System SSL due to expire
Hi there,
On my main server I am receiving emails from the system informing me my system SSL certificate will expire within 30 days (currently 9 days to go).
My server's IP ranges were recently changed, therefore the server's main IP is now also changed. Yet on the email I receive...
The certificate has the following properties:
hostname.domain.net, old.ip.address.cprapid.com
Is there any way I can view and edit the service URLs I want the certificate to cover? Also, can I simply edit (or delete) the cprapid zone entries?
I also ran the following in the terminal...
"/usr/local/cpanel/bin/checkallsslcerts"
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. ({"domain_details":null,"status":"revoked","status_details":null,"status_message":"Stale CSR"})
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “dovecot” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to verify that the certificate for the “ftp” service is still valid using OCSP (Online Certificate Status Protocol).
The “ftp” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “ftp” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
[root@goldenage ~]#
------
I have read that sometimes the cpanel certificate will not renew until 3 days before expiry. I am just getting a little stressed as the clock continues to count down.
There are also 2 other domains listed within this certificate. I would like to know how I can remove these. I assume this was the previous owner experimenting with changing the hostname. How do you remove domains from being classed as system domains?
Thank you.
-
Hey there! Can you run these commands and see if that gets things taken care of?
cp -Rf /var/cpanel/hostname_cert_csrs /var/cpanel/hostname_cert_csrs.bak
/bin/rm -rf /var/cpanel/hostname_cert_csrs/*
/usr/local/cpanel/bin/checkallsslcerts
0 -
Thank you very much for the reply. It does a lot more than it was prior to this, but it is still trying to look using the old server IP address... Would you like to see the entire output from those commands?
Here is the error section. Can I simply edit the zone entry for the cprapid entries (to reflect the current IP)?
173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
… success!
www.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
… success!
whm.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://whm.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
mail.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
… success!
cpanel.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://cpanel.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
webmail.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://webmail.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
cpcontacts.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://cpcontacts.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
cpcalendars.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://cpcalendars.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
Succeeded domains: 27
Failed domains: 5
Undoing HTTP DCV setup …
… complete.
Undoing DNS DCV setup …
… complete.
Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/6F524CD7E0076E6C8D30FCB5B700E0F8.txt) …
… complete.
Setting up DNS DCV for “173-82-11-50.cprapid.com”, “goldenage.example.net”, “goldenage.example2.com”, and “newgoldenage.example.net” …
… complete.
Requesting certificate from cPStore …
This part gives me hope...
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.
I will run this periodically and see if the cert is installed. I will keep you posted.
0 -
That looks good to me! We do include the old hostname by default "just in case" so if that one fails, it's nothing to be concerned about. Let us know if you don't see that issued soon!
0 -
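A way to triage the DCV preflight output quoted above, as an added example that is not part of the thread and not cPanel code: it separates failures on `cprapid.com` names that encode an IP other than the server's current one from failures on every other name. The function names, the address `203.0.113.10` and the last sample entry are constructed for illustration.

```python
import re

# Sample input: the first three entries are excerpted from the output quoted
# in the thread; the goldenage.example.net failure is constructed.
SAMPLE = """\
173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
… success!
whm.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://whm.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
mail.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
… success!
goldenage.example.net: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://goldenage.example.net/.well-known/pki-validation/EXAMPLE.txt”, but the web server responded with the following error: 404 (Not Found).
"""

CHECK = re.compile(r"^(?P<name>\S+): Attempting HTTP DCV preflight check")
ERROR = re.compile(r"following error: (?P<code>\d{3}) \((?P<reason>[^)]*)\)")
RAPID = re.compile(r"(?:^|\.)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.cprapid\.com$")

def parse_dcv(text):
    """Map each checked name to 'ok', 'HTTP <code> <reason>' or 'unknown'."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CHECK.match(line):
            current = m["name"]
            results[current] = "unknown"   # until a result line follows
        elif current and line.endswith("success!"):
            results[current] = "ok"
            current = None
        elif current and (e := ERROR.search(line)):
            results[current] = f"HTTP {e['code']} {e['reason']}"
            current = None
    return results

def embedded_ip(name):
    """Return the dotted IP encoded in a *.cprapid.com name, else None."""
    m = RAPID.search(name)
    return ".".join(m.groups()) if m else None

def triage(text, current_ip):
    """Split failed names into (stale-IP cprapid names, names to investigate)."""
    stale, attention = [], []
    for name, status in parse_dcv(text).items():
        if status == "ok":
            continue
        ip = embedded_ip(name)
        (stale if ip and ip != current_ip else attention).append((name, status))
    return stale, attention
```

Pass the saved `checkallsslcerts` output and the server's current main IP to `triage`; anything in the second list is a name whose DNS or web server configuration still needs checking.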
It's been about 17 hours and I ran the command again. Is it normal for the panel store to take a while to issue the cert?
Here is the output from today...
[root@servername ~]# /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “dovecot” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to verify that the certificate for the “ftp” service is still valid using OCSP (Online Certificate Status Protocol).
The “ftp” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “ftp” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.
[root@servername ~]#
That was manually run via the terminal. The same should run tonight as a cron (I believe).
0 -
That seems better to me! Yes, it's normal for there to be a bit of delay for that to get issued, but usually it happens within 24 hours once you're getting the "The cPanel Store is processing the hostname certificate request" message.
0 -
Still the same (3 days later)
"The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs."
I tried using the --verbose flag but got no additional output.
0 -
Can you try running this instead to see if that changes anything?
/usr/local/cpanel/bin/autossl_check_cpstore_queue
0 -
When I run
/usr/local/cpanel/bin/autossl_check_cpstore_queue
I don't get any output returned. I then re-run /usr/local/cpanel/bin/checkallsslcerts and get the same return...
"The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs"
0 -
It might be time to submit a ticket on this one so we can check that specific order manually in our system. There's no good reason it should be taking multiple days to issue the certificate once the order has succeeded.
0 -
I attempted to do so through cPanel, but I was advised that my dedicated server company was my partner provider so I needed to go through them in the first instance. All they have advised me to do is make sure the DNS resolves and check my autossl logs to find the error.
One thing I did read was 90 day system certs not being replaced until there was only 3 days remaining. My cert does appear to be 90 days, but not sure how to know if this is my issue?
0 -
Yes, you would need to go through your license provider support if that license wasn't purchased through us directly.
This doesn't sound like the 3-day issue to me.
0 -
Another system email message...
The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. ({"domain_details":null,"status":"revoked","status_details":null,"status_message":"Stale CSR"})
0 -
We'll definitely need a ticket to fix the "revoked" status.
0 -
Follow up based on advice from my server company...
Cleaned up the hosts file (old hostname)
renamed the csr files using mv
ran checkallsslcerts again and it worked!
As I sink back into my chair I feel the zen effect as my blood pressure recedes back to a level capable of supporting human life. :-)
0 -
I'm glad they were able to help!