Self-signed cert on DNSOnly server
After installing cPanel DNSOnly on a new DNS server and checking WHM > Service Configuration > Manage Service SSL Certificates I see that the server has installed a self-signed cert. I can verify this when I browse to https://ns.domain.com:2087. I tried running /usr/local/cpanel/bin/checkallsslcerts to generate a new cert, but I get an error:
Net::ACME2::X::Generic: No key ID has been set. Either pass “key_id” to new(), or create_account().
==> Net::ACME2::X::Generic::new('Net::ACME2::X::Generic', 'No key ID has been set. Either pass “key_id” to new(), or create_account().') (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/X/Tiny.pm at line 169)
==> X::Tiny::create('Net::ACME2::X', 'Generic', 'No key ID has been set. Either pass “key_id” to new(), or create_account().') (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2.pm at line 609)
==> Net::ACME2::_die_generic('No key ID has been set. Either pass “key_id” to new(), or create_account().') (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2.pm at line 539)
==> Net::ACME2::_require_key_id(Net::ACME2::LetsEncrypt=HASH(0x3ca9ec0), HASH(0x3c0bcc0)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2.pm at line 349)
==> Net::ACME2::create_order(Net::ACME2::LetsEncrypt=HASH(0x3ca9ec0), 'identifiers', ARRAY(0x3f24150)) (called in /var/cpanel/perl/Cpanel/SSL/ACME.pm at line 56)
==> Cpanel::SSL::ACME::__ANON__() (called in /usr/local/cpanel/Cpanel/Try.pm at line 193)
==> (eval)() (called in /usr/local/cpanel/Cpanel/Try.pm at line 193)
==> Cpanel::Try::try(CODE(0x3ed8188), 'Net::ACME2::X::ACME', CODE(0x37af600)) (called in /var/cpanel/perl/Cpanel/SSL/ACME.pm at line 72)
==> Cpanel::SSL::ACME::create_order_for_domains(Net::ACME2::LetsEncrypt=HASH(0x3ca9ec0), 'nameserver.domain.com', 'autoconfig.nameserver.domain.com', 'autodiscover.nameserver.domain.com', 'cpanel.nameserver.domain.com', 'cpcalendars.nameserver.domain.com', 'cpcontacts.nameserver.domain.com', 'ipv6.nameserver.domain.com', 'mail.nameserver.domain.com', 'webdisk.nameserver.domain.com', 'webmail.nameserver.domain.com', 'whm.nameserver.domain.com', 'www.nameserver.domain.com') (called in /var/cpanel/perl/Cpanel/SSL/ACME/DCV.pm at line 97)
==> Cpanel::SSL::ACME::DCV::new('Cpanel::SSL::ACME::DCV', 'acme', Net::ACME2::LetsEncrypt=HASH(0x3ca9ec0), 'domains', ARRAY(0x17593a0), 'provider', Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x31a7b38)) (called in bin/checkallsslcerts.pl at line 763)
==> bin::checkallsslcerts::_create_dcv(bin::checkallsslcerts=HASH(0x2b90e28), Net::ACME2::LetsEncrypt=HASH(0x3ca9ec0), ARRAY(0x17593a0), Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x31a7b38)) (called in bin/checkallsslcerts.pl at line 731)
==> (eval)(bin::checkallsslcerts=HASH(0x2b90e28), Net::ACME2::LetsEncrypt=HASH(0x3ca9ec0), ARRAY(0x17593a0), Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x31a7b38)) (called in bin/checkallsslcerts.pl at line 731)
==> bin::checkallsslcerts::_attempt_dcv_for_domains(bin::checkallsslcerts=HASH(0x2b90e28), Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x31a7b38), 'nameserver.domain.com', 'autoconfig.nameserver.domain.com', 'autodiscover.nameserver.domain.com', 'cpanel.nameserver.domain.com', 'cpcalendars.nameserver.domain.com', 'cpcontacts.nameserver.domain.com', 'ipv6.nameserver.domain.com', 'mail.nameserver.domain.com', 'webdisk.nameserver.domain.com', 'webmail.nameserver.domain.com', 'whm.nameserver.domain.com', 'www.nameserver.domain.com') (called in bin/checkallsslcerts.pl at line 609)
==> bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_lets_encrypt(bin::checkallsslcerts=HASH(0x2b90e28), 'cpanel') (called in bin/checkallsslcerts.pl at line 443)
==> bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x2b90e28), 'cpanel') (called in bin/checkallsslcerts.pl at line 114)
==> bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x2b90e28)) (called in bin/checkallsslcerts.pl at line 74)
Does anyone know how to resolve this error so I can get a non-self-signed cert installed for all services on my nameserver?
-
Hey there! This is likely related to Let's Encrypt just needing to be registered. Can you use the WHM >> Manage AutoSSL page and ensure that Let's Encrypt is selected and you have agreed to the terms of service there?
0 -
I don't think there is AutoSSL on a DNSOnly server.
0 -
That's correct, there is no WHM >> Manage AutoSSL in DNSOnly. Is there another way I can register Let's Encrypt?
0 -
Can you try running this command on the system to set that?
whmapi1 set_autossl_provider provider='LetsEncrypt' x_terms_of_service_accepted https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf
0 -
If those details don't work, please try the workaround mentioned here: https://support.cpanel.net/hc/en-us/articles/21161235673751-checkallsslcerts-fails-on-DNS-Only-servers-or-where-AutoSSL-is-disabled
0 -
Thanks cPRex, that did the trick! After running that command I got an error that /usr/local/apache/htdocs didn't exist, but after creating that folder and running the checkallsslcerts script again it now has a proper Let's Encrypt cert installed under WHM >> Manage Service SSL Certificates.
0 -
I'm glad that's working well now!
0 -
cPRex I am having a similar/same issue. The cPanel cert expired, and then the DNSOnly server installed a self-signed one.
I have tried to manually install a new cert: https://support.cpanel.net/hc/en-us/articles/360055612073-How-to-generate-a-free-signed-hostname-certificate and I have tried the link you suggested above. No good. (Note: when a reset and restart of cpsrvd is required in WHM, it hangs; /usr/local/cpanel/scripts/restartsrv_cpsrvd works fine from the command line.)
This began at the end of last August... not when it updated to 118 tonight. My other DNSOnly is fine (though it has not updated to 118 yet). I think one issue was the LetsEncrypt change, but that probably only began tonight after the 118 update.
Here are sample errors I'm getting now:
The system failed to validate domain control for the domain “webdisk.xxx-xxx-xxx-xxx.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (xxx.xxx.xxx.xxx: Invalid response from http://webdisk.xxx-xxx-xxx-xxx.cprapid.com/.well-known/acme-challenge/76ayih61ZkBqhxhDUB2886uc5hCqKRmEnpU-vRnnQpI: 404)
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webdisk.xxx-xxx-xxx-xxx.cprapid.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.webdisk.xxx-xxx-xxx-xxx.cprapid.com.”. at /usr/local/cpanel/Cpanel/DnsUtils/Batch.pm line 243.
0 -
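The two error lines above encode the two DCV paths checkallsslcerts tries (HTTP-01 token fetch, then a DNS-01 TXT record in a locally hosted zone) and why each failed. The parser below is an added example, not cPanel code or anything posted in this thread: it pulls the hostname, method, challenge URL or record name, and HTTP status out of constructed log lines modelled on the ones quoted here (placeholder IP, hostname and token), and maps each to the cause discussed in the thread (missing DCV document root for a 404; no local parent zone for the DNS error).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the errors quoted in this thread.
# The IP, hostname and token are placeholders, not values from a real server.
SAMPLE_LOG = """\
The system failed to validate domain control for the domain “webdisk.203-0-113-10.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (203.0.113.10: Invalid response from http://webdisk.203-0-113-10.cprapid.com/.well-known/acme-challenge/EXAMPLE-TOKEN: 404)
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webdisk.203-0-113-10.cprapid.com.”.
"""

HTTP_RE = re.compile(
    r'failed to validate domain control for the domain “(?P<domain>[^”]+)” '
    r'using the “HTTP” DCV method: (?P<acme_status>\d{3}) '
    r'(?P<acme_error>urn:ietf:params:acme:error:\w+)'
    r'.*?Invalid response from (?P<url>\S+): (?P<http_status>\d{3})')
DNS_RE = re.compile(
    r'no zone file on this system that can contain '
    r'“_acme-challenge\.(?P<domain>[^”]+?)\.?”')


@dataclass
class DcvFailure:
    domain: str      # hostname that failed validation
    method: str      # "HTTP" (HTTP-01) or "DNS" (DNS-01)
    detail: str      # challenge URL fetched, or TXT record name that could not be placed
    diagnosis: str   # likely cause, per the discussion in this thread


def classify_line(line: str) -> Optional[DcvFailure]:
    """Return a DcvFailure for a recognised checkallsslcerts DCV error line, else None."""
    m = HTTP_RE.search(line)
    if m:
        if m.group("http_status") == "404":
            why = ("challenge token not served: the DCV document root is missing "
                   "(in this thread /usr/local/apache/htdocs had to be created)")
        else:
            why = f"HTTP {m.group('http_status')} when fetching the challenge token"
        return DcvFailure(m.group("domain"), "HTTP", m.group("url"), why)
    m = DNS_RE.search(line)
    if m:
        return DcvFailure(m.group("domain"), "DNS", "_acme-challenge." + m.group("domain"),
                          "no locally hosted zone for the hostname's parent domain, "
                          "so DNS-01 cannot place the TXT record on this server")
    return None


def classify_log(text: str) -> List[DcvFailure]:
    """Classify every recognised DCV error line in a checkallsslcerts log excerpt."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in classify_log(SAMPLE_LOG):
        print(f"{f.method:4} {f.domain}: {f.diagnosis}")
```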
PeteS - the only entry for that specific error is in the following article:
Is that the case for your system?
0 -
I do not believe it is. This is one of two NSs that are configured/DNSed identically, and no changes have been made to either one. They are clustered as the nameservers for the rest of my servers. But when the cPanel cert expired on 8/30/23 it installed a self-signed and has never recovered. I assumed it would sort itself out but it hasn’t, and I can’t manually do it either.
Those domains that fail validation (as in example) are all at my server’s IP dot cprapid.com. I assume that is expected, correct?
0 -
We'll likely need to see a ticket on this one then, especially if it's been ongoing since August.
0 -
Will do. I expected that but decided to give it a go on my own first, hoping to find a solution posted here.
Since it’s not critical (just a DNS server) I won’t open the ticket immediately, but as soon as I get a chance. I will report back here if anything significant comes of it. Thanks!
0 -
Sounds good!
0