AutoSSL not renewing SSL-certificates
The last few days, SSL-certifcates provided by AutoSSL are no longer being renewed.
The AutoSSL logs show the following:
[code]
...
...
[/code]
Any idea how to include the .cab file somehow?
-
Thanks even more cPRex for following up yet again.
Any ETA from WebPros and cPanel on when this problem will be officially resolved?
I note it's now been a month since this thread started.
It's also over three weeks since you wrote "Our team is still working on the case right now and doing some testing. It's our highest priority issue at the moment so I'm hoping there is a fix soon."
0 -
Thank you cPRex. This solution
https://support.cpanel.net/hc/en-us/community/posts/26884027819543/comments/27479013114007
has worked for me.
I deleted the cache data and re-ran AutoSSL.
Just so you know, before I deleted the cache, AutoSSL was stuck in the queue, and I had to delete the "in progress" entry and delete autossl_queue_cpanel.sqlite from /var/cpanel.
0 -
3.14fingers - let me read through this thread again so I can ensure I'm providing accurate details and I'll get you an update soon!
0 -
Alrighty - here is what I know.
Originally we created case CPANEL-45964 for our team to get this resolved, which got broken out into a few subtasks. One of those was CS2-2919, which was specifically to update the CA bundles on cabundle.cpanel.net, and which has been completed.
3.14fingers - you mentioned your system was on version 104, and there isn't going to be a reliable way to get that working as cPanel has since left Sectigo for Let's Encrypt even for the hostname certificates. We made the switch in version 110.0.27 so if you updated the machine to 110 I would expect things to work - *however* - you may still need to manually remove those files I mentioned earlier.
The team is not expecting anyone to experience issues with the CA bundle at this time if they are on a modern (aka, 110 or later) version of cPanel, but you may still need to delete those files if they are present.
0 -
Thank you very much for the post, we solved the issue by upgrading WHM to version 110.0.27. This worked for us.
0 -
I'm glad to hear that worked well for you!
0 -
Is there somewhere that I can just manually retrieve the current ca bundle?
0 -
Charlie Actual - not that I am aware of. As far as I know, they are unique to each certificate. What cPanel version are you using and what specific issue are you running into?
0 -
Legacy CentOS machine v86.0.40
I saw your earlier recommendation to Ian.
"Ian Exaudi - since you're on a CentOS 6 machine, you are so far out of date that this won't work no matter what you do. You need to update to a more modern operating system."
Since the issue currently is the AutoSSL, would purchasing an SSL cert from elsewhere get us running again long enough for me to convince our admin to migrate our data to a more modern OS/server?
0 -
Yes, I would still expect purchasing a certificate from a third-party and installing that would work just fine, as those functions are not impacted by this change.
0 -
Here is a workaround to use Let's Encrypt for the hostname... WORKED for me on an outdated cPanel & WHM Version 86 on CentOS 6
1) Let's Encrypt provider must be installed and enabled for AutoSSL. If it is not the case, check this https://support.cpanel.net/hc/en-us/articles/360050823313-How-to-install-and-enable-the-Let-s-Encrypt-provider-for-AutoSSL
2) from cPanel create a wildcard subdomain name that is *.myhostname.com
3) go to "WHM" » "SSL/TLS" » "Manage AutoSSL" and run AutoSSL check
4) check AutoSSL logs to see if it worked or any errors...
5) If you encounter any of these errors:
DNS DCV error (*.myhostname.com): 403 .../... Incorrect TXT record "0uvp5RtGqs9pTRF" found at _acme-challenge.myhostname.com
DNS DCV error (*.myhostname.com: 403 .../... During secondary validation: Incorrect TXT record
This is because Let's Encrypt is reading an outdated DNS TXT record (due to DNS propagation delay). Edit the _acme-challenge.myhostname.com. TXT record, and set TTL to 1 (one second). Wait for DNS propagation and try again to run AutoSSL...
6) if the certificate was created successfully, go to "WHM" » "Service Configuration" » "Manage Service SSL Certificates" and install the certificate for all services :-)
0 -
cPRex I have found a workaround for this.
After running /usr/local/cpanel/bin/checkallsslcerts, a cert is actually getting created, but the CA bundle is wrong. Go to "WHM" » "Service Configuration" » "Manage Service SSL Certificates" > Browse the newly created cert. Now remove the CA bundle that is autofilled and apply this CA BUNDLE
Go ahead and install this and it will work :)
0 -
Hello Again cPRex - Can someone from cPanel validate that the link in the previous post actually provides a genuine Sectigo CA Bundle as suggested by the Unnamed User?
0 -
3.14fingers - yes, that is a valid CA bundle. However, that link will expire in 2 months so I don't believe this is a good long-term solution.
Is the main issue here that you are on an older machine?
0 -
Hello
Still running a v76 cPanel server. Can't find a solution for this.
At AutoSSL in WHM:
8:49:42 PM WARN Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”. at /usr/local/cpanel/Cpanel/SSL/Auto/Provider.pm line 933.
Running /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
warn [checkallsslcerts] Failed to fetch CA bundle information from certificate’s “authorityInfoAccess” extension: The system could not parse the certificate because of an error: Ignoring non-RSA key of type id-ecPublicKey
warn [checkallsslcerts] Failed to fetch cabundle information from cabundle.cpanel.net: Cpanel::Exception::HTTP::Network/(XID swzcfp) The system failed to send an HTTP (Hypertext Transfer Protocol) “POST” request to “https://cabundle.cpanel.net/v1.0/get_certificate_bundle” because of an error: Timed out while waiting for socket to become ready for reading
at /usr/local/cpanel/Cpanel/HTTP/Client.pm line 102.
Cpanel::HTTP::Client::request(Cpanel::HTTP::Client=HASH(0x259a8f0), "POST", "https://cabundle.cpanel.net/v1.0/get_certificate_bundle", HASH(0x25aedb8)) called at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/5.26.0/HTTP/Tiny.pm line 247
HTTP::Tiny::post_form(Cpanel::HTTP::Client=HASH(0x259a8f0), "https://cabundle.cpanel.net/v1.0/get_certificate_bundle", HASH(0x244c438)) called at /usr/local/cpanel/Cpanel/SSL/CABundleUtils.pm line 76
Cpanel::SSL::CABundleUtils::fetch_cabundle_from_cpanel_repo("-----BEGIN CERTIFICATE-----\x{a}MIIFLjCCBNSgAwIBAgIRAKet0/tf7m1oq"...) called at /usr/local/cpanel/Cpanel/SSLInfo.pm line 110
Cpanel::SSLInfo::__ANON__() called at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/cpanel_lib/Try/Tiny.pm line 99
eval {...} called at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/cpanel_lib/Try/Tiny.pm line 90
Try::Tiny::try(CODE(0x244ba60), Try::Tiny::Catch=REF(0x244bda8)) called at /usr/local/cpanel/Cpanel/SSLInfo.pm line 117
Cpanel::SSLInfo::fetchcabundle("-----BEGIN CERTIFICATE-----\x{a}MIIFLjCCBNSgAwIBAgIRAKet0/tf7m1oq"...) called at /usr/local/cpanel/Cpanel/SSL/OCSP.pm line 186
Cpanel::SSL::OCSP::cert_is_revoked("-----BEGIN CERTIFICATE-----\x{a}MIIFLjCCBNSgAwIBAgIRAKet0/tf7m1oq"..., "http://ocsp.sectigo.com") called at /usr/local/cpanel/Cpanel/SSL/Objects/Certificate.pm line 185
Cpanel::SSL::Objects::Certificate::__ANON__() called at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/cpanel_lib/Try/Tiny.pm line 99
eval {...} called at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/cpanel_lib/Try/Tiny.pm line 90
Try::Tiny::try(CODE(0x241f458), Try::Tiny::Catch=REF(0x2409c68)) called at /usr/local/cpanel/Cpanel/SSL/Objects/Certificate.pm line 191
Cpanel::SSL::Objects::Certificate::revoked(Cpanel::SSL::Objects::Certificate=HASH(0x2339460)) called at bin/checkallsslcerts.pl line 371
bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_ssl_storage(bin::checkallsslcerts=HASH(0x202ccf8), "cpanel") called at bin/checkallsslcerts.pl line 292
bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x202ccf8), "cpanel") called at bin/checkallsslcerts.pl line 85
bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x202ccf8)) called at bin/checkallsslcerts.pl line 49
cannot find issuer certificate at /usr/local/cpanel/Cpanel/NetSSLeay.pm line 38.
...caught at /usr/local/cpanel/Cpanel/SSL/Objects/Certificate.pm line 190.
Use of uninitialized value $a in hash element at /usr/local/cpanel/Cpanel/SSL/Utils.pm line 118.
Use of uninitialized value $a in concatenation (.) or string at /usr/local/cpanel/Cpanel/SSL/Utils.pm line 118.
Unknown hash: “” at /usr/local/cpanel/Cpanel/SSL/Utils.pm line 118.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
warn [checkallsslcerts] Failed to fetch CA bundle information from certificate’s “authorityInfoAccess” extension: The system could not parse the certificate because of an error: Ignoring non-RSA key of type id-ecPublicKey
Attempting to verify your certificate.....
Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”. at /usr/local/cpanel/Cpanel/SSLInstall/Service.pm line 48.
The system will check for the certificate for the “dovecot” service.
The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
warn [checkallsslcerts] Failed to fetch CA bundle information from certificate’s “authorityInfoAccess” extension: The system could not parse the certificate because of an error: Ignoring non-RSA key of type id-ecPublicKey
Empty CAB! (CA Bundle #1: The system could not parse the certificate because of an error: Ignoring non-RSA key of type id-ecPublicKey
) at /usr/local/cpanel/Cpanel/SSL/Objects/CABundle.pm line 65.
...caught at /usr/local/cpanel/Cpanel/SSL/Objects/Certificate.pm line 190.
Use of uninitialized value $a in hash element at /usr/local/cpanel/Cpanel/SSL/Utils.pm line 118.
Use of uninitialized value $a in concatenation (.) or string at /usr/local/cpanel/Cpanel/SSL/Utils.pm line 118.
Unknown hash: “” at /usr/local/cpanel/Cpanel/SSL/Utils.pm line 118.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will attempt to install a certificate for the “dovecot” service from the cPanel store.
Attempting to verify your certificate.....
Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”. at /usr/local/cpanel/Cpanel/SSLInstall/Service.pm line 48.
The system will check for the certificate for the “exim” service.
The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
warn [checkallsslcerts] Failed to fetch CA bundle information from certificate’s “authorityInfoAccess” extension: The system could not parse the certificate because of an error: Ignoring non-RSA key of type id-ecPublicKey
cPanel ECC Domain Validation Secure Server CA 3 is at /var/cpanel/userhomes/cpanelcabcache/cache/ and installed on O.S. level.
Thank you
0 -
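The output above boils down to two failures: cPanel could not read the CA Issuers URI from the certificate's authorityInfoAccess extension, and without that intermediate the chain check ends in "cannot find issuer certificate". The following script is an added example, not code from the thread or from cPanel; it assumes the openssl CLI is installed and builds a throwaway ECC root/intermediate/leaf chain with placeholder names to show the same two checks an operator can run by hand on a real certificate.

```shell
#!/bin/sh
# Added example: reproduce a "missing CA bundle" verification failure with a
# constructed ECC chain, then show how to read the AIA CA Issuers URI and how
# the result changes once the intermediate bundle is supplied.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI (all names are placeholders): ECC root -> ECC CA -> leaf.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 2 \
  -subj "/CN=Test Root" -keyout root.key -out root.pem >/dev/null 2>&1
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -subj "/CN=Test ECC DV Server CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out inter.pem >/dev/null 2>&1
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -subj "/CN=host.example.invalid" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
printf 'authorityInfoAccess=caIssuers;URI:http://ca.example.invalid/inter.cer\n' >> leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Print the CA Issuers URI a client would fetch the intermediate from
# (this is the authorityInfoAccess lookup the checkallsslcerts log complains about).
aia_ca_issuers() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

# Verify a leaf against a trust root, optionally with an intermediate bundle.
# Echoes "ok" or "missing-issuer" so callers can branch on the result.
verify_leaf() {  # $1 leaf, $2 root, $3 bundle (may be empty)
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo missing-issuer
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo missing-issuer
  fi
}

echo "AIA CA Issuers: $(aia_ca_issuers leaf.pem)"
echo "without bundle: $(verify_leaf leaf.pem root.pem '')"        # missing-issuer
echo "with bundle:    $(verify_leaf leaf.pem root.pem inter.pem)"  # ok
```

On a real server, point aia_ca_issuers at the service certificate and fetch that URI (converting DER to PEM with `openssl x509 -inform DER` if needed) to obtain the bundle that the "Manage Service SSL Certificates" page expects.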
There isn't anything we can do for a cPanel version 76 system. That version has been end of life since 2019.
0