SSL certificate expiry notice... will expire in less than 30 day
Hi,
I got an email to say my dovecot, exim, and cpanel will expire in less than 30 days.
So I went into my CPANEL via the link https://***** my domain *****:2087/scripts2/manageservicecrts (redacted domain) to reset the certificate but I notice when I reboot my server the Service Status in Home/Server Status/Service Status takes a good while to say it's "up" from "pending". Is this normal? Is something slowing my server down?
Kind regards,
Leon
-
This problem seems to have resolved itself. I went to reboot the server after some time to see if it takes ages for status to update and Server Status all says it's "up".
0 -
Hey there! It's normal for Service Status to take a few minutes for things to show up after a reboot. In fact, there is specifically a delay after a reboot so it doesn't detect things as down and restart them unnecessarily.
As for the SSL renewal, it will happen automatically when there are two days left on the current certificate, so you can just ignore those warnings.
0 -
Hi,
I notice when I went to check the certificate today at "Manage Service SSL Certificates" and the expiry date has reverted back to 9/5/24 from 2025, why did it do that?
Also, for SSL certificate to renew automatically, should "Configure AutoSSL for Users on the Server" be set to "Manage AutoSSL?" because currently it is set to "Reset to Feature List Setting?"
Kind regards,
Leon
0 -
By the way, it looks like 9/5/24 is the american standard date and just want to check the certificate for server host from the web browser and it is 05/09/2024 (Thu, 05 Sep 2024 14:09:44 GMT), but I'm still a little baffled that I'm sure I saw the year date of 2025?
0 -
The new hostname certificates are issued for three months, so that seems like a normal expiration date at this time.
That setting for the users is fine also.
0 -
Thanks for the prompt reply. It's reassuring to know.
Something for CPANEL team to consider: Perhaps it might be wise to add in these email notifications that the certificate will automatically renew when there are two days left, because it gives the impression I have to manually go in and renew it. If I read that, I wouldn't go in and manually renew it myself. Maybe also add that I can manually renew it at my convenience before expiry.
Kind regards,
Leon
1 -
I believe it does say that near the bottom of the email notification - something like "If this certificate remains installed on Nov 25, 2021, the system will attempt to replace it."
1 -
coffeeboyuk I agree, and 2 days for host services renewal is a bit tight if something was to go sideways.
Jim
System email indicates manual cert install as soon as possible, nothing about will auto renew in number of days.
(AlmaLinux v8.10.0 - cP v120.0.9)
0 -
Interesting - let me look into this a bit and I'll get you some more details soon.
0 -
I created case CPANEL-45617 so our developers can look into that wording and hopefully get that updated so it's less scary and less confusing in the future - thanks for bringing this up!
2 -
I have the same issue: the Manage Service SSL Certificates do not renew and it says it will expire on 6/16/24. How to resolve this issue?
Issuer: Let's Encrypt Key Size: 2048 Expires: Sunday, June 16, 2024 at 12:03:27 PM UTC
0 -
They'll renew when it gets closer to the expiration.
0 -
Hi there, I was going to create a new post but this already has the same issue I have...
The SSL certificate for “exim” will expire soon...
Is there any way to force renew these? Renewing two days before expiring doesn't look so good in case something happens.....
0 -
Sure - you can visit WHM >> Manage Service SSL Certificates, reset each one, and then run "/usr/local/cpanel/bin/checkallsslcerts" to force a renewal.
0 -
I operate a handful of cPanel servers, so these new emails land in bulk and are REALLY annoying!
I’d previously used the LetsEncrypt plugin for WHM & cPanel before cPanel offered their official integration. I believe it renewed certificates after 60 days, leaving a long grace period and preventing these annoying emails to myself and clients.
Services or cPanel level, I never received any warnings that any certificates were expiring, unless they were actually in danger of expiring.
IMO, their cPanel plugin was MUCH more intuitive than cPanel’s new offering. It was very clear on how you’d create individual certificates in any combination, or DNS for Wildcard certs.
Everything “works”, but could be much better. Since they deprecated their cPanel plugin and stopped development, maybe integrate some of what they had into your new solution?
0 -
splaquet - I do have request CPANEL-45617 open to make the renewal notifications less confusing, and I'm hoping that helps. I'm also working to get the renewal time extended so they renew sooner.
2 -
Well, my server's certificates were about to expire tomorrow.
And they were STILL not renewed!
I did run /usr/local/cpanel/bin/checkallsslcerts and this fixed it:
"The system will attempt to replace the certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider because the current certificate expires in less than 2 days."
So it seems it ONLY renews them when there is less than 48 hours remaining, so that is really on the edge, since it had only ONE chance to renew them (tomorrow night)
I don't like having things done really on the last minute...
1 -
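An independent check of the certificates the services actually serve, using the 30-day notice and 2-day replacement thresholds described in this thread. This is an added example, not cPanel code; the function names are hypothetical, and the ports in the comment (2087 for WHM as in the first post, 465 and 993 as the usual implicit-TLS ports for exim and dovecot) are assumptions about the server's configuration.

```python
import socket
import ssl
from datetime import datetime, timezone

NOTICE_DAYS = 30  # per the thread: expiry e-mails start under 30 days
RENEW_DAYS = 2    # per the thread: automatic replacement only under 2 days

def days_left(not_after, now):
    """Whole days from `now` to an OpenSSL-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def classify(days):
    if days < 0:
        return "EXPIRED"
    if days < RENEW_DAYS:
        return "RENEWAL-WINDOW"  # the nightly replacement should be happening now
    if days < NOTICE_DAYS:
        return "NOTICE"          # e-mails are being sent, nothing renews yet
    return "OK"

def probe(host, port, timeout=5.0):
    """Return notAfter of the certificate served on host:port (implicit TLS)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check(host, ports, now=None):
    """Map each port to a status string; never raises on a bad certificate."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for port in ports:
        try:
            results[port] = classify(days_left(probe(host, port), now))
        except ssl.SSLCertVerificationError as exc:
            # Already expired, self-signed or wrong name: clients see this too.
            results[port] = "INVALID: " + exc.verify_message
        except OSError as exc:
            results[port] = "UNREACHABLE: " + str(exc)
    return results

if __name__ == "__main__":
    # Placeholder hostname; assumed ports: 2087 WHM, 465 exim, 993 dovecot.
    for port, status in check("server.example.com", [2087, 465, 993]).items():
        print(port, status)
```

Run from a host other than the server itself, anything other than OK or NOTICE is the cue to reset the certificate and run checkallsslcerts as described earlier in the thread.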
Correct - I have case CPANEL-45628 open to get them renewed at a much earlier date, as I also agree that 2 days isn't enough.
0 -
I am experiencing the same issue. I tried to renew it, but we encountered another problem related to the datacenter domain name, which is blocked by Let's Encrypt. I searched everywhere to remove contaboserver.net from my files but couldn't find it. How can we renew this certificate solely for our hostname?
Thank you in advance for your help
I have waited until 07:00 to resolve my problem related to SSL generation, but this might happen again with the other servers. We need to understand how checkallsslcerts is working and from where it gets the list of domains
Please note that my hostname is correct. When I searched for contaboserver.net on my server, I didn't find anything related
[root@srv1 ~]# grep -rl 'contaboserver.net' /etc/
[root@srv1 ~]#
[root@srv1 ~]# /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
The system will attempt to get a new certificate for the domains: srv1.alphahost.xyz, autoconfig.srv1.alphahost.xyz, autodiscover.srv1.alphahost.xyz, cpanel.srv1.alphahost.xyz, cpcalendars.srv1.alphahost.xyz, cpcontacts.srv1.alphahost.xyz, ipv6.srv1.alphahost.xyz, mail.srv1.alphahost.xyz, webdisk.srv1.alphahost.xyz, webmail.srv1.alphahost.xyz, whm.srv1.alphahost.xyz, www.srv1.alphahost.xyz, vmi1042232.contaboserver.net, autoconfig.vmi1042232.contaboserver.net, autodiscover.vmi1042232.contaboserver.net, cpanel.vmi1042232.contaboserver.net, cpcalendars.vmi1042232.contaboserver.net, cpcontacts.vmi1042232.contaboserver.net, ipv6.vmi1042232.contaboserver.net, mail.vmi1042232.contaboserver.net, webdisk.vmi1042232.contaboserver.net, webmail.vmi1042232.contaboserver.net, whm.vmi1042232.contaboserver.net, www.vmi1042232.contaboserver.net
429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many certificates already issued for "contaboserver.net". Retry after 2024-06-19T06:00:00Z: see https://letsencrypt.org/docs/rate-limits/) at bin/checkallsslcerts.pl line 691.
0 -
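One way to read the output quoted above: list which requested names fall outside the intended hostname and which of them sit under the rate-limited zone. This is an added example, not part of the original post or of cPanel; the function names are hypothetical and the sample is a shortened, constructed copy of the quoted lines.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two relevant lines of the output quoted above,
# with the domain list shortened.
SAMPLE = (
    "The system will attempt to get a new certificate for the domains: "
    "srv1.alphahost.xyz, mail.srv1.alphahost.xyz, whm.srv1.alphahost.xyz, "
    "vmi1042232.contaboserver.net, mail.vmi1042232.contaboserver.net\n"
    "429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate "
    'limit) (Error creating new order :: too many certificates already issued '
    'for "contaboserver.net". Retry after 2024-06-19T06:00:00Z: see '
    "https://letsencrypt.org/docs/rate-limits/) at bin/checkallsslcerts.pl line 691.\n"
)

DOMAINS_RE = re.compile(r"new certificate for the domains:\s*(.+)")
LIMIT_RE = re.compile(
    r'rateLimited.*?already issued for "([^"]+)"\. '
    r"Retry after (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
)

def under(name, zone):
    """True if `name` is `zone` itself or a subdomain of it."""
    return name == zone or name.endswith("." + zone)

def requested_domains(output):
    m = DOMAINS_RE.search(output)
    if not m:
        return []
    return [d.strip().lower() for d in m.group(1).split(",") if d.strip()]

def audit(output, hostname):
    hostname = hostname.lower().rstrip(".")
    names = requested_domains(output)
    report = {
        "expected": [d for d in names if under(d, hostname)],
        "foreign": [d for d in names if not under(d, hostname)],
        "rate_limited_zone": None, "retry_after": None, "blocking": [],
    }
    m = LIMIT_RE.search(output)
    if m:
        zone = m.group(1).lower()
        report["rate_limited_zone"] = zone
        report["retry_after"] = datetime.strptime(
            m.group(2), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        report["blocking"] = [d for d in names if under(d, zone)]
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "srv1.alphahost.xyz").items():
        print(f"{key}: {value}")
```

On the sample, every name in `foreign` is also in `blocking`: the order fails only because of names under the provider's zone, not because of the server's own hostname.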
foxmedo - can you use the details here to remove that old hostname?
0 -
I agree with splaquet and 4est two days is simply not enough time for renewal window if things go south.
The emails regarding service account certificates expiry are quite simply bonkers. I've just received a fresh barrage of emails prompting for Dovecot, Exim, and cPanel SSL certificate renewal. You're essentially telling me, "Don't worry about it; keep receiving these aggressive emails for the next 28 days, then cross your fingers that the certification renewal does its thing in the final two days." Madness! And after the next 60 days, get prepared to do the same, ad infinitum! WebPros, April 1st is ages away!
cPanel uses Let's Encrypt for its accounts, which creates an SSL certificate for 90 days and renews it 30 days before it expires. Why don't other service-level certifications do the same? I wholeheartedly agree that two days is simply not enough notice. Additionally, I echo the concerns that this email comes across as quite aggressive in trying to prompt action. The constant aggressive emails flooding my mailbox, especially three at a time for SSL and other certificates nearing expiry, are simply ridiculous.
Let's Encrypt certificates for service-level accounts are arguably more important than account-level certifications, as invalid certification at the highest level has more potential to wreak havoc.
cPRex , honestly, the WebPros/development team needs to change this two-day renewal timeframe joke; it's not funny.
1 -
Hello,
my server SSL will expire in 10 days... I found this topic.
cPRex so what we need to do? Ok about CPANEL-45628 but what is the immediate fix?
How can I renew manually without disturbing the server in production?
0 -
wait until less than 2 days.
then cross your fingers :)
1 -
Rogerio Vitiello - that has already been answered earlier in this same thread :D
0 -
Wait until 2 days and pray? 🙄
or WHM >> Manage Service SSL Certificates, reset each one, and then run "/usr/local/cpanel/bin/checkallsslcerts" to force a renewal
0 -
Great todays barrage emails landing in my inbox, yay:
reminding me that I
So only another 26 days of getting email reminders to 'Install a new certificate as soon as possible'
Oh no wait WebPros is saying there is nothing to do but keep receiving these emails until 2 days until expiry and then get on your knees and pray that nothing goes remotely wrong in 48 hours which of course it definitely won't as it's very rare for anything to go wrong in IT.
0 -
Rogerio Vitiello while that's a workaround, 60 days time you gotta do it all again and again and again....well unless you put it on a cron I suppose
0 -
I admit this procedure makes me a little tense... 2 days really needs to be changed to at least 15 days. The idea of resetting the certificate and executing a script manually is not viable.
0 -
Update - we've completed testing this in version 122 internally, and we'll be releasing it in version 120 soon! At this point, if things go well, the plan will be to go with a 30-day renewal.
2 -
hallelujah! Awesome cPRex thanks for bending the ear of the powers that be! I owe you a pint in Wales!
Fingers crossed it goes through, OK.
1