68 and the instant I did so (and every day since) all my users have started receiving autoSSL error emails like this one :-
This is only part of the email, it's a long email listing failures for every cname like ftp, web disk etc. I am getting loads of support tickets asking what the hell is going on as users don't understand the email and for the life of me I cannot find how to disable these emails. This is where the cPanel/WHM documentation pages really let customers down, they are so difficult to navigate and find anything in, they really need an overhaul as the current plain text 1990's looking system just doesn't help anymore.
The expiry notification system is separate from the AutoSSL system so the confusion is understandable. This system is responsible for sending expiry notifications for all certificate types. The tweak setting disables the expiry notifications system (SSL::CertificateExpiring and AutoSSL::CertificateExpiring - except for related DCV problems). The following command will disable the expiry notification system:whmapi1 set_tweaksetting key=notify_expiring_certificates value=0
Its possible the cause of the unexpected notifications is the AutoSSL system sending them when a domain is failing DCV and is affecting the ability for it to renew before the expiry (AutoSSL::CertificateExpiring - when there are related DCV problems or AutoSSL::CertificateRenewalCoverage). We opened up case CPANEL-16927 to move the all the expiry and related notifications for AutoSSL certificates to be controlled by the same options that were added in CPANEL-16842 (not yet released). Hopefully, this will reduce the confusion created by having two places where the notifications are controlled. CPANEL-16842 shipped in 68.0.14 with these changes: [LIST]AutoSSL options area will handle server-wide control for sending notifications for AutoSSL certificates except expiry. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, and SSL::CertificateExpiring - when there are related DCV problems) If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel. Once available the following command line options will be able to disable the notifications server-wide: [LIST] Turn off all the AutoSSL notifications and prevent AutoSSL from replacing invalid or expiring non-AutoSSL certificates: whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":0,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
Turn off all the AutoSSL notifications and allow AutoSSL to replace invalid or expiring non-AutoSSL certificates (not recommended): whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":1,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
When CPANEL-16927 is completed in a coming v70 release: [LIST]Tweak Settings option will control sending notification non-AutoSSL certificates (SSL::CertificateExpiring) [Note: If AutoSSL is disabled we treat all certificates as non-AutoSSL certificates] AutoSSL options area will handle control for sending notifications for AutoSSL certificates. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, AutoSSL::CertificateExpiryCoverage [partial DCV failure - NEW] and AutoSSL::CertificateExpiring [full DCV failure]) We have also added some language in the WHM Contact Manager to clarify that the settings control which notifications the server administrator receives and where to adjust the settings for a cPanel user (in Contact Information) If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel and administrators will have the option to disable them in the WHM Contact Manager When CPANEL-16928 is completed in a coming v70 release: [LIST] We are adding additional granularity to control to the AutoSSL::CertificateInstalled notification as AutoSSL::CertificateInstalledCovergeReduced [New] and AutoSSL::CertificateInstalledUncoveredDomains [NEW] for administrators who want to disable the AutoSSL::CertificateInstalled success notifications. This allows administrators to reduce the number of notifications but still stay informed when a certificate that reduces the SSL coverage is installed. This is an important distinction since this usually means that a DCV problem was not corrected in time to prevent interruption of service by having an expected domain removed from the certificate.
[End Moderator Note] Hello, I hope someone can help me. I upgraded to cPanel 68 and the instant I did so (and every day since) all my users have started receiving autoSSL error emails like this one :-
exampledomain.co.uk: The AutoSSL certificate expires on 2017-05-11 at 00:00:00 UTC. At the time of this notice, the certificate expired "159 days, 19 hours, 55 minutes, and 48 seconds" ago.
AutoSSL did not renew the certificate for "exampledomain.co.uk". You must take action to keep this site secure.
The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
webdisk.exampledomain.co.uk [ Last AutoSSL Run at "2017-10-16 at 23:54:07 UTC" ]
The system queried for a temporary file at "http://webdisk.exampledomain.co.uk/.well-known/pki-validation/C14A94680F46EA0B29D3DF1E93E14EFC.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "webdisk.exampledomain.co.uk" resolved to an IP address "91.210.235.75" that does not exist on this server.
