cPanel Services certificate renewal failed
Answered
Hello community!
It's been 7 days now that the cPanel issued certificate failed to do the yearly renewal for unknown reasons. Right now I've changed to a self-signed but obviously it's temporary and unsafe (I'm afraid that already the server is compromised).
When I run the /usr/local/cpanel/bin/checkallsslcerts script, I get the response:
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
DNS query error ({domain}/CAA): SERVFAIL (2)
The system will attempt to get a new certificate for the domains: {hostname}, autoconfig.{hostname}, autodiscover.{hostname}, cpanel.{hostname}, cpcalendars.{hostname}, cpcontacts.{hostname}, ipv6.{hostname}, mail.{hostname}, webdisk.{hostname}, webmail.{hostname}, whm.{hostname}, www.{hostname}, {host hostname}, autoconfig.{host hostname}, autodiscover.{host hostname}, cpanel.{host hostname}, cpcalendars.{host hostname}, cpcontacts.{host hostname}, ipv6.{host hostname}, mail.{host hostname}, webdisk.{host hostname}, webmail.{host hostname}, whm.{host hostname}, www.{host hostname}
429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many certificates already issued for "contaboserver.net". Retry after 2024-04-07T11:00:00Z: see https://letsencrypt.org/docs/rate-limits/) at bin/checkallsslcerts.pl line 734.
I've tried numerous times to run the script but without any success. Contabo's support is tragically slow and since they have to contact cPanel themselves (new cPanel policy...) this problem is taking dangerously too much time to resolve.
Any suggestions are greatly appreciated!
Kostas
-
Hey there! Can you use the details here to remove that old hostname from the server?
After that is complete, you can manually run "/usr/local/cpanel/bin/checkallsslcerts" to force a renewal of the hostname SSL.
0 -
Hey cPRex,
Thank you for your reply.
I'm not sure what do you mean by 'old' hostname. There was no change in the hostname. Just the services certificate failed to renew.
Is there something I'm missing?
Could the
DNS query error ({domain}/CAA): SERVFAIL (2)
error mean something? I'm really struggling with this...
0 -
I'm saying that Contabo creates a default hostname when they create your server, which you likely overwrote very early on in the server's life. But the fact that you're seeing a rate limit related to their system tells me that there are still remnants of that hostname on the machine.
Once that is cleared, I'm guessing things will work fine.
0 -
You were right about the json. I renamed the files as indicated by the post you mentioned. I ran the script once more and now I have a bunch of DNS errors:
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
DNS query error ({domain.tld}/CAA): SERVFAIL (2)
The system will attempt to get a new certificate for the domains: {hostname}, autoconfig.{hostname}, autodiscover.{hostname}, cpanel.{hostname}, cpcalendars.{hostname}, cpcontacts.{hostname}, ipv6.{hostname}, mail.{hostname}, webdisk.{hostname}, webmail.{hostname}, whm.{hostname}, www.{hostname}
The system failed to validate domain control for the domain “webdisk.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for webdisk.{hostname}; no valid AAAA records found for webdisk.{hostname})
The system failed to validate domain control for the domain “cpcontacts.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpcontacts.{hostname}; no valid AAAA records found for cpcontacts.{hostname})
The system failed to validate domain control for the domain “webmail.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for webmail.{hostname}; no valid AAAA records found for webmail.{hostname})
The system failed to validate domain control for the domain “ipv6.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for ipv6.{hostname}; no valid AAAA records found for ipv6.{hostname})
The system failed to validate domain control for the domain “autodiscover.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for autodiscover.{hostname}; no valid AAAA records found for autodiscover.{hostname})
The system failed to validate domain control for the domain “whm.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for whm.{hostname}; no valid AAAA records found for whm.{hostname})
The system failed to validate domain control for the domain “autoconfig.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for autoconfig.{hostname}; no valid AAAA records found for autoconfig.{hostname})
The system failed to validate domain control for the domain “cpcalendars.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpcalendars.{hostname}; no valid AAAA records found for cpcalendars.{hostname})
The system failed to validate domain control for the domain “cpanel.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpanel.{hostname}; no valid AAAA records found for cpanel.{hostname})
The system failed to validate domain control for the domain “www.{hostname}” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for {domain.tld} - the domain's nameservers may be malfunctioning)
The system failed to validate domain control for the domain “{hostname}” using the “HTTP” DCV method: Timeout after 30 seconds!
The system failed to validate domain control for the domain “mail.{hostname}” using the “HTTP” DCV method: Timeout after 30 seconds!
Net::ACME2::X::ACME: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA” indicated an ACME error: 404 Not Found (404 urn:ietf:params:acme:error:malformed (The request message was malformed) (No such challenge)).
==> Net::ACME2::X::Generic::new('Net::ACME2::X::ACME', '“https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA” indicated an ACME error: 404 Not Found (404 urn:ietf:params:acme:error:malformed (The request message was malformed) (No such challenge)).', HASH(0x3b5b9c0)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/X/ACME.pm at line 68)
==> Net::ACME2::X::ACME::new('Net::ACME2::X::ACME', HASH(0x3b5b9c0)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/X/Tiny.pm at line 169)
==> X::Tiny::create('Net::ACME2::X', 'ACME', HASH(0x3b5b9c0)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm at line 214)
==> Net::ACME2::HTTP::_request(Net::ACME2::HTTP=HASH(0x2f49360), 'POST', 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA', HASH(0x39a4038), HASH(0x360b608)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm at line 236)
==> Net::ACME2::HTTP::_request_and_set_last_nonce(Net::ACME2::HTTP=HASH(0x2f49360), 'POST', 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA',HASH(0x39a4038), HASH(0x360b608)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm at line 119)
==> (eval)(Net::ACME2::HTTP=HASH(0x2f49360), 'POST', 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA', HASH(0x39a4038), HASH(0x360b608)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm at line 118)
==> Net::ACME2::HTTP::_post(Net::ACME2::HTTP=HASH(0x2f49360), 'create_key_id_jws', 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA', HASH(0x360b650)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm at line 96)
==> Net::ACME2::HTTP::post_key_id(Net::ACME2::HTTP=HASH(0x2f49360), 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA', HASH(0x360b650)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2.pm at line 605)
==> Net::ACME2::_post_url(Net::ACME2::LetsEncrypt=HASH(0x2efd3b0), 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/335795130187/dDCgYA', HASH(0x360b650)) (called in /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2.pm at line 418)
==> Net::ACME2::accept_challenge(Net::ACME2::LetsEncrypt=HASH(0x2efd3b0), Net::ACME2::Challenge::dns_01=HASH(0x3584038)) (called in /var/cpanel/perl/Cpanel/SSL/ACME/DCV.pm at line 164)
==> Cpanel::SSL::ACME::DCV::attempt_dns(Cpanel::SSL::ACME::DCV=HASH(0x2e39f90), CODE(0x2d53590), '{hostname}', 'autoconfig.{hostname}', 'autodiscover.{hostname}', 'cpanel.{hostname}', 'cpcalendars.{hostname}', 'cpcontacts.{hostname}', 'ipv6.{hostname}', 'mail.{hostname}', 'webdisk.{hostname}', 'webmail.{hostname}', 'whm.{hostname}', 'www.{hostname}') (called in bin/checkallsslcerts.pl at line 755)
==> bin::checkallsslcerts::_attempt_dcv_for_domains(bin::checkallsslcerts=HASH(0x1d90a20), Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x2a49330), '{hostname}', 'autoconfig.{hostname}', 'autodiscover.{hostname}', 'cpanel.{hostname}', 'cpcalendars.{hostname}', 'cpcontacts.{hostname}', 'ipv6.{hostname}', 'mail.{hostname}', 'webdisk.{hostname}', 'webmail.{hostname}', 'whm.{hostname}', 'www.{hostname}') (called in bin/checkallsslcerts.pl at line 609)
==> bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_lets_encrypt(bin::checkallsslcerts=HASH(0x1d90a20), 'cpanel') (called in bin/checkallsslcerts.pl at line 443)
==> bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x1d90a20), 'cpanel') (called in bin/checkallsslcerts.pl at line 114)
==> bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x1d90a20)) (called in bin/checkallsslcerts.pl at line 74)
...propagated at /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm, line 162
0 -
Hey, while it's not fixed, that is progress!
If you're not using all of those subdomains on the hostname, and it's unlikely you are, you can just remove them from the DNS zone.
0 -
Found the cause of the problem. The domain.tld part of the hostname didn't point to the correct ip address, so logically the certificate couldn't get authorized.
cPRex thank you so much for your time, you have been super helpful!
Kostas
0 -
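The thread hit three distinct DNS problems before the renewal worked: a SERVFAIL on the parent zone's CAA lookup, service subdomains with no A/AAAA records, and finally the hostname's domain pointing at the wrong IP address. Every failed attempt also consumes a Let's Encrypt order, which is how the rate limit in the first post was reached. The script below is an added example, not cPanel's code and not something from this thread; it pre-checks, for the same list of service names cPanel requests, that CAA lookups up the tree do not SERVFAIL and that every name resolves to the server's own address, so that checkallsslcerts is only re-run once the zone is actually correct. The resolver is injected so the script runs offline against a constructed zone that mirrors the thread's situation; in real use you would pass a function built on a DNS library such as dnspython (an assumption; it is not part of the example). The hostname and IP addresses are constructed placeholders.

```python
"""Pre-flight DNS check before re-running /usr/local/cpanel/bin/checkallsslcerts.

Added example (not cPanel's code). It reproduces the failure classes seen in
the thread so they can be found locally instead of by burning ACME orders.
"""
from dataclasses import dataclass

# Service subdomains cPanel requests on a hostname certificate, taken from the
# "attempt to get a new certificate for the domains" line of the script output.
SERVICE_PREFIXES = ("", "autoconfig.", "autodiscover.", "cpanel.", "cpcalendars.",
                    "cpcontacts.", "ipv6.", "mail.", "webdisk.", "webmail.", "whm.", "www.")


class Servfail(Exception):
    """Raised by the resolver when the authoritative servers answer SERVFAIL."""


@dataclass
class Finding:
    name: str
    status: str   # "ok", "no-address", "wrong-ip" or "caa-servfail"
    detail: str


def parent_zones(name):
    """The name and each parent zone above it, stopping before the bare TLD.
    A CA checking CAA walks up this chain, so a SERVFAIL at any level fails
    validation for everything below it."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def preflight(hostname, server_ips, resolve):
    """resolve(name, rtype) -> list of address strings, or raises Servfail.
    Returns one Finding per CAA problem plus one per requested name."""
    findings = []
    server_ips = set(server_ips)

    # 1. CAA: the thread's "DNS query error ({domain.tld}/CAA): SERVFAIL" case.
    for zone in parent_zones(hostname):
        try:
            resolve(zone, "CAA")
        except Servfail:
            findings.append(Finding(zone, "caa-servfail",
                                    "CAA lookup SERVFAILs; repair this zone's nameservers first"))

    # 2. HTTP DCV: the CA connects to whatever each name resolves to, so every
    #    requested name needs an A/AAAA record that points at this server.
    for prefix in SERVICE_PREFIXES:
        name = prefix + hostname
        addrs = set()
        for rtype in ("A", "AAAA"):
            try:
                addrs.update(resolve(name, rtype))
            except Servfail:
                pass  # for HTTP DCV a SERVFAIL is as bad as no record
        if not addrs:
            findings.append(Finding(name, "no-address",
                                    "no A/AAAA record; add one or drop the subdomain from the zone"))
        elif not addrs & server_ips:
            findings.append(Finding(name, "wrong-ip",
                                    f"resolves to {sorted(addrs)}, not this server"))
        else:
            findings.append(Finding(name, "ok", ""))
    return findings


def safe_to_retry(findings):
    """True only when nothing would make the next ACME order fail."""
    return all(f.status == "ok" for f in findings)


def summarize(findings):
    """Map each status to the list of names that have it, in check order."""
    by_status = {}
    for f in findings:
        by_status.setdefault(f.status, []).append(f.name)
    return by_status


# Constructed sample zone (placeholder names and addresses) that mirrors the
# thread: the parent zone SERVFAILs on CAA, most service subdomains have no
# records, and the hostname still points at a stale address.
SAMPLE_ZONE = {
    ("srv.example.net", "A"): ["203.0.113.9"],        # stale address
    ("mail.srv.example.net", "A"): ["203.0.113.9"],
    ("www.srv.example.net", "A"): ["198.51.100.7"],   # the server's real address
}
SAMPLE_SERVFAIL = {("example.net", "CAA")}


def sample_resolve(name, rtype):
    """Offline stand-in for a real resolver, answering from SAMPLE_ZONE."""
    if (name, rtype) in SAMPLE_SERVFAIL:
        raise Servfail(name)
    return SAMPLE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    results = preflight("srv.example.net", ["198.51.100.7"], sample_resolve)
    for f in results:
        if f.status != "ok":
            print(f"{f.status:13} {f.name}: {f.detail}")
    print("safe to retry:", safe_to_retry(results))
```

Run against the sample zone it reports the CAA SERVFAIL on example.net, flags srv.example.net and mail.srv.example.net as pointing at the wrong address (the thread's final root cause), lists nine subdomains with no records, and refuses to declare the zone safe to retry. Only when every finding is "ok" is it worth spending another Let's Encrypt order on checkallsslcerts.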
I'm glad to hear that helped!
0