
SSL for WHM self-signed

Comments

17 comments

  • cPRex Jurassic Moderator

    Hey there!  You should run the following command on the server and note any errors in the output:

    /usr/local/cpanel/bin/checkallsslcerts


    0
  • lm s

    Hello everyone, I am having a recurring problem on different servers. Currently, the hostname certificate expired on 04/17, and it could not be renewed on any of the previous attempts before the expiration. I have already deleted the record of old certificates, but when I try to run the command suggested by cPanel "/usr/local/cpanel/bin/checkallsslcerts", it returns the following error in the console:

    [root@example ~]# /usr/local/cpanel/bin/checkallsslcerts --allow-retry
    The system will check for the certificate for the “cpanel” service.
    The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
    The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
    None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
    DNS query error (hostname.com/CAA): SERVFAIL (2)
    The system will attempt to get a new certificate for the domains: sub.hostname.com, autoconfig.sub.hostname.com, autodiscover.sub.hostname.com, cpanel.sub.hostname.com, cpcalendars.sub.hostname.com, cpcontacts.sub.hostname.com, ipv6.sub.hostname.com, mail.sub.hostname.com, webdisk.sub.hostname.com, webmail.sub.hostname.com, whm.sub.hostname.com, www.sub.hostname.com
    The system failed to validate domain control for the domain “autoconfig.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for autoconfig.sub.hostname.com; no valid AAAA records found for autoconfig.sub.hostname.com)
    The system failed to validate domain control for the domain “cpanel.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpanel.sub.hostname.com; no valid AAAA records found for cpanel.sub.hostname.com)
    The system failed to validate domain control for the domain “mail.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “www.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “cpcontacts.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpcontacts.sub.hostname.com; no valid AAAA records found for cpcontacts.sub.hostname.com)
    The system failed to validate domain control for the domain “whm.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for whm.sub.hostname.com; no valid AAAA records found for whm.sub.hostname.com)
    The system failed to validate domain control for the domain “cpcalendars.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpcalendars.sub.hostname.com; no valid AAAA records found for cpcalendars.sub.hostname.com)
    The system failed to validate domain control for the domain “webmail.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for webmail.sub.hostname.com; no valid AAAA records found for webmail.sub.hostname.com)
    The system failed to validate domain control for the domain “ipv6.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for ipv6.sub.hostname.com; no valid AAAA records found for ipv6.sub.hostname.com)
    The system failed to validate domain control for the domain “webdisk.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for webdisk.sub.hostname.com; no valid AAAA records found for webdisk.sub.hostname.com)
    The system failed to validate domain control for the domain “sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “autodiscover.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for autodiscover.sub.hostname.com; no valid AAAA records found for autodiscover.sub.hostname.com)
    The system failed to validate domain control for the domain “mail.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “www.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “autoconfig.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “cpanel.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “autodiscover.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “whm.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “cpcalendars.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “cpcontacts.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “ipv6.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “webdisk.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    The system failed to validate domain control for the domain “webmail.sub.hostname.com” using the “DNS” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
    “sub.hostname.com” failed DCV. Cannot proceed.
    0
  • WF

    I have replaced "myhostname" where the ip address or portion of the hostname actually shows in the results:

    The system will check for the certificate for the “cpanel” service.
    The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
    The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
    None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
    The system will attempt to get a new certificate for the domains: myhostname, autoconfig.myhostname, autodiscover.myhostname.cprapid.com, cpanel.myhostname.cprapid.com, cpcalendars.myhostname.cprapid.com, cpcontacts.myhostname.cprapid.com, ipv6.myhostname.cprapid.com, mail.myhostname.cprapid.com, webdisk.myhostname.cprapid.com, webmail.myhostname.cprapid.com, whm.myhostname.cprapid.com, www.myhostname.cprapid.com
    The system failed to validate domain control for the domain “cpanel.myhostname.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (myhostname: Invalid response from http://cpanel.myhostname.cprapid.com/.well-known/acme-challenge/H5PURZpApdE3FNnTCkVU-xd0N8UqjAkMhg-YCOV8Xpc: 400)
    The system failed to validate domain control for the domain “webmail.myhostname.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (myhostname: Invalid response from http://webmail.myhostname.cprapid.com/.well-known/acme-challenge/78bH-faXp6mJWczkRPZ-FODXJcZFq90w-JmGKGA7tbc: 400)
    The system failed to validate domain control for the domain “cpcontacts.myhostname.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (myhostname: Invalid response from http://cpcontacts.myhostname.cprapid.com/.well-known/acme-challenge/Efi4BovI3_4oMm2SrcukCTGu-8WB6MaWvrXEQvbv0xU: 400)
    The system failed to validate domain control for the domain “cpcalendars.myhostname.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (myhostname: Invalid response from http://cpcalendars.myhostname.cprapid.com/.well-known/acme-challenge/QhwDTSddnuNPLfk64dK6g4JFFC--Gf36K_2BLFxcR04: 400)
    The system failed to validate domain control for the domain “webdisk.myhostname.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (myhostname: Invalid response from http://webdisk.myhostname.cprapid.com/.well-known/acme-challenge/q9CwjlzuCT58a2e4RRmL6GFtTzxPRca6X-ta0Zilh34: 400)
    The system failed to validate domain control for the domain “whm.myhostname.cprapid.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (myhostname: Invalid response from http://whm.myhostname.cprapid.com/.well-known/acme-challenge/tYJie9etwjMAasMuMYkXz9UzFbQDJ-bAVxG5cMl-Cl4: 400)
    The system failed to validate domain control for the domain “cpcalendars.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.cpcalendars.myhostname.cprapid.com)
    The system failed to validate domain control for the domain “webmail.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.webmail.myhostname.cprapid.com)
    The system failed to validate domain control for the domain “whm.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.whm.myhostname.cprapid.com)
    The system failed to validate domain control for the domain “cpanel.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.cpanel.myhostname.cprapid.com)
    The system failed to validate domain control for the domain “cpcontacts.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.cpcontacts.myhostname.cprapid.com)
    The system failed to validate domain control for the domain “webdisk.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.webdisk.myhostname.cprapid.com)
    The system validated domain control for the “mail.myhostname.cprapid.com” domain using the “HTTP” DCV method.
    The system validated domain control for the “autoconfig.myhostname.cprapid.com” domain using the “HTTP” DCV method.
    The system validated domain control for the “ipv6.myhostname.cprapid.com” domain using the “HTTP” DCV method.
    The system validated domain control for the “myhostname.cprapid.com” domain using the “HTTP” DCV method.
    The system validated domain control for the “www.myhostname.cprapid.com” domain using the “HTTP” DCV method.
    The system validated domain control for the “autodiscover.myhostname.cprapid.com” domain using the “HTTP” DCV method.
    Attempting to verify your certificate.....
    Querying Apache TLS for installations of the previous certificate …
    The system will check for the certificate for the “dovecot” service.
    The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the “Let’s Encrypt™” provider.
    The system will attempt to install a certificate for the “dovecot” service from the system SSL storage.
    The system will use the signed certificate for the hostname, on the “dovecot” service, that it found in the system’s SSL datastore.
    Attempting to verify your certificate.....
    The system will check for the certificate for the “exim” service.
    The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the “Let’s Encrypt™” provider.
    The system will attempt to install a certificate for the “exim” service from the system SSL storage.
    The system will use the signed certificate for the hostname, on the “exim” service, that it found in the system’s SSL datastore.
    Attempting to verify your certificate.....

    0
  • cPRex Jurassic Moderator

    lm s - that output indicates a DNS error with the hostname.  Do you see anything odd when you check the main domain using a tool like intodns.com?

    WF - have you changed the hostname from the cprapid.com domain to a valid hostname?

    0
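    The two checkallsslcerts transcripts above fail for different reasons (a parent zone whose nameservers SERVFAIL on CAA lookups versus a hostname with no usable zone or address records), and the failure lines are regular enough to triage mechanically. The following Python script is an added example, not cPanel's code and not posted by either participant; the cause-bucket names, the ADVICE mapping and the SAMPLE lines are constructed from the output quoted in this thread.

```python
# Triage helper for /usr/local/cpanel/bin/checkallsslcerts output (added example,
# not cPanel code): parse the DCV result lines and group blocked names by cause.
import re
from collections import defaultdict

# One regex covers both the “HTTP” and “DNS” DCV failure lines.  "DCV ?method"
# tolerates the run-together "DCVmethod" that appears in copy-pasted output.
FAIL_RE = re.compile(
    r'failed to validate domain control for the domain “(?P<domain>[^”]+)” '
    r'using the “(?P<method>HTTP|DNS)” DCV ?method: (?P<status>\d{3}) '
    r'(?P<err>urn:ietf:params:acme:error:\w+) \([^)]*\) \((?P<detail>.*)\)$')
OK_RE = re.compile(r'validated domain control for the “(?P<domain>[^”]+)” domain')

# Cause bucket -> what to check first (constructed from the thread's two cases).
ADVICE = {
    "caa_servfail": "parent zone's nameservers SERVFAIL on CAA; fix parent DNS first",
    "no_address_record": "no A/AAAA for the name; add the hostname's A entry in WHM",
    "no_txt_record": "DNS-01 token never published; hostname zone not served here",
    "http_bad_response": "name resolves but challenge URL errored; check A target",
}

def classify(detail):
    """Map the trailing parenthesised detail of a failure line to a cause bucket."""
    if "SERVFAIL" in detail and "CAA" in detail:
        return "caa_servfail"
    if "no valid A records" in detail or "no valid AAAA records" in detail:
        return "no_address_record"
    if "No TXT record found" in detail:
        return "no_txt_record"
    if "/.well-known/acme-challenge/" in detail:
        return "http_bad_response"
    return "other"

def triage(output):
    """Return per-domain causes, names that validated, and names blocking issuance."""
    causes, validated = defaultdict(dict), set()
    for line in output.splitlines():
        m = FAIL_RE.search(line.strip())
        if m:
            causes[m["domain"]][m["method"]] = classify(m["detail"])
            continue
        m = OK_RE.search(line)
        if m:
            validated.add(m["domain"])
    # A name blocks issuance only if no DCV method succeeded for it.
    blocked = sorted(d for d in causes if d not in validated)
    return {"causes": dict(causes), "validated": sorted(validated), "blocked": blocked}

# Constructed sample: one line of each kind seen in the two transcripts above.
SAMPLE = """\
The system failed to validate domain control for the domain “mail.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
The system failed to validate domain control for the domain “whm.sub.hostname.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for whm.sub.hostname.com; no valid AAAA records found for whm.sub.hostname.com)
The system failed to validate domain control for the domain “whm.sub.hostname.com” using the “DNS” DCVmethod: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for hostname.com - the domain's nameservers may be malfunctioning)
The system failed to validate domain control for the domain “cpanel.myhostname.cprapid.com” using the “DNS” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (No TXT record found at _acme-challenge.cpanel.myhostname.cprapid.com)
The system validated domain control for the “mail.myhostname.cprapid.com” domain using the “HTTP” DCV method.
"""

if __name__ == "__main__":
    res = triage(SAMPLE)
    for d in res["blocked"]:
        for method, cause in res["causes"][d].items():
            print(f"{d} [{method}] {cause}: {ADVICE.get(cause, 'inspect manually')}")
```

    Feed it the real output with `/usr/local/cpanel/bin/checkallsslcerts --allow-retry 2>&1 | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; names that appear in `blocked` with only `caa_servfail` point at the parent domain's nameservers, not at this server.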
  • WF

    The result from intodns is: I get

    Can't get nameservers at parent server!
    I only check domains not subdomains!

    Would I need to change the hostname?

    0
  • cPRex Jurassic Moderator

    Yes, you would only be able to check domain.com using online tools.

    You should not be using the cprapid hostname on the machine long-term.  https://support.cpanel.net/hc/en-us/articles/360061167093-How-to-change-the-server-s-hostname-from-WHM

    0
  • WF

    Without making any changes, now it is magically working. Maybe when I ran that command, it finally updated. 

    0
  • cPRex Jurassic Moderator

    Glad to hear it!

    0
  • lm s


    Thank you very much, cPRex, for your contribution. From intodns, I see all the records correct and working. From the terminal, the hostname also returns the main IP of the server as always. Nothing has changed. The only issue is that the main certificate has expired, and the server does not seem to be able to renew it due to the errors returned by the command. Is this a known problem with Let's Encrypt as an SSL hostname provider? Or what could be happening? What other aspects of the server can I check to rule out additional problems?
    Thank you. I'm really lost on this issue; it's strange that the certificate renewal has been attempted for 30 days without success, and now we are at a point where the server has an expired SSL for the hostname, a significant problem that affects services like nginx, among others.

    0
  • cPRex Jurassic Moderator

    What happens if you run the following command from the server?  Does that show the correct IP for the hostname?

    /scripts/cpdig your.hostname.com A --verbose

    You'll just need to replace that with your actual hostname.

    0
  • WF

    I know what I did differently. I went to DNS Functions and added an entry for your hostname. That is the only thing I can think of that I have done differently. Forgot about that.

    0
  • lm s

    Indeed, the result is the server's main IP (it has always been the same, and the hostname as well), and it responds well:

    [root@example ~]# /scripts/cpdig sub.example-hostname.com A --verbose
    [1713457938] libunbound[35606:0] notice: init module 0: validator
    [1713457938] libunbound[35606:0] notice: init module 1: iterator
    [1713457938] libunbound[35606:0] info: resolving sub.example-hostname.com. A IN
    [1713457938] libunbound[35606:0] info: priming . IN NS
    [1713457938] libunbound[35606:0] info: response for . NS IN
    [1713457938] libunbound[35606:0] info: reply from <.> xxx.x.xx.xx#53
    [1713457938] libunbound[35606:0] info: query response was ANSWER
    [1713457938] libunbound[35606:0] info: priming successful for . NS IN
    [1713457938] libunbound[35606:0] info: response for sub.example-hostname.com. A IN
    [1713457938] libunbound[35606:0] info: reply from <.> xxx.xx.xxx.xx#53
    [1713457938] libunbound[35606:0] info: query response was REFERRAL
    [1713457938] libunbound[35606:0] info: response for sub.example-hostname.com. A IN
    [1713457938] libunbound[35606:0] info: reply from <com.> xxxx:xxx:xxxx::xx#53
    [1713457938] libunbound[35606:0] info: query response was REFERRAL
    [1713457938] libunbound[35606:0] info: resolving ns2.example-hostname.com. AAAA IN
    [1713457938] libunbound[35606:0] info: resolving ns1.example-hostname.com. AAAA IN
    [1713457938] libunbound[35606:0] info: response for sub.example-hostname.com. A IN
    [1713457938] libunbound[35606:0] info: reply from <example-hostname.com.> xxx.xxx.xxx.xxx#53
    [1713457938] libunbound[35606:0] info: query response was ANSWER
    xxx.xxx.xxx.xxx

    0
  • cPRex Jurassic Moderator

    Well, that looks good at least.  It's likely time to open a ticket so we can take a look at the system directly.

    0
  • lm s

    I understand. Unfortunately, cPanel changed its policies and since my server's license was purchased through GoDaddy, they no longer provide support via ticket. My provider does not offer support for these types of server software issues. That's why I'm reaching out here to see if anyone else has been experiencing these problems when trying to renew an expired hostname certificate. Thank you

    0
  • cPRex Jurassic Moderator

    If your license provider isn't providing support, could you email cs@cpanel.net so we can look into that for you?

    Can you try adding an A entry for the hostname to see if that gets things working? https://support.cpanel.net/hc/en-us/articles/22913165191575-checkallsslcerts-LetsEncrypt-error-if-DNS-Zone-is-not-present-for-the-hostname

    0
  • lm s

    Thank you for the information. I sent an email last month but never received a response. How can I get technical support for this issue (which remains unresolved and is urgent) regarding the license that I am hiring and paying for every month?

    0
  • cPRex Jurassic Moderator

    If your license is purchased through us you can submit a ticket directly from WHM.

    0