This is only part of the email, it's a long email listing failures for every cname like ftp, web disk etc. I am getting loads of support tickets asking what the hell is going on as users don't understand the email and for the life of me I cannot find how to disable these emails. This is where the cPanel/WHM documentation pages really let customers down, they are so difficult to navigate and find anything in, they really need an overhaul as the current plain text 1990's looking system just doesn't help anymore.
-
Hi mtindor, I know you didn't ask me, but my observations below may help: Tweak settings > Send notifications when certificates approach expiry. seems to apply to Admins only The three settings I mentioned above remove the notification options from the users cPanel Edit Contact Information and Preferences page - so I am going to go out on a limb and guess that these apply to users only. I felt that the previous replies regarding the Tweak settings entry all left me with some doubt as to what it did exactly - so if some kind developer could give us a simple, unequivocal, (possible politically incorrect) clarification, I am sure everyone will thank you :) 0 -
My apologies in advance, as this may upset some readers...... Well of course one can continue bashing the developers for whatever they did wrong - I know - I am often one of the first to loudly and thoroughly castigate when I see something I believe to be wrong. However - repetition does little to solve an issue other than to irritate ! [LIST] - Should this feature have been allowed to be pushed out in the form it was ? .... Of course not.
- Should someone have thought about the implications ? .... Probably, but they either didn't think it would be an issue, or it got overlooked.
- Did developers react to the communities concerns within a reasonable time frame ? ... I believe they did. All in all - I still think they did a great job - having once been involved in a software application myself, and having users come onto my forum and just moan and complain incessantly often left me wondering why I was bothering at all (and our software was FOSS), so I appreciated it when someone took the time and trouble to give us any encouragement. Bottom line, if you have something to say, be constructive and don't belabour the point. Software gets more complex and demanding every day. Users want it to do more, on a bigger variety of platforms, and maintain backward compatibility, and pay less for the privilege. If you think you can do a better job - we shall look forward to seeing your contribution !
0 -
My apologies in advance, as this may upset some readers......
That may or may not have been directed at me, at least in part. Regardless, I don't take offense. I'm not a software developer, and i do appreciate what the developers do. Perhaps "fail" was too harsh -- maybe "partial fail". I feel it was still constructive criticism, as I don't think it would be too late for the cPanel folks to default those options to DISabled, assuming they aren't disabled by default on a 66-to-68 update. Mike PS: I can't do a better job, and you won't see any contribution from me.0 -
rpvw, Thanks for the response. Do you have any idea if disabling those three notifications (under Manage AutoSSL-->Options) also disables (sets to =0) existing settings for the indivdual cPanel users that are entered into /var/cpanel/users/ ? You had stated that it removes the options from the users' cPanel Edit Contact Information and Preference page, but I'm just wondering if it also goes through /var/cpanel/users/* and disables them (or if it even needs to). The whole function in WHM under Manage AutoSSL-->Options might act upon things higher up the chain, thus ignoring any related lines in a /var/cpanel/users/. I know that after I logged into a WHM 68.0.14 and unchecked the options in Manage AutoSSL-->Options, the lines in /var/cpanel/users/ still exist and did not change. Previous to this I had already run the script (provided by a cPanel forum member) that sets the options to =0, and so it is unclear to me whether unchecking the items under Manage AutoSSL-->Options does anything to the /var/cpanel/users/ files -- or if it even needs to. I guess that the question isn't really one I should expect you or any other user to answer. Some definitive clarification by the cPanel folks would be nice though. Basically, I just want to know what happens, behind the scenes, when those options are unchecked in Manage AutoSSL-->Options. Does it act upon information previously added to /var/cpanel/users/? Or does it act on things higher up, thus ignoring any related entries in /var/cpanel/users/ when the options are disabled? Mike 0 -
My apologies in advance, as this may upset some readers......
