Skip to main content

SSL certificate expiry notice... will expire in less than 30 day

Comments

36 comments

  • coffeeboyuk

    This problem seem to resolved itself. I went to reboot the server after some time to see if it takes ages for status to update  and Server Status all says it's "up".

    0
  • cPRex Jurassic Moderator

    Hey there!  It's normal for Service Status to take a few minutes for things to show up after a reboot.  In fact, there is specifically a delay after a reboot so it doesn't detect things as down and restart them unnecessarily.

    As for the SSL renewal, it will happen automatically when there are two days left on the current certificate, so you can just ignore those warnings.

    0
  • coffeeboyuk

    Hi,

     

    I notice when I went to check the certificate today at "Manage Service SSL Certificates" and the expiry date has reverted back to 9/5/24 from 2025, why did it do that?

    Also, for SSL certificate to renew automatically, should "Configure AutoSSL for Users on the Server" be set to "Manage AutoSSL?" because currently it is set to "Reset to Feature List Setting?"

     

    Kind regards,

     

    Leon

     

     

    0
  • coffeeboyuk

    By the way, it looks like 9/5/24 is the american standard date and just want to check the certificate for server host from the web browser and it is 05/09/2024 (Thu, 05 Sep 2024 14:09:44 GMT), but I'm still a little baffled that I'm sure I saw the year date of 2025?

    0
  • cPRex Jurassic Moderator

    The new hostname certificates are issued for three months, so that seems like a normal expiration date at this time.

    That setting for the users is fine also.

    0
  • coffeeboyuk

    Thanks for the prompt reply. It's reassuring to know.

    Something for CPANEL team to consider: Prehaps it might be wise to add in these email notifications that the certificate will automatically renew when there is two days left, because it gives the impression I have to manually go in and renew it. If I read that, I wouldn't go in manually renewed it myself. Maybe also add that, I can manually renew it at my convenience before expiry.

     

    Kind regards,

     

    Leon

    1
  • cPRex Jurassic Moderator

    I believe it does say that near the bottom of the email notification - something like "If this certificate remains installed on Nov 25, 2021, the system will attempt to replace it."

    1
  • bayden10

    coffeeboyuk I agree, and 2 days for host services renewal is a bit tight if something was to go sideways.

    Jim

    System email indicates manual cert install as soon as possible, nothing about will auto renew in number of days.
    (AlmaLinux v8.10.0 - cP v120.0.9)

     

    0
  • cPRex Jurassic Moderator

    Interesting - let me look into this a bit and I'll get you some more details soon.

    0
  • cPRex Jurassic Moderator

    I created case CPANEL-45617 so our developers can look into that wording and hopefully get that updated so it's less scary and less confusing in the future - thanks for bringing this up!

    2
  • Fahad Adnan

    I have the same issue the Manage Service SSL Certificates not renew and it's say will expire on 6/16/24, how to resolve this issue?

    Issuer: Let's Encrypt
    Key Size: 2048
    Expires: Sunday, June 16, 2024 at 12:03:27 PM UTC
    0
  • cPRex Jurassic Moderator

    They'll renew when it gets closer to the expiration.

    0
  • Enrique Delavau

    Hi there, i was going to create a new post but this already has the same issue i have...
    The SSL certificate for “exim” will exipre soon...

    Is there anyway to force renew these? Renewing two days before expiring doesnt look so good in case something happen.....

    0
  • cPRex Jurassic Moderator

    Sure - you can visit WHM >> Manage Service SSL Certificates, reset each one, and then run "/usr/local/cpanel/bin/checkallsslcerts" to force a renewal.

    0
  • splaquet

    I operate a handful of cPanel servers, so these new emails land in bulk and are REALLY annoying!


    I’d previously used the LetsEncrypt plugin for WHM & cPanel before cPanel offered their official integration.

    I believe it renewed certificates after 60 days, leaving a long grace period and preventing these annoying emails to myself and clients.

    Services or cPanel level, I never received any warnings that any certificates were expiring, unless they were actually in danger of expiring.

    IMO, their cPanel plugin was MUCH more intuitive than cPanel’s new offering. It was very clear on how you’d create individual certificates in any combination, or DNS for Wildcard certs.

    Everything “works”, but could be much better. Since they deprecated their cPanel plugin and stopped development, maybe integrate some of what they had into your new solution?

    0
  • cPRex Jurassic Moderator

    splaquet - I do have request CPANEL-45617 open to make the renewal notifications less confusing, and I'm hoping that helps.  I'm also working to get the renewal time extended so they new sooner.

    2
  • 4est

    Well, my server's certificates were about to expire tomorrow.

    And they were STILL not renewed!

    I did run /usr/local/cpanel/bin/checkallsslcerts  and this fixed it:  
    "The system will attempt to replace the certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider because the current certificate expires in less than 2 days."

    So it seems it ONLY renews them when there is less than 48 hours remaining, so that is really on the edge, since it had only ONE chance to renew them (tomorrow night)

    I don't like having things done really on the last minute...

    1
  • cPRex Jurassic Moderator

    Correct - I have case CPANEL-45628 open to get them renewed at a much earlier date, as I also agree that 2 days isn't enough.

