cPanel Service Certificates not renewing
Server has been altering me for some time to immediately renew the cpanel service certificates.
"You need to install a new certificate as soon as possible. You can do this with WHM’s “Manage Service SSL Certificates” interface at https://my.server:2087/scripts2/manageservicecrts."
The link does not work (missing cpseess in the url) and just gets a 401 error
Browsing to manageservicescerts has no way to renew a certificate.
running /usr/local/cpanel/bin/checkallsslcerts results in "The “cpanel” service’s certificate will expire soon (Jun 9, 2024). If this certificate remains installed on Jun 7, 2024, the system will attempt to replace it."
So if I read that right, the server is not going to attempt a renewal until June 7? what's with all the alerts then?
-> how do I increase the window? would prefer 7 days.
-> surely it should only be sending an alert if the renew attempt failed?
-
Hey there! After the change to Let's Encrypt the notifications are extra chatty - I'm looking into this to see if we can calm that down a bit.
In the mean time, no, there's nothing you need to do on the server as it will handle the renewal automatically.
0 -
I did want to say I created case CPANEL-44215 with our developers to see if we can improve/adjust/manage these notifications, and I'll be sure to post updates here once I get them!
1 -
ok great!
yeah whm has still retained some of the legacy setup from when the cpanel store did the certs and considers <30 days a problem that needs manual intervention. Aside from the notifications there are little yellow exclamation marks against the certs etc.
I think it just needs to be retuned for much lower number.
still I think 2 days is too short. almost no time to do anything about it should lets encrypt fail to renew the certs (and they do very occasionally). a week is good. :)
1 -
Agreed on all counts!
0 -
I've got about 10 servers that are all sending me alerts every other day (or so), so I'd love to see a solution to this sooner than later. Can we switch back to cPanel-issued certs so that they renew sooner?
0 -
There's no way to switch back to the previous system as that has been removed. I've stressed the importance of that case to our developers as much as I can.
0 -
Thank you!
0 -
Sure thing!
0 -
still getting alerts
Friday night of a long weekend. I really don't want to be fixing something on Sunday!
# date
Fri Jun 7 17:39:51 AEST 2024
# /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s certificate will expire soon (Jun 9, 2024). If this certificate remains installed on Jun 7, 2024, the system will attempt to replace it.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s certificate will expire soon (Jun 9, 2024). If this certificate remains installed on Jun 7, 2024, the system will attempt to replace it.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s certificate will expire soon (Jun 9, 2024). If this certificate remains installed on Jun 7, 2024, the system will attempt to replace it.
The system will check for the certificate for the “ftp” service.
The system will attempt to verify that the certificate for the “ftp” service is still valid using OCSP (Online Certificate Status Protocol).
The “ftp” service’s certificate will expire soon (Jun 9, 2024). If this certificate remains installed on Jun 7, 2024, the system will attempt to replace it.
0 -
The key sentence there is this guy:
"The “cpanel” service’s certificate will expire soon (Jun 9, 2024). If this certificate remains installed on Jun 7, 2024, the system will attempt to replace it."
so there's still nothing you need to do.
If you want to manually fix this you can go to WHM >> Manage Service SSL Certificates, and choose the "reset" option next to each certificate to install a self-signed cert, and then run /usr/local/cpanel/bin/checkallsslcerts to force the renewal to happen earlier, but you really shouldn't have to do anything.
0 -
they have renewed. :)
it was close of business on June 7 when I posted that. It's June 8 here now.
0 -
I had no doubt!
1 -
cPRex Can we get a status update on the case (CPANEL-44215)? All of my servers are now starting to send me emails and SMS messages every day complaining about their certificates expiring. I know I can go in and manually reset/re-issue them, but I really don't have time to deal with that....and that only gets me another 90 days until they begin nagging me again. I can't believe that there's not more folks on here looking for a solution to their "naggy" servers.
0 -
I'm facing the same problem as you guys, all my servers are spaming me regarding this, I really miss the option to force a renewal before the end date. Reset the cert to install a self signed cert and then a new one, can surely be avoided in order to prevent customers to see the ugly warning complaining about self signed cert during the process. Also as UI improvement and UEX, the yellow triangle on manageservicecrts page has a tooltip (that take a long time to appear by the way) that state my cert will expire in 20 days, but when you press on "Certificate Details" to see the information, there is another message saying that will expire in 19 days. Also the link "Certificate Details", that open a box with information that has a box with more information that open a box to more information... it's like... too many boxes. So please put some love on this. Finally, the email notification need a fix on the link, I thought for a moment that the email was a phishing one when fail.
1
Please sign in to leave a comment.
Comments
15 comments