I would concur with what you said in this post. The following is really get a bit off of this topic, but I think it applies to what @rpvw has said. For the record, I haven't read through this entire thread, but I think I have the gist of what is going on. I have not yet upgraded to cPanel 68, for reasons I am about to explain. I think ultimately what all of this boils down to is a complete misuse (or misunderstanding) of the various cPanel release tiers (STABLE, RELEASE, CURRENT, EDGE, BETA?). I'm assuming that this "feature" was included in v68 when it was at EDGE and CURRENT? But the issue did not really raise it's head until v68 reached RELEASE? Am I correct in this assumption? If so, this is telling me that there's not enough people using CURRENT or EDGE and finding these issues before the version moves on up the cycle. Either that or cPanel is pushing out versions too fast through the various tiers. cPanel has attempted to remedy some of this with their new LTS schedule that went into affect this year. But it's still not a perfect system. I'm not sure of what the exact solution is. But just because there's not an immediate solution, doesn't mean you can't identify it as a problem. In my opinion, cPanel would be a bit better served if they simplified these release tiers. Have an EDGE release that's mostly for developers - people that develop plugins and addon products for cPanel. Not really real-world ready Have an LTS version - perhaps twice a year instead of the current once per year. Continue to support both versions (provide security updates) for 12 months. Another words release an LTS in January, release another LTS in June but continue to support the January release through December, and continue to support the June release through May. Have something in between - call it RELEASE or CURRENT. This tier gets updated more often. Ideally you'd provide some type of incentive (lower price?) to use this tier, the idea being to get more people willing to use this tier and identify real-wolrd issues before it reaches LTS. This only works if you have a legitimate number of using using this tier and using it in real-word production environments, otherwise everyone is just going to be on LTS and only identify the issues when the release hits LTS. This is one reason why I stay a bit behind the RELEASE tier (I suppose STABLE is more of where I'm at, but you can likely expect to find more issues with v68 when it reaches STABLE as even more users get the update). I stay tuned into these forums to see what "issues" might exist in various releases. I know all of this is a bit off of the original topic here. But I just think this issue could have been avoided if it had been identified earlier in the release cycle.0 -
Do you have any idea if disabling those three notifications (under Manage AutoSSL-->Options) also disables (sets to =0) existing settings for the indivdual cPanel users that are entered into /var/cpanel/users/ ?
I am sorry but I did not test that, since I had previously used the shell script that a user kindly provided in one of the many recent threads pertinent to this subject, to loop through all the users, and disable the notifications in each user cPanel so everything was already set to =0unchecked the options in Manage AutoSSL-->Options, the lines in /var/cpanel/users/ still exist and did not change.
I also found that behaviour on users that I had disabled in WHM >> SSL/TLS >> Manage AutoSSL > Manage Users. I raised a bug report about it because I felt that the notification options should not even be displayed in a users cPanel if the autoSSL had been disabled for that user - I never got a reply, so I closed the report in a fit of pique.0 -
You might like to read through a thread I opened some time ago relating to accelerated (and possibly unrealistic) release schedules and their consequences. Updates and Minefields 0 -
Indeed! I pretty much echo everything you said in that thread. Perhaps my post really belongs in that thread. As you said, there just seems to be a lot missing from a quality control standpoint. I also don't believe there is anything wrong with constructive criticism. A boardroom full of yes men won't get you very far. As long as it's done in a tactful manner and your posts are always polite, maybe a side of grumpy, but there's nothing wrong with that (mine are too at time). 0 -
So, client will receive at least one notification. 0 -
Hi, I'm an end user managing a simple web site, & know nothing of scripts & servers. But I keep getting AutoSSL renewal notices (see attachment SSL letter.gif). As far as I know, I've never had certificates attached to either of my domain names. The server who seems to be sending the notices (Hudson Valley Host) is one I have never used. The log-on page the letter sends me to will not accept my current cPanel username & password, nor any I have used in the past. My question is simple: is there some way I can stop the reminders from my end? I don't know if they can be treated as ordinary junk mail, as the sender is listed as my own cPanel account, from my email address at my current servers. (If they were blocked, it might destabilize the situation.) I spoke to my servers, who directed me to the other server that seems to send the letters, but after days of being put on tickets the reminders keep arriving. Can you suggest any remedy? Thanks 0 -
(I'm slightly off-topic again) The log-on page the letter sends me to will not accept my current cPanel username & password, nor any I have used in the past.
