SSL Notifications in cPanel 68
[Moderator Note]
Here's the most recent update on this topic for anyone visiting this thread for the first time:
The expiry notification system is separate from the AutoSSL system so the confusion is understandable. This system is responsible for sending expiry notifications for all certificate types. The tweak setting disables the expiry notifications system (SSL::CertificateExpiring and AutoSSL::CertificateExpiring - except for related DCV problems). The following command will disable the expiry notification system:
whmapi1 set_tweaksetting key=notify_expiring_certificates value=0
It's possible the cause of the unexpected notifications is the AutoSSL system sending them when a domain is failing DCV and is affecting the ability for it to renew before the expiry (AutoSSL::CertificateExpiring - when there are related DCV problems or AutoSSL::CertificateRenewalCoverage). We opened up case CPANEL-16927 to move all the expiry and related notifications for AutoSSL certificates to be controlled by the same options that were added in CPANEL-16842 (not yet released). Hopefully, this will reduce the confusion created by having two places where the notifications are controlled.

CPANEL-16842 shipped in 68.0.14 with these changes:
- AutoSSL options area will handle server-wide control for sending notifications for AutoSSL certificates except expiry. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, and SSL::CertificateExpiring - when there are related DCV problems)
- If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel.
- Once available the following command line options will be able to disable the notifications server-wide:
  - Turn off all the AutoSSL notifications and prevent AutoSSL from replacing invalid or expiring non-AutoSSL certificates:
    whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":0,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
  - Turn off all the AutoSSL notifications and allow AutoSSL to replace invalid or expiring non-AutoSSL certificates (not recommended):
    whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":1,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'

When CPANEL-16927 is completed in a coming v70 release:
- Tweak Settings option will control sending notifications for non-AutoSSL certificates (SSL::CertificateExpiring) [Note: If AutoSSL is disabled we treat all certificates as non-AutoSSL certificates]
- AutoSSL options area will handle control for sending notifications for AutoSSL certificates. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, AutoSSL::CertificateExpiryCoverage [partial DCV failure - NEW] and AutoSSL::CertificateExpiring [full DCV failure])
- We have also added some language in the WHM Contact Manager to clarify that the settings control which notifications the server administrator receives and where to adjust the settings for a cPanel user (in Contact Information)
- If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel and administrators will have the option to disable them in the WHM Contact Manager

When CPANEL-16928 is completed in a coming v70 release:
- We are adding additional granularity of control to the AutoSSL::CertificateInstalled notification as AutoSSL::CertificateInstalledCovergeReduced [New] and AutoSSL::CertificateInstalledUncoveredDomains [NEW] for administrators who want to disable the AutoSSL::CertificateInstalled success notifications. This allows administrators to reduce the number of notifications but still stay informed when a certificate that reduces the SSL coverage is installed. This is an important distinction since this usually means that a DCV problem was not corrected in time to prevent interruption of service by having an expected domain removed from the certificate.
[End Moderator Note]
Hello, I hope someone can help me. I upgraded to cPanel 68 and the instant I did so (and every day since) all my users have started receiving autoSSL error emails like this one:
exampledomain.co.uk: The AutoSSL certificate expires on 2017-05-11 at 00:00:00 UTC. At the time of this notice, the certificate expired "159 days, 19 hours, 55 minutes, and 48 seconds" ago.
AutoSSL did not renew the certificate for "exampledomain.co.uk". You must take action to keep this site secure.
The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
webdisk.exampledomain.co.uk [ Last AutoSSL Run at "2017-10-16 at 23:54:07 UTC" ]
The system queried for a temporary file at "http://webdisk.exampledomain.co.uk/.well-known/pki-validation/C14A94680F46EA0B29D3DF1E93E14EFC.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "webdisk.exampledomain.co.uk" resolved to an IP address "91.210.235.75" that does not exist on this server.
This is only part of the email, it's a long email listing failures for every cname like ftp, web disk etc. I am getting loads of support tickets asking what the hell is going on as users don't understand the email and for the life of me I cannot find how to disable these emails. This is where the cPanel/WHM documentation pages really let customers down, they are so difficult to navigate and find anything in, they really need an overhaul as the current plain text 1990's looking system just doesn't help anymore.
-
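A triage helper for the notification quoted in the post above, as an added example that is not part of the original thread or of cPanel's code: it parses the per-domain failure entries and separates hostnames whose DNS points off the server from those where the validation file was simply not served. The sample text is constructed (placeholder domain, token and IP address), and the "ftp" entry without the foreign-IP sentence is an assumed variant.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the notification quoted in the post above.
# Domain, validation token and IP address are placeholders; the "ftp" entry
# without the foreign-IP sentence is an assumed variant.
SAMPLE_NOTICE = """\
example.test: The AutoSSL certificate expires on 2017-05-11 at 00:00:00 UTC.
AutoSSL did not renew the certificate for "example.test". You must take action to keep this site secure.
The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
webdisk.example.test [ Last AutoSSL Run at "2017-10-16 at 23:54:07 UTC" ]
The system queried for a temporary file at "http://webdisk.example.test/.well-known/pki-validation/0123456789ABCDEF.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "webdisk.example.test" resolved to an IP address "192.0.2.75" that does not exist on this server.
ftp.example.test [ Last AutoSSL Run at "2017-10-16 at 23:54:07 UTC" ]
The system queried for a temporary file at "http://ftp.example.test/.well-known/pki-validation/0123456789ABCDEF.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
"""

ENTRY = re.compile(r'^(?P<domain>\S+) \[ Last AutoSSL Run at "(?P<run>[^"]+)" \]\s*$')
STATUS = re.compile(r"responded with the following error: (?P<code>\d{3})\b")
FOREIGN_IP = re.compile(
    r'resolved to an IP address "(?P<ip>[^"]+)" that does not exist on this server'
)


@dataclass
class DcvFailure:
    domain: str
    last_run: str
    http_status: Optional[int] = None
    foreign_ip: Optional[str] = None

    @property
    def cause(self) -> str:
        # DNS pointing off the server explains the HTTP error, so it wins.
        if self.foreign_ip:
            return "dns-points-off-server"
        if self.http_status is not None:
            return "validation-file-not-served"
        return "unclassified"


def parse_notice(text: str) -> List[DcvFailure]:
    """Return one DcvFailure per '<domain> [ Last AutoSSL Run at ... ]' entry."""
    failures: List[DcvFailure] = []
    details: List[List[str]] = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            failures.append(DcvFailure(m.group("domain"), m.group("run")))
            details.append([])
        elif failures:
            details[-1].append(line.strip())  # tolerate hard-wrapped mail bodies
    for failure, lines in zip(failures, details):
        body = " ".join(lines)
        status = STATUS.search(body)
        ip = FOREIGN_IP.search(body)
        failure.http_status = int(status.group("code")) if status else None
        failure.foreign_ip = ip.group("ip") if ip else None
    return failures


def triage(failures: List[DcvFailure]) -> Dict[str, List[str]]:
    """Group failing hostnames by likely cause, for a support-ticket summary."""
    groups: Dict[str, List[str]] = {}
    for f in failures:
        groups.setdefault(f.cause, []).append(f.domain)
    return groups


if __name__ == "__main__":
    for cause, domains in triage(parse_notice(SAMPLE_NOTICE)).items():
        print(f"{cause}: {', '.join(domains)}")
```

Hostnames in the first group need a DNS fix or exclusion from AutoSSL rather than a muted notification; those in the second point at the web server configuration.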
Thus, since you are using AutoSSL, the "Send notifications when certificates approach expiry" only applies to non-AutoSSL certificates. Additionally, by default, notifications are sent both to users and administrators. If "Send notifications when certificates approach expiry" is disabled, this notification type is not utilized at all. If you want the administrator notification enabled, but the user notification disabled, then you'd leave the option enabled in "WHM >> Tweak Settings" and access cPanel to disable "SSL certificate expiry" under the "Contact Information" option for each user. If you want user notifications enabled, but the administrator notification disabled, then you'd leave the tweak setting option on and modify the contact preference for "SSL certificates expiring" in "WHM >> Contact Manager".
No, that's not correct. The "WHM >> Manage AutoSSL" notification settings control whether a specific AutoSSL notification type is active on the system. For the enabled AutoSSL notification types, you use "WHM >> Contact Manager" to control if the enabled notification types are sent to the administrator, and you use "cPanel >> Contact Information" to control whether enabled notification types are sent to the cPanel user. Thank you.
cPanel is not listening to us.... As administrators, and those of us who wish to use autoSSL, we want to be able to have the option to receive our chosen notifications, and we want the facility to turn off select or all notifications to cPanel users. It is very simple. As it stands now we would have to go into each user's cPanel and manually turn them off. cPanel has created a rod for our backs here, a massive increase in support requests from users who do not know what to do about these notifications. Even in v70, it is still not right. 0 -
Only it didn't fix it for everyone (us included) so Hedloff's question is valid. We sell them too and couldn't agree more. Yes Hedloff, 70 finally fixed it, just take all the ticks out of the boxes to say good-bye to those pesky emails.
Thank you rodpascoe ! :) Great to hear that it's just not us having huge issues..... Tested on a couple of servers now and it seems to be working fine. cPanel also added self signed ssl a while ago for all accounts as default and when thousands of customers get notification about these as well, it creates a lot of work for our support department! Would really wish cPanel would start to listen and when they add new features they have them disabled by default! 0 -
If you want the administrator notification enabled, but the user notification disabled, then you'd leave the option enabled in "WHM >> Tweak Settings" and access cPanel to disable "SSL certificate expiry" under the "Contact Information" option for each user.
"access cPanel to disable "SSL certificate expiry" under the "Contact Information" option for each user." Where is that? I cannot find it in WHM or user cPanels. 0 -
access cPanel to disable "SSL certificate expiry" under the "Contact Information" option for each user." Where is that? I cannot find it in WHM or user cPanels.
Hello @Tam, This is found in cPanel, under the "Preferences" section. Or, from the dropdown option in the upper right of the theme where you see the account username. The option is documented at: Contact Information - Version 70 Documentation - cPanel Documentation
Note the following section:
Important:
- This interface only appears if your hosting provider enables either of the following features in WHM's feature, you must set your contact email address.
Thank you. 0 -
Ah, the issue is with the documentation then, if the notifications are disabled in WHM > Manage AutoSSL > Options, then they will not show in the Contact Information options.
Hello @Tam, That's by design and documented on our interface (Home >> cPanel >> Preferences >> Contact Information).
- The system will not send notifications to cPanel users for options that you disable.
- These options override the user's current settings.
Can you verify which behavior or documentation you are referring to that's not accurate? Thank you. 0 -
It is clearly there in the documentation linked to in the previous post. For instance, My account approaches its bandwidth usage limit. This setting notifies you if your website will soon exceed the maximum amount of traffic allowed. Notes:
- This setting only appears if your hosting provider limits the bandwidth usage for your cPanel account and enables bandwidth notifications.
- After you reach your maximum bandwidth, visitors cannot access your website.
- To resolve this issue, you must upgrade your hosting plan. Otherwise, you must wait until the limit resets. Generally, this limit resets at the end of each month.
In any of the AutoSSL references there is no mention of This setting only appears if your hosting provider...... But anyway, as so many people are discovering with cPanel and their lovely AutoSSL, cPanel is not allowing us to have full control over the feature. Okay, we can enable or disable it, but we need to be able to control whether our clients receive AutoSSL notifications or not, and by not allowing us to do so you are burgeoning our support departments/facilities with excessive work because the vast majority of clients do not know what to do with these notifications and it is predominantly a server administrative issue. It is completely impractical for us to have to enter a client's cPanel and disable it manually from within there, many of us have thousands of clients. The feature should be considered incomplete until that facility is available to admins.
0 -
In any of the AutoSSL references there is no mention of This setting only appears if your hosting provider......
Good point. I've opened a case with our Documentation Team (#DOC-10387) to have the Contact Information document updated to reflect that information.
It is completely impractical for us to have to enter a client's cPanel and disable it manually from within there, many of us have thousands of clients.
You can disable the AutoSSL notifications completely without logging into cPanel for each account by disabling the notification types under the "Options" tab in "WHM >> Manage AutoSSL". This action alone will ensure the notifications are not sent to cPanel users or administrators. That said, if I understand correctly, you'd like to disable the AutoSSL notifications for all users, but still have it sent to the administrator. Is that correct? If so, we have a feature request open that would offer what you are seeking: Ability to set defaults for cPanel User Notifications In the meantime, you could use a workaround like the one referenced on this post. Thank you. 0 -
That said, if I understand correctly, you'd like to disable the AutoSSL notifications for all users, but still have it sent to the administrator. Is that correct? If so, we have a feature request open that would offer what you are seeking: Ability to set defaults for cPanel User Notifications In the meantime, you could use a workaround like the one referenced on this post. Thank you.
Yes, thank you. 0 -
Hello, as much as I like AutoSSL it's giving us a lot of problems. I don't think that cPanel/WHM should have a feature enabled by default if it affects end users. First, AutoSSL was enabled by default and all the SSL's were issued for our cpanel accounts / users. Then we managed to disable AutoSSL for new accounts and manually disabled all the AutoSSL's for selected users and left enabled only for the users that we choose. But now AutoSSL's are expiring for the users that we disabled in the meantime and now they are receiving warning emails and that means a lot of unnecessary job for our support. After reading this thread we tried that api script, but it's not working because the users that we don't want to receive warning emails are disabled under AutoSSL configuration. Even if we try to manually login to cPanel -> Contact Information and uncheck AutoSSL notifications it doesn't work. It stays always checked. I can not believe that the only solution is to enable AutoSSL AGAIN for all of our users, then run API script and then manually disable AGAIN AutoSSL for the selected users. ????? That's a lot of work for our support team. If we disable AutoSSL in the feature manager DISABLED list, why our users have an option to see AutoSSL notifications in cPanel -> Contact Information? Shouldn't this be connected? Also if we set DISABLED for an user under Manage AutoSSL, why cPanel -> Contact Information regarding AutoSSL still exists and it's enabled? 0 -
Hi @zodiac9797, The issues you have described are solved in cPanel & WHM version 70. AutoSSL notifications are not sent when AutoSSL is disabled for the account, and AutoSSL contact preferences are not visible in cPanel if AutoSSL is disabled for the feature list assigned to the account. Thank you. 0 -
Thank you @cPanelMichael Here is what we had to do to disable end user AutoSSL emails. Maybe someone else will find it useful to save some time.
1. We had to turn on (enable) AutoSSL for all user accounts. When disabled you can't change AutoSSL emails in cPanel -> Contact information or by using shell script
2. Then we ran the shell script, which you can find in this post, here is some extra info:
   notify_autossl_renewal=0 (AutoSSL has renewed a certificate.)
   notify_autossl_renewal_coverage=0 (AutoSSL will not secure a new domain because a domain on the current certificate has failed DCV.)
   notify_autossl_expiry_coverage=0 (AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV.)
   notify_autossl_expiry=0 (AutoSSL certificate expiry.)
   notify_ssl_expiry=0 (SSL certificate expiry.)
3. After that we had to once again disable AutoSSL for all user accounts and then enable it for the user accounts we choose
As Michael said, this will be sorted out in v70, but we couldn't wait another 20-30 days since we were under huge pressure from our users, and even our resellers end users received AutoSSL warning emails, which p*** our resellers... :(
It would be easier if there were no 200 SSL's limit, then we could enable AutoSSL for all of our users, but we have big servers with thousands of users. :( Any chance of setting this limit higher or even removing it? 0 -
It would be easier if there were no 200 SSL's limit, then we could enable AutoSSL for all of our users, but we have big servers with thousands of users. :( Any chance of setting this limit higher or even removing it?
Hello @zodiac9797, This type of request is better suited for our feature request website. I encourage you to open a feature request for this via the following URL: Submit A Feature Request Thank you. 0 -
It would be easier if there were no 200 SSL's limit, then we could enable AutoSSL for all of our users, but we have big servers with thousands of users. :( Any chance of setting this limit higher or even removing it?
I thought the 200 limit was per VirtualHost. Or is my definition of VirtualHost and everyone else's definition of VirtualHost different? Essentially you can attach up to 199 SANs to a certificate (plus the 1 common name = 200). At least that's how I was understanding this. Is there a limit to the number of certificates you can issue out per server (per IP, I guess?) Say you have a server with 10,000 cPanel users. That's 10,000 VirtualHosts (at least). AutoSSL would be able to issue a certificate for all 10,000 of these (although, you'd probably run into a rate limit, X number issued per day). But if one of those accounts had 201 domain aliases, only the first 199 (plus the 1 ServerName) would be attached as SANs to the certificate. That's how I understood this. 0 -
Hi @sparek-3, Yes, you are correct that the limit is per virtual host. I've rarely seen reports where the limit was met, but it is possible to reach the limit if an account makes use of several aliases (parked domains). This document is useful for understanding virtual hosts: Thank you. 0 -
Thank you @sparek-3 and @cPanelMichael ! I was completely wrong regarding the 200 limit. Don't know why I "read" that we can have up to 200 certificates. Anyways this is much better, now we can enable AutoSSL for all of our users. And when I think that I was manually disabling certificates, what a dumba* :D 0 -
As others have said, this is not information that end users need to see. Whether the cPanel account that a customer uses to manage their website is AutoSSL enabled or not is irrelevant to 99.9% of customers. These e-mails are also an issue for hosting companies that sell SSL certificates who are now being put on the defensive to explain why customers should buy their certificates when free ones are provided. Yes, these messages can be disabled. This is not the point. The point is, these messages should not have been enabled. It's forcing web hosts to answer thousands of support e-mails, defend their business practices, and make changes on servers to disable messages that serve no purpose. My suggestion is that cPanel should immediately run a script on ALL cPanel/WHM servers to disable the messages. Admins then have the option of opting in as desired. cPanel/WHM's philosophy should be to "do no harm". In this regard, the AutoSSL deployment has failed to meet this standard. 0 -
Hi @zodiac9797, The issues you have described are solved in cPanel & WHM version 70. AutoSSL notifications are not sent when AutoSSL is disabled for the account, and AutoSSL contact preferences are not visible in cPanel if AutoSSL is disabled for the feature list assigned to the account. Thank you.
I would go one step further and disable these notifications by default. My understanding is, there is nothing customers can do about AutoSSL certificates and only admins can resolve any issues. This is not front-facing information that customers need to have. 0 -
My clients attacked hosting support with questions about these letters. Please make the global option to disable such notifications. So far I've disabled notifications via the API, the script is below, I think many will need it.
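#!/bin/bash
# Disable the two AutoSSL DCV-coverage notifications for every cPanel user on the server.
# Each file name under /var/cpanel/users is a cPanel account name.
/bin/ls -1 /var/cpanel/users | while read -r USER; do
    /bin/echo "Now processing ${USER} ..."
    /usr/bin/cpapi2 --user="${USER}" CustInfo savecontactinfo notify_autossl_expiry_coverage=0 notify_autossl_renewal_coverage=0
done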
I only signed up to the forum so I could give you my congrats! Well, congratulations and many many thanks, you put an end to a long nightmare for the last 1 and a half year! 0 -
Hello, As of cPanel & WHM version 70, it's possible to disable the notifications globally using Web Host Manager. Here's the pertinent section from the interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL):
Notes:
- If you deselect any of the following options, the system will also remove the corresponding option from cPanel's interface (Home >> WHM >> Server Contacts >> Contact Manager).
- The system will not send notifications to cPanel users for options that you disable.
- These options override the user's current settings.
- Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV.
  AutoSSL cannot request a new certificate if all of the domains on a website fail domain control validation (DCV).
- Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV.
  AutoSSL will not attempt to renew a certificate if a currently-secured domain fails DCV. All currently-secured domains must pass DCV for AutoSSL to attempt to renew a certificate during normal circumstances. However, if the certificate will expire in three days or fewer, AutoSSL will drop coverage for the domains that fail and force a renewal.
- Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV.
  AutoSSL will not attempt to secure new domains if a currently-secured domain fails DCV. All of the currently-secured domains and at least one of the unsecured domains must pass DCV for AutoSSL to attempt to issue a new certificate. However, if the certificate will expire in three days or fewer, AutoSSL will drop coverage for the domains that fail and force a reissue.
  Note:
  - If the certificate expires in three days or fewer, the system does not send this notification.
- Notify when AutoSSL has renewed a certificate successfully.
  When AutoSSL renews a certificate, the system will send a notification.
- Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website's domains.
  AutoSSL renews a certificate even if the new certificate does not contain any of the domains from the previous certificate.
- Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured.
  AutoSSL renews certificates even if the new certificate does not contain any domains from the previous certificate
Additionally, the set_autossl_metadata_key WHM API 1 function makes it possible to do this from the command line: > Manage AutoSSL >> Options":
whmapi1 set_autossl_metadata_key key=notify_autossl_expiry value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_expiry_coverage value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage_reduced value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_uncovered_domains value=0
Thank you. 0 -
I found this thread because today my STABLE install upgraded to 70.0.48 and sent messages to all my clients. One client said he thought it may be indication of a virus and was reporting it to me as a heads-up. I see there is now an option in Manage AutoSSL -> Options, but this appears to disable the messages completely? As a server Admin, I would like to receive these notifications, but obviously not have them go to my clients. I am sure the answer is here somewhere in this long thread, and I apologize if it is, but how do I set these to go only to me? 0 -
As a server Admin, I would like to receive these notifications, but obviously not have them go to my clients.
Big +1 0 -
Hi @dynaweb, The WHM >> Manage AutoSSL notification settings control whether a specific AutoSSL notification type is active on the system. For the enabled AutoSSL notification types, you can use WHM >> Contact Manager to control if the enabled notification types are sent to the administrator, and you can use cPanel >> Contact Information for each account to control whether the enabled notification types are sent to the individual cPanel users. Alternatively, you can use the command quoted in the following post to disable these notifications for all cPanel users on the system in lieu of manually accessing cPanel >> Contact Information for each account: Post 2496419 Thank you. 0 -
As a server Admin, I would like to receive these notifications, but obviously not have them go to my clients.
Attached is the UI for configuring the notifications in v74+. This should allow the configuration you are looking for. v74+ supports Ancestor DCV (cPanel/Comodo provider only) and DNS DCV (cPanel/Comodo provider only) which reduces the number of cases where the site cannot pass DCV. This will also help reduce the number of notifications. 0 -
Attached is the UI for configuring the notifications in v74+. This should allow the configuration you are looking for.
This is much improved, and frankly the kind of options that should be included by default on new features that incorporate notifications that could be sent to users. Preferably with the default set to not send anything to users. I love cPanel, product and company, but want the choice of what communication cPanel has with clients to be in my (company) hands. 0 -
Attached is the UI for configuring the notifications in v74+. This should allow the configuration you are looking for. v74+ supports Ancestor DCV (cPanel/Comodo provider only) and DNS DCV (cPanel/Comodo provider only) which reduces the number of cases where the site cannot pass DCV. This will also help reduce the number of notifications.
I am on v70.0.48 but I do not see these options - should I? Will. 0 -
I am on v70.0.48 but I do not see these options - should I?
As indicated in the response those notifications will be introduced in v74 of cPanel. You won't have them just yet. Thanks! 0 -
We installed new server, moved few customers from other server and with notifications disabled in WHM - they still got these automatic emails about expired SSL certificates, so we had to run that very-old script.. 0 -
@anton_latvia - are you referring to this script?
whmapi1 set_autossl_metadata_key key=notify_autossl_expiry value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_expiry_coverage value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage_reduced value=0
whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_uncovered_domains value=0
or was it something else you needed to do? I haven't had any other reports of that issue recently so you're always welcome to open a ticket with our team to have us take a look. 0