Self signed cert on DNSOnly server

  • cPRex Jurassic Moderator

    Hey there!  This is likely related to Let's Encrypt just needing to be registered.  Can you use the WHM >> Manage AutoSSL page and ensure that Let's Encrypt is selected and you have agreed to the terms of service there?

    0
  • quietFinn

    I don't think there is AutoSSL in DNSOnly server.

    0
  • PWHosting-Admin

    That's correct, there is no WHM >> Manage AutoSSL in DNSOnly. Is there another way I can register Let's Encrypt?

    0
  • cPRex Jurassic Moderator

    Can you try running this command on the system to set that?

    whmapi1 set_autossl_provider provider='LetsEncrypt' x_terms_of_service_accepted='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
    0
  • PWHosting-Admin

    Thanks cPRex, that did the trick! After running that command I got an error that /usr/local/apache/htdocs didn't exist, but after creating that folder and running the checkallsslcerts script again it now has a proper Let's Encrypt cert installed under WHM >> Manage Service SSL Certificates.

    0
  • cPRex Jurassic Moderator

    I'm glad that's working well now!

    0
  • PeteS

    cPRex I am having a similar/same issue. The cPanel cert expired, and then the DNSOnly server installed a self-signed one.

    I have tried to manually install a new cert: https://support.cpanel.net/hc/en-us/articles/360055612073-How-to-generate-a-free-signed-hostname-certificate and I have tried the link you suggested above. No good. (Note: when resetting and restart cpsrvd is required in WHM it hangs. /usr/local/cpanel/scripts/restartsrv_cpsrvd works fine from command line.)

    This began at the end of last August... not when it updated to 118 tonight. My other DNSOnly is fine (though it has not updated to 118 yet). I think one issue was the LetsEncrypt change, but that probably only began tonight after the 118 update.

    Here are sample errors I'm getting now:

    The system failed to validate domain control for the domain “webdisk.xxx-xxx-xxx-xxx.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (xxx.xxx.xxx.xxx: Invalid response from http://webdisk.xxx-xxx-xxx-xxx.cprapid.com/.well-known/acme-challenge/76ayih61ZkBqhxhDUB2886uc5hCqKRmEnpU-vRnnQpI: 404)

    warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webdisk.xxx-xxx-xxx-xxx.cprapid.com.”.

    Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.webdisk.xxx-xxx-xxx-xxx.cprapid.com.”. at /usr/local/cpanel/Cpanel/DnsUtils/Batch.pm line 243.

     

    0
  • cPRex Jurassic Moderator

    PeteS - the only entry for that specific error is in the following article:

    https://support.cpanel.net/hc/en-us/articles/360056919273-Does-AutoSSL-DNS-DCV-work-with-remote-DNS-servers

    Is that the case for your system?

    0
  • PeteS

    I do not believe it is. This is one of two NSs that are configured/DNSed identically, and no changes have been made to either one. They are clustered as the nameservers for the rest of my servers. But when the cPanel cert expired on 8/30/23 it installed a self-signed and has never recovered. I assumed it would sort itself out but it hasn’t, and I can’t manually do it either.

    Those domains that fail validation (as in example) are all at my server’s IP dot cprapid.com. I assume that is expected, correct?

    0
  • cPRex Jurassic Moderator

    We'll likely need to see a ticket on this one then, especially if it's been ongoing since August.

    0
  • PeteS

    Will do. I expected that but decided to give it a go on my own first, hoping to find a solution posted here.

    Since it’s not critical (just a DNS server) I won’t open the ticket immediately, but as soon as I get a chance. I will report back here if anything significant comes of it. Thanks!

    0
  • cPRex Jurassic Moderator

    Sounds good!

    0