You probably shouldn't do that. This is how phishing scams work. Your real cPanel username and password may be compromised now. I would suggest that you log into your real cPanel account ([plain]http://yourdomain.tld/cpanel[/plain]) and change your password as soon as possible. I'm not saying that this particular link was a phishing scam, but you never know. If your real login isn't working, then it's obviously not a link to your real cPanel.0 -
All my customers keeps receiving these emails every f***** day. Hundreds of support tickets asking about what's going on. People asking Refunds for their branded SSL certificates because we are reporting a fail in their "coverage". :mad::mad::mad: Worst update by Cpanel ever. 0 -
Hi @wwwcad, Were you able to review the previous posts regarding the steps you can take to disable the notifications for all cPanel users? Here's the link to the specific post: SSL Notifications in cPanel 68 Thank you. 0 -
The only way to stop these emails server-wide was to add a system filter to exim. /etc/cpanel_exim_system_filter if $header_subject: contains "AutoSSL" then #If logfile configured #logwrite "BLOCKED AUTOSSL EMAIL $tod_log $sender_address $sender_address_domain $header_to $sender_address_local_part $header_subject" seen finish endif0 -
The only way to stop these emails server-wide was to add a system filter to exim.
Hello, While a system filter rule is one way to stop the emails, the other method (referenced in my last response) should also work to stop the notifications. Can you verify if you tried using that script? Thank you.0 -
Hello, While a system filter rule is one way to stop the emails, the other method (referenced in my last response) should also work to stop the notifications. Can you verify if you tried using that script? Thank you.
No Michael, Sorry. The script was executed and it reported an OK to the changes requested via the API but the emails are still being sent in all our servers. The filter was the only solution to avoid them server-wide. Example of some of the emails being sent.2017-12-13 03:16:37 [718430] 1eP2DU-0030ta-3E <= cpanel@xxxxxx H=(localhost.localdomain) [127.0.0.1]:36433 I=[127.0.0.1]:25 P=esmtp S=43785 M8S=0 id=1513152996.bm7cEW8bldyKbGqk@xxxxx T="[xxxx] \342\232\240 xxxx: The AutoSSL certificate renewal may cause a reduc" from for xxxx@gmail.com0 -
The script was executed and it reported an OK to the changes requested via the API but the emails are still being sent in all our servers.
Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look at the system and the email logs to see why exactly it didn't work as expected. Thank you.0 -
I need some final clarification on notifications, because things have changed and the documentation doesn't seem to be updated/complete. There are now 3 places to configure notifications: 1. Tweak settings > Notifications > Send notifications when certificates approach expiry ("Send a notification when an SSL certificate expires soon. The system will only send a notification for an AutoSSL-provided certificate if that certificate fails to renew".) Does this send notifications to the cPanel user or to the server admin? Or both? 2. Contact manager: There are two related notifications here, "AutoSSL certificates expiring" and "SSL certificates expiring". Both say this: "This option performs no actions when the "Send notifications when certificates approach expiry." option is disabled in WHM"s "Tweak Settings" interface." So, depending on the answer to my question about 1, there's no way for the server admin only to receive notifications, and not notify the final users. 3. Manage AutoSSL > Options. Here are the new notification options. I think these are user only notifications. Am I right? Thanks for the clarification! 0 -
Hello @stormy, I'm formulating my response based on the behavior in cPanel version 70, as it's nearing publication to the Current build tier (tentatively planned for the third week of January). cPanel version 68 becomes EOL once version 70 reaches the Stable build tier. . Tweak settings > Notifications > Send notifications when certificates approach expiry ("Send a notification when an SSL certificate expires soon. The system will only send a notification for an AutoSSL-provided certificate if that certificate fails to renew".) Does this send notifications to the cPanel user or to the server admin? Or both?
