System SSL due to expire


  • cPRex Jurassic Moderator

    Hey there!  Can you run these commands and see if that gets things taken care of?

    cp -Rf /var/cpanel/hostname_cert_csrs /var/cpanel/hostname_cert_csrs.bak
    /bin/rm -rf /var/cpanel/hostname_cert_csrs/*
    /usr/local/cpanel/bin/checkallsslcerts 

     

  • vincentg

    Thank you very much for the reply. It does a lot more than it was prior to this, but it is still trying to look using the old server IP address... Would you like to see the entire output from those commands?

    Here is the error section. Can I simply edit the zone entry for the cprapid entries (to reflect the current IP)?

    173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    … success!

    www.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    … success!

    whm.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    The system queried for a temporary file at “http://whm.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.

    mail.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    … success!

    cpanel.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    The system queried for a temporary file at “http://cpanel.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.

    webmail.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    The system queried for a temporary file at “http://webmail.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.

    cpcontacts.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    The system queried for a temporary file at “http://cpcontacts.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.

    cpcalendars.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …

    The system queried for a temporary file at “http://cpcalendars.173-82-11-50.cprapid.com/.well-known/pki-validation/BA8504774529A8D4BDD8BD15A560C211.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.

    Succeeded domains: 27

    Failed domains: 5

    Undoing HTTP DCV setup …

    … complete.

    Undoing DNS DCV setup …

    … complete.

    Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/6F524CD7E0076E6C8D30FCB5B700E0F8.txt) …

    … complete.

    Setting up DNS DCV for “173-82-11-50.cprapid.com”, “goldenage.example.net”, “goldenage.example2.com”, and “newgoldenage.example.net” …

    … complete.

     

    Requesting certificate from cPStore …

     

    This part gives me hope...

    The cPanel Store is processing the hostname certificate request.
    The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.

    I will run this periodically and see if the cert is installed. I will keep you posted.

     

     

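The DCV preflight output above can be triaged with a few lines of shell. This is an added example, not code from the thread or from cPanel: the function names are hypothetical, the sample input is constructed (`TOKEN.txt`, `mail.example.net` and `203.0.113.10` are placeholders), and it assumes a cprapid.com name encodes an IPv4 address as dashed octets.

```shell
#!/bin/sh
# Added example: triage failed HTTP DCV preflight checks in
# checkallsslcerts output (read on stdin).

# Constructed sample shaped like the output quoted in the thread.
# TOKEN.txt and the mail.example.net line are placeholders.
sample_output() {
cat <<'EOF'
173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
… success!
whm.173-82-11-50.cprapid.com: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://whm.173-82-11-50.cprapid.com/.well-known/pki-validation/TOKEN.txt”, but the web server responded with the following error: 400 (Bad Request). A DNS (Domain Name System) or web server misconfiguration may exist.
mail.example.net: Attempting HTTP DCV preflight check …
The system queried for a temporary file at “http://mail.example.net/.well-known/pki-validation/TOKEN.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
EOF
}

# Print "host http_status" for each failed preflight line.
dcv_failures() {
    sed -n -E 's#.*temporary file at [^h]*http://([^/]+)/.*error: ([0-9]+) .*#\1 \2#p'
}

# Assumption: a cprapid.com name encodes an IPv4 address as a-b-c-d,
# optionally behind one service label (whm., cpanel., ...).
# Prints the dotted address, or nothing for any other name.
cprapid_ip() {
    printf '%s\n' "$1" | sed -n -E \
        's#^([a-z]+\.)?([0-9]+)-([0-9]+)-([0-9]+)-([0-9]+)\.cprapid\.com$#\2.\3.\4.\5#p'
}

# $1 = the server's current public IPv4 address.
# Separates failures on names tied to another address from failures
# on names that should be served by this host.
dcv_report() {
    current_ip=$1
    dcv_failures | while read -r host status; do
        ip=$(cprapid_ip "$host")
        if [ -n "$ip" ] && [ "$ip" != "$current_ip" ]; then
            printf '%s %s name-encodes-other-ip:%s\n' "$host" "$status" "$ip"
        else
            printf '%s %s check-dns-and-vhost\n' "$host" "$status"
        fi
    done
}

# Demo on the constructed sample; 203.0.113.10 stands in for the current IP.
# Real use: /usr/local/cpanel/bin/checkallsslcerts 2>&1 | dcv_report <current-ip>
sample_output | dcv_report 203.0.113.10
```
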
  • cPRex Jurassic Moderator

    That looks good to me!  We do include the old hostname by default "just in case" so if that one fails, it's nothing to be concerned about.  Let us know if you don't see that issued soon!

  • vincentg

    It's been about 17 hours and I ran the command again. Is it normal for the panel store to take a while to issue the cert?

    Here is the output from today...

    [root@servername ~]# /usr/local/cpanel/bin/checkallsslcerts
    The system will check for the certificate for the “cpanel” service.
    The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
    The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
    The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
    The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
    The system will check for the certificate for the “dovecot” service.
    The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
    The “dovecot” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “dovecot” service and any other services that use the old certificate.
    The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
    The system will check for the certificate for the “exim” service.
    The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
    The “exim” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim” service and any other services that use the old certificate.
    The system will attempt to install a certificate for the “exim” service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
    The system will check for the certificate for the “ftp” service.
    The system will attempt to verify that the certificate for the “ftp” service is still valid using OCSP (Online Certificate Status Protocol).
    The “ftp” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “ftp” service and any other services that use the old certificate.
    The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
    The cPanel Store is processing the hostname certificate request.
    The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.
    [root@servername ~]#

    That was manually run via the terminal. The same should run tonight as a cron (I believe) 

  • cPRex Jurassic Moderator

    That seems better to me!  Yes, it's normal for there to be a bit of delay for that to get issued, but usually it happens within 24 hours once you're getting the "The cPanel Store is processing the hostname certificate request" message.

  • vincentg

    Still the same (3 days later) 

    "The cPanel Store is processing the hostname certificate request.
    The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs."

    I tried using the --verbose flag but got no additional output.

  • cPRex Jurassic Moderator

    Can you try running this instead to see if that changes anything?

    /usr/local/cpanel/bin/autossl_check_cpstore_queue
  • vincentg

    When I run

    /usr/local/cpanel/bin/autossl_check_cpstore_queue

    I don't get any output returned. I then re-run /usr/local/cpanel/bin/checkallsslcerts and get the same return...

    "The cPanel Store is processing the hostname certificate request.
    The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs"
     
  • cPRex Jurassic Moderator

    It might be time to submit a ticket on this one so we can check that specific order manually in our system.  There's no good reason it should be taking multiple days to issue the certificate once the order has succeeded.

  • vincentg

    I attempted to do so through cPanel; I was advised that my dedicated server company was my partner provider, so I needed to go through them in the first instance. All they have advised me to do is make sure the DNS resolves and check my autossl logs to find the error.

    One thing I did read was 90-day system certs not being replaced until there was only 3 days remaining. My cert does appear to be 90 days, but not sure how to know if this is my issue?

     

  • cPRex Jurassic Moderator

    Yes, you would need to go through your license provider support if that license wasn't purchased through us directly.

    This doesn't sound like the 3-day issue to me.

  • vincentg

    Another system email message...

    The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. ({"domain_details":null,"status":"revoked","status_details":null,"status_message":"Stale CSR"})

  • cPRex Jurassic Moderator

    We'll definitely need a ticket to fix the "revoked" status.

  • vincentg

    Follow up based on advice from my server company...

    Cleaned up the hosts file (old hostname)

    Renamed the CSR files using mv

    Ran checkallsslcerts again and it worked!

    As I sink back into my chair I feel the zen effect as my blood pressure recedes back to a level capable of supporting human life. :-) 

  • cPRex Jurassic Moderator

    I'm glad they were able to help!
