
The Curious Incident of cPanel services CA change

Comments

11 comments

  • lm s

    🚬 

    0
  • rbairwell

    Point 1

    You do not change the CA that the checkallsslcerts script uses to produce a new cert for the cPanel services SSL certificate without proactively letting customers know about it, preferably in advance.

    According to the changelogs, on the 18th of January 2024 (for version 117.9999.78 onwards):

    Fixed case EK-46: Add a deprecation warning to the AutoSSL UI for the Sectigo provider.

    (with the default Sectigo provider being removed 2nd of April under the 119.9999.69 update).

    This move was also detailed on the features list (specifically "Let's Encrypt instead of Sectigo for AutoSSL and Hostnames").

    Point 2

    For Let's Encrypt – I don't know what your reason is for constantly and frequently changing the IPs that are resolved for r3.o.lencr.org.

    I can currently see 2 different IPv4 addresses for r3.o.lencr.org (and 2 different ones for IPv6) for that hostname; however, Let's Encrypt have previously said:

    Let's Encrypt CA does not want to announce particular IP addresses that are used in validation because of a desire to change them periodically (partly in order to make it harder for attackers to be able to cause misissuance). While you could figure out what addresses are currently used, they may change at any time and will not be documented. If you can't allow inbound connections from the general public to the service that you're trying to validate, you can use the DNS challenge type (which just requires letting the Let's Encrypt CA look up your DNS records associated with that name).

    (source https://community.letsencrypt.org/t/ip-addresses-le-is-validating-from-to-build-firewall-rule/5410/17 ) and also from https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server :

    What IP addresses does Let’s Encrypt use to validate my web server?

    We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

    0
  • cPRex Jurassic Moderator

    Could I get a short version of what problem this caused?  I haven't heard any complaints about the switch to Let's Encrypt related to the CA up until this post.

    0
  • eitanc

    The change of the cPanel services CA caused a change of the IPs the cPanel server needs to reach on the Internet; hence the new IPs were blocked by the firewall, which allows outgoing traffic only to specific IPs on the Internet, and this prevented the renewal of the cPanel services cert.

    I guess not many filter outgoing requests from backend servers to the Internet, which is why possibly not many complained about this change.

    0
  • cPRex Jurassic Moderator

    Thanks for the clarification!  As per the post that rbairwell shared, we don't have any control over the Let's Encrypt SSL IPs, which is in contrast to Sectigo, who do have a set list we cover here:

    https://support.cpanel.net/hc/en-us/articles/360053968633-What-IP-addresses-do-Sectigo-DCV-requests-originate-from

    I'm sorry this caused an interruption for you!

    0
  • ffeingol

    Or just buy a commercial cert (lots of places to get cheap certs), install it, and then only worry about it once a year?

    0
  • rbairwell

    Let's Encrypt do have some advice (from Aug 2016) about this:

    • For all challenge types: Allow outgoing traffic to acme-v01.api.letsencrypt.org on port 443 (HTTPS).
    • For HTTP-01 (for example via certbot's webroot plugin): Allow incoming traffic on port 80 (HTTP) from anywhere.

    However, if you are unable to do this but are running the popular CSF firewall suite, then you may be able to use the dyndns settings to allow Let's Encrypt (see this 2020 post for an example of inbound Let's Encrypt rules that used to work). If the problem is outbound, then:

    tcp|out|d=r3.o.lencr.org

    might work - although according to Let's Encrypt's documentation, the o.lencr.org subdomain is only used for OCSP confirmation and should only be used by web browsers (unless you have scripts using things such as wget/curl to fetch things from remote HTTPS sites - such as eCommerce payment confirmations - which might then trigger an OCSP check from the server; but this probably wouldn't happen during certificate renewal).

    If you are using a different firewall suite, then it might be a bit more tricky to add DNS entries as an allow list.

    0
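An added check, not rbairwell's or cPanel's code, for the outbound-filtering problem this thread describes: resolve the hosts an ACME renewal must reach and report any current address that the server's outbound allow-list no longer covers, so a CA-side IP change is noticed before the renewal fails. The hostnames, the CSF-style allow-list syntax it parses and the /etc/csf/csf.allow path are assumptions.

```python
import ipaddress
import socket

# Hosts an ACME client on the server must reach for renewal (assumption for this
# example; check your own client's documentation for the exact list).
ACME_HOSTS = ("acme-v02.api.letsencrypt.org", "r3.o.lencr.org")


def parse_allow_list(lines):
    """Collect every IP or CIDR found in allow-list lines, whether plain entries
    ('198.51.100.7') or CSF-style advanced entries ('tcp|out|d=443|d=1.2.3.4',
    an assumed format). Text after '#' is treated as a comment."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for token in line.split("|"):
            token = token.strip()
            if "=" in token:                      # strip 's=' / 'd=' prefixes
                token = token.split("=", 1)[1]
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                continue                          # protocol, flow or port token
    return nets


def system_resolver(host):
    """Return the set of IPv4/IPv6 address strings a hostname currently resolves to."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def find_uncovered(hosts, allow_nets, resolver=system_resolver):
    """Map each host to the sorted list of its current addresses that no allowed
    network matches. An empty dict means the allow-list still covers every host."""
    uncovered = {}
    for host in hosts:
        addrs = sorted((ipaddress.ip_address(a) for a in resolver(host)),
                       key=lambda ip: (ip.version, ip))   # v4 and v6 are not comparable
        missing = [str(ip) for ip in addrs if not any(ip in net for net in allow_nets)]
        if missing:
            uncovered[host] = missing
    return uncovered


if __name__ == "__main__":
    with open("/etc/csf/csf.allow") as f:          # assumed CSF allow-list path
        allow = parse_allow_list(f)
    for host, ips in find_uncovered(ACME_HOSTS, allow).items():
        print(f"{host}: not in allow-list: {', '.join(ips)}")
```

Run it from cron and alert on any output; a non-empty result means the CA's validation or API endpoints moved to addresses your egress filter will drop.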
  • eitanc

    cPRex, I am sure you understand that the issue here is not CP's totally OK lack of control over LE's IPs, but the fact that CP makes such fundamental changes and doesn't properly inform its customers about them.

    I am very sad to say that issues like this and others seen recently (like the version upgrade that forces a migration process when CP is on Ubuntu) point to CP degrading, and somewhat soon forcing its customers to look into migrating to other, alternative options.

    0
  • cPRex Jurassic Moderator

    I think I have to disagree about there being no communication about this, as this was a major change with announcements - most recently, our March newsletter included the change about Let's Encrypt.  If you aren't getting the cPanel newsletters you can sign up for those at https://cpanel.net/mailing-list/

    Our January newsletter also talks about how Let's Encrypt will be required in version 118.

    0
  • eitanc

    I see, is there a web archive for this newsletter?

    0
  • cPRex Jurassic Moderator

    Unfortunately we don't have them published online yet.  Our future plan is to have the email just be a link to an online version, but it hasn't happened quite yet!

    1