As of cPanel version 70, the "Send notifications when certificates approach expiry" option in "WHM >> Tweak Settings" applies to non-AutoSSL certificates only (unless AutoSSL is disabled on the system): Fixed case CPANEL-16927: Make notify_expiring_certificates ignore AutoSSL when AutoSSL is active. Thus, since you are using AutoSSL, the "Send notifications when certificates approach expiry" only applies to non-AutoSSL certificates. Additionally, by default, notifications are sent both to users and administrators. If "Send notifications when certificates approach expiry" is disabled, this notification type is not utilized at all. If you want the administrator notification enabled, but the user notification disabled, then you'd leave the option enabled in "WHM >> Tweak Settings" and access cPanel to disable "SSL certificate expiry" under the "Contact Information" option for each user. If you want user notifications enabled, but the administrator notification disabled, then you'd leave the tweak setting option on and modify the contact preference for "SSL certificates expiring" in "WHM >> Contact Manager".. Manage AutoSSL > Options. Here are the new notification options. I think these are user only notifications. Am I right?
No, that's not correct. The "WHM >> Manage AutoSSL" notification settings control whether a specific AutoSSL notification type is active on the system. For the enabled AutoSSL notification types, you use "WHM >> Contact Manager" to control if the enabled notification types are sent to the administrator, and you use "cPanel >> Contact Information" to control whether enabled notification types are sent to the cPanel user. Thank you.0 -
Well I've read through this entire thread and I am still confused. I simply want to disable the email notifications for Auto SSL that get sent to the end user (cPanel account email address). I've had dozens of clients contacting me wondering what all the AutoSSL emails mean. Since I manage the server, I don't want end users seeing this kind of communication. So - please explain in the simplest terms, how can I turn off the AutoSSL emails for the end users? I can see that it is possible to control this in the "Contact Information and Preferences" section within each individual cPanel account - but I want to control the notifications for all users on a server wide basis. There really should be a simple WHM panel interface that contains the notification controls for all the end users (cPanel accounts) - that's separate from the admin notifications. 0 -
Well I've read through this entire thread and I am still confused. I simply want to disable the email notifications for Auto SSL that get sent to the end user (cPanel account email address). I've had dozens of clients contacting me wondering what all the AutoSSL emails mean. Since I manage the server, I don't want end users seeing this kind of communication. So - please explain in the simplest terms, how can I turn off the AutoSSL emails for the end users? I can see that it is possible to control this in the "Contact Information and Preferences" section within each individual cPanel account - but I want to control the notifications for all users on a server wide basis. There really should be a simple WHM panel interface that contains the notification controls for all the end users (cPanel accounts) - that's separate from the admin notifications.
Confusing isn't it? I still get the emails (as do my users) despite following all the instructions on here. Opened a ticket and never got a reply. Gave up and now just delete the emails.0 -
Have you tried running: /usr/local/cpanel/bin/whmapi1 set_autossl_metadata metadata_json={\"notify_autossl_expiry_coverage\":0} /usr/local/cpanel/bin/whmapi1 set_autossl_metadata metadata_json={\"notify_autossl_renewal_coverage\":0} /usr/local/cpanel/bin/whmapi1 set_autossl_metadata metadata_json={\"notify_autossl_renewal\":0} Or through the WHM interface: Manage AutoSSL -> Options -> Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV. Manage AutoSSL -> Options -> Uncheck Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV. Manage AutoSSL -> Options -> Uncheck Send notifications when AutoSSL has renewed a certificate. Further explanation: /usr/local/cpanel/bin/whmapi1 set_autossl_metadata metadata_json={\"notify_autossl_expiry_coverage\":0} unchecks Manage AutoSSL -> Options -> Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV. /usr/local/cpanel/bin/whmapi1 set_autossl_metadata metadata_json={\"notify_autossl_renewal_coverage\":0} unchecks Manage AutoSSL -> Options -> Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV. /usr/local/cpanel/bin/whmapi1 set_autossl_metadata metadata_json={\"notify_autossl_renewal\":0} unchecks Manage AutoSSL -> Options -> Send notifications when AutoSSL has renewed a certificate. Doing it through the command-line is quicker for me, but may not be the case for you. Does this stop all of the notifications? I'm really not sure. 0 -
I can see that it is possible to control this in the "Contact Information and Preferences" section within each individual cPanel account - but I want to control the notifications for all users on a server wide basis.
