Mismatch about when services certificate will be renewed
Hello,
I began getting emails saying:
"
The SSL certificate for “<service-name>” on “<cp-server-fqdn>” will expire in less than 30 days.
You need to install a new certificate as soon as possible.
"
But if I run, at the terminal, the command of the script for updating the services cert:
/usr/local/cpanel/bin/checkallsslcerts --verbose
I get:
"
The “<service-name>” service’s certificate will expire soon (Jun 28, 2024). If this certificate remains installed on Jun 26, 2024, the system will attempt to replace it.
"
So, it looks like a mismatch - The email asks me to replace the cert ASAP, but the script does not allow me to manually run the update process and claims it will do it automatically two days before the cert will expire.
So, what is going on here?
-
Hey there! This is a known issue with the notifications that we're working on resolving, specifically case CPANEL-45617, which is titled '"Service SSL Certificate Expires Soon" messages do not say it will attempt an automatic renewal, confusing customers and generating support tickets', so once that is taken care of they will be more clear for users.
For the time being you don't need to do anything as the certificate will renew automatically.
0 -
Same issue here but dated June 18th. I tried running /usr/local/cpanel/bin/checkallsslcerts and it says it will not renew until 3 days before (15th). 3 days is too short. Been burned a few years back on a different issue where cPanel refused to update the service certs until the last 3 days and then it failed, resulting in a 24 period of no cert, and many angry customers.
Is there a way to force these service certs to update right now? They are with Let's Encrypt.
0 -
You can visit WHM >> Manage Service SSL Certificates, click Reset next to each one, and then run checkallsslcerts again to force a new cert to be installed.
0 -
Thanks cPRex.
1. Where can I read CPANEL-45617?
2. I think CP needs to understand that some customers wish to control when the cert is renewed, not waiting for the last moment.
Please consider letting us manually change the cert replace time-before threshold, to avoid last minute emergencies and stress.
3. Also, it would be nice to add to the warning email of X days for the services certs change - the above text you added, how to manually initiate a cert replace, so customers will be directed how to renew the cert manually at the time that is good for them.
0 -
1 - there is no public way to view that
2 - at this point we don't plan to create a selectable renewal time, but I do want to see that extended to at least 10-15 days.
3 - In theory, it *should* never have to be manually renewed.
Instead of adding the details to the message, what if that message simply didn't send at all until the renewal happened? I'm not sure there is a benefit in emailing users 30 days out when the certificate will hopefully soon be auto-renewed at day 15. Does that make sense?
0 -
I like that theory, but that is if all is perfect and fits all customers' use cases, and we know it is never so, especially when the warning email is way too soon before the cert change.
I agree that a 10-15 day window for the actual change before the expiration is much better.
It makes sense to send that email only a few days before the actual change, one week tops.
Today's state is annoying and harassing.
0 -
Exactly - I'm trying to get that process improved significantly in the near future!
0
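An independent check for the gap discussed in this thread, as an added example that is not cPanel's code or part of any post: it reads the certificate a service actually presents and reports whether it sits in the notice-only period (e-mails arrive, no automatic renewal yet) or inside the renewal window. The 30-day and 3-day thresholds are the figures quoted in the posts; the host and ports passed on the command line are whichever service endpoints you choose to monitor.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

NOTICE_DAYS = 30  # notice e-mail threshold quoted in the thread
RENEW_DAYS = 3    # auto-renewal attempt: 2-3 days before expiry per the posts


def parse_not_after(text):
    """Convert an X.509 notAfter string ('Jun 28 12:00:00 2024 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)


def classify(not_after, now, notice_days=NOTICE_DAYS, renew_days=RENEW_DAYS):
    """Return (state, whole days left) for a certificate expiry time."""
    left = not_after - now
    if left <= timedelta(0):
        state = "expired"
    elif left <= timedelta(days=renew_days):
        state = "renewal-due"   # old cert still served inside the renewal window
    elif left <= timedelta(days=notice_days):
        state = "notice-only"   # e-mails arrive, no automatic renewal yet
    else:
        state = "ok"
    return state, left.days


def check_service(host, port, now=None, timeout=10):
    """Fetch the certificate a client sees on host:port and classify it."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed or wrong-name certificates end up here.
        return "verify-failed", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    return classify(parse_not_after(cert["notAfter"]), now)


if __name__ == "__main__":
    import sys
    # Usage: python3 svc_cert_check.py host port [port ...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port in ports:
        print(host, port, *check_service(host, port))
```

Run from cron on a machine other than the server itself, a "renewal-due" or "verify-failed" result is the signal to use the Reset procedure described above before clients start seeing errors.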