    0
  • foxmedo

    I am experiencing the same issue. I tried to renew it, but we encountered another problem related to the datacenter domain name, which is blocked by Let's Encrypt. I searched everywhere to remove contaboserver.net from my files but couldn't find it. How can we renew this certificate solely for our hostname?

    Thank you in advance for your help

    I have waited until 07:00 to resolve my problem related to SSL generation, but this might happen again with the other servers. We need to understand how checkallsslcerts is working and from where it gets the list of domains

    Please note that my hostname is correct. When I searched for contaboserver.net on my server, I didn't find anything related

    [root@srv1 ~]# grep -rl 'contaboserver.net' /etc/
    [root@srv1 ~]# 

     

    [root@srv1 ~]# /usr/local/cpanel/bin/checkallsslcerts
    The system will check for the certificate for the “cpanel” service.
    The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
    The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
    None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
    The system will attempt to get a new certificate for the domains: srv1.alphahost.xyz, autoconfig.srv1.alphahost.xyz, autodiscover.srv1.alphahost.xyz, cpanel.srv1.alphahost.xyz, cpcalendars.srv1.alphahost.xyz, cpcontacts.srv1.alphahost.xyz, ipv6.srv1.alphahost.xyz, mail.srv1.alphahost.xyz, webdisk.srv1.alphahost.xyz, webmail.srv1.alphahost.xyz, whm.srv1.alphahost.xyz, www.srv1.alphahost.xyz, vmi1042232.contaboserver.net, autoconfig.vmi1042232.contaboserver.net, autodiscover.vmi1042232.contaboserver.net, cpanel.vmi1042232.contaboserver.net, cpcalendars.vmi1042232.contaboserver.net, cpcontacts.vmi1042232.contaboserver.net, ipv6.vmi1042232.contaboserver.net, mail.vmi1042232.contaboserver.net, webdisk.vmi1042232.contaboserver.net, webmail.vmi1042232.contaboserver.net, whm.vmi1042232.contaboserver.net, www.vmi1042232.contaboserver.net
    429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many certificates already issued for "contaboserver.net". Retry after 2024-06-19T06:00:00Z: see https://letsencrypt.org/docs/rate-limits/) at bin/checkallsslcerts.pl line 691.

    0
  • Hefin

    I agree with splaquet and 4est  two days is simply not enough time for renewal window if things go south.

    The emails regarding service account certificates expiry are quite simply bonkers. I've just received a fresh barrage of emails prompting for Dovecot, Exim, and cPanel SSL certificate renewal. You're essentially telling me, "Don't worry about it; keep receiving these aggressive emails for the next 28 days, then cross your fingers that the certification renewal does its thing in the final two days." Madness! And after the next 60 days, get prepared to do the same, ad infinitum! WebPros, April 1st is ages away!

    cPanel uses Let's Encrypt for its accounts, which creates an SSL certificate for 90 days and renews it 30 days before it expires. Why don't other service-level certifications do the same? I wholeheartedly agree that two days is simply not enough notice. Additionally, I echo the concerns that this email comes across as quite aggressive in trying to prompt action. The constant aggressive emails flooding my mailbox, especially three at a time for SSL and other certificates nearing expiry, are simply ridiculous.

    Let's Encrypt certificates for service-level accounts are arguably more important than account-level certifications, as invalid certification at the highest level has more potential to wreak havoc.

    cPRex , honestly, the WebPros/development team needs to change this two-day renewal timeframe joke; it's not funny.

    1
  • Rogerio Vitiello

    Hello,

    my server SSL will expire in 10 days... I found this topic.

    cPRex so what we need to do? Ok about CPANEL-45628 but what is the immediate fix?

    How can I renew manually without disturb the server in production?

    0
  • 4est

    wait until less than 2 days.

    then cross your fingers  :)

    1
  • cPRex Jurassic Moderator

    Rogerio Vitiello - that has already been answered earlier in this same thread :D

    0
  • Rogerio Vitiello

    Wait until 2 days and pray? 🙄

    or WHM >> Manage Service SSL Certificates, reset each one, and then run "/usr/local/cpanel/bin/checkallsslcerts" to force a renewal

    0
  • Hefin

    Great todays barrage emails landing in my inbox, yay:

    reminding me that I 

    So only another 26th days of getting email reminders to 'Install a new certificate as soon as possible'

    Oh no wait WebPros is saying there is nothing to do but keep receiving these emails until 2 days until expiry and then get on your knees and pray that nothing goes remotely wrong in 48 hours which of course it definitely won't as it's very rare for anything to go wrong in IT.   

    0
  • Hefin

    Rogerio Vitiello while that's a workaround, 60 days time you gotta do it all again and again and again....well unless you put it on a cron I suppose

    0
  • Rogerio Vitiello

    I admit this procedure makes me a little tense... 2 days really needs to be changed to at least 15 days. The idea of ​​resetting the certificate and executing a script manually is not viable.

    0
  • cPRex Jurassic Moderator

    Update - we've completed testing this in version 122 internally, and we'll be releasing it in version 120 soon!  At this point, if things go well, the plan will be to go with a 30-day renewal.

    2
  • Hefin

    hallelujah!  Awesome cPRex thanks for bending the ear of the powers that be!  I owe you a pint in Wales!

    Fingers crossed it goes through, OK.

    1

Please sign in to leave a comment.