Hello, Here's a post here with an example of a script you can use to disable the cPanel user AutoSSL notifications for every user: Post 2496419 Keep in mind this is improved in cPanel version 70, as the ability to disable options that send AutoSSL notifications to cPanel users will exist in "WHM >> Home >> SSL/TLS >> Manage AutoSSL". Thank you.0 -
Hello, Here's a post here with an example of a script you can use to disable the cPanel user AutoSSL notifications for every user: Post 2496419 Keep in mind this is improved in cPanel version 70, as the ability to disable options that send AutoSSL notifications to cPanel users will exist in "WHM >> Home >> SSL/TLS >> Manage AutoSSL". Thank you.
Thank you for clarifying this. I will look forward to this solving these emails in cPanel 70.0 -
Have anyone tested that these emails are not sent out in version 70 after disabling this in tweak settings? We're still at version 66 because of these terrible emails causing so much pain for our customers and helpdesk! 0 -
We're still at version 66 because of these terrible emails causing so much pain for our customers and helpdesk!
The fix is well documented in this thread... one simple command line, and the notifications can be disabled. Did you miss that? upgrade to 68, then run the command, problem solved. We have found that the notifications are actually helpful, except for the "successful renewal" emails, so those are the only ones we have disabled. The rest of them are almost always pointing to some type of problem that should be fixed anyway. We have devised a couple of standard responses that help customers to learn more about the "SSL/TLS Status" feature in cPanel to give them control over what FQDNs they want protected by SSL. Your mileage may vary here... but, I think you could upgrade and disable the notifications easily. - Scott0 -
Thanks Scott! But we do not use AutoSSL for our customers. We sell SSL and actually make profits, therefore we do not want to use it. No, I didn't read the whole thread because I will skip version 68 on our servers and go directly to version 70. I updated one server to 70 and changed setting, but I do not fully trust cPanel have fixed it.... That's why I wanted some feedback on this setting in tweak: 0 -
But we do not use AutoSSL for our customers. We sell SSL and actually make profits, therefore we do not want to use it.
I updated one server to 70 and changed setting, but I do not fully trust cPanel have fixed it.... That's why I wanted some feedback on this setting in tweak (Send notifications when certificates approach expiry)
Hello @Hedloff, Yes, disabling the "Send notifications when certificates approach expiry" option in "WHM >> Tweak Settings" in cPanel version 70 will disable the notifications that occur when non-AutoSSL SSL certificates are about to expire. Let us know if you have any additional questions. Thank you.0 -
The fix is well documented in this thread... one simple command line, and the notifications can be disabled. Did you miss that? upgrade to 68, then run the command, problem solved. We have found that the notifications are actually helpful, except for the "successful renewal" emails, so those are the only ones we have disabled. The rest of them are almost always pointing to some type of problem that should be fixed anyway. We have devised a couple of standard responses that help customers to learn more about the "SSL/TLS Status" feature in cPanel to give them control over what FQDNs they want protected by SSL. Your mileage may vary here... but, I think you could upgrade and disable the notifications easily. - Scott
Only it didn't fix it for everyone (us included) so Hedloff's question is valid.Thanks Scott! But we do not use AutoSSL for our customers. We sell SSL and actually make profits, therefore we do not want to use it. No, I didn't read the whole thread because I will skip version 68 on our servers and go directly to version 70. I updated one server to 70 and changed setting, but I do not fully trust cPanel have fixed it.... That's why I wanted some feedback on this setting in tweak:
We sell them too and couldn't agree more. Yes Hedloff, 70 finally fixed it, just take all the ticks out of the boxes to say good-bye to those pesky emails.0
Please sign in to leave a comment.
Comments
119 comments