Service SSL Certificates Expiring But Not Auto-Renewing
AnsweredHowdy! So last week cPanel started sending me notifications that the Service SSL Certificates (cpanel, dovecot, exim, ftp) will expire in less than 30 days (16 days at this point). This would affect the cert for my server's hostname as well as the hostname's subdomains autoconfig, autodiscover, cpanel, cpcalendars, cpcontacts, ipv6, mail, webdisk, webmail, whm, and www. I am running AlmaLinux v8.9.0 STANDARD virtuozzo, cPanel Version 120.0.5.
The emails say, "You need to install a new certificate as soon as possible," and then directs me to the Manage Service SSL Certificates page in WHM.
But isn't Let's Encrypt supposed to take care of this automatically? I'm confused about why this is happening and what to do. (FYI this server and hostname domain came online on March 7, so this looks like the first cert renewal for it.)
Other certs have been renewing as far as I can tell.
https://toolbox.googleapps.com/apps/dig/#A/ is not reporting any error on the hostname's domain.
I did run checkallsslcerts and got the following:
[root@server ~]# /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s certificate will expire soon (Jun 5, 2024). If this certificate remains installed on Jun 3, 2024, the system will attempt to replace it.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s certificate will expire soon (Jun 5, 2024). If this certificate remains installed on Jun 3, 2024, the system will attempt to replace it.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s certificate will expire soon (Jun 5, 2024). If this certificate remains installed on Jun 3, 2024, the system will attempt to replace it.
The system will check for the certificate for the “ftp” service.
The system will attempt to verify that the certificate for the “ftp” service is still valid using OCSP (Online Certificate Status Protocol).
The “ftp” service’s certificate will expire soon (Jun 5, 2024). If this certificate remains installed on Jun 3, 2024, the system will attempt to replace it.
So does it look like something is wrong with these certs getting automatically renewed? Is there some kind of misconfiguration?
Should I just ignore the email notification and expect it to renew on June 3?
What should I do?
Thanks!
-
Hey there! You can ignore this warning - this is just information and letting you know this will happen as the system will attempt the renewal on June 3. If this were a purchased certificate this warning would give you time to install a new one.
0 -
Excellent. Thanks so much!
0 -
Sure thing!
0 -
I have just upgraded many VMs to AlmaLinux 8. I started to get these emails and was also very concerned. Leaving only 2 days for auto-renewal before expiry seems very risky! If a real problem is present, it does not leave much time to catch it. The email is also not as clear as it could be. I was not sure if replacement means auto-renewal or self-signed replacement.
0 -
sideways - as long a everything is working well, two days should be plenty of time to renew a hostname certificate.
0
Please sign in to leave a comment.
Comments
5 comments