AutoSSL not renewing SSL-certificates
The last few days, SSL-certifcates provided by AutoSSL are no longer being renewed.
The AutoSSL logs show the following:
[code]
...
...
[/code]
Any idea how to include the .cab file somehow?
-
hi richard i have tried let's encrypt and nothing im running cloud linux so idk if that makes any difference
i removed the certificates as welll so will be a clean install and changed to lets encrypt and still the same error buddy
0 -
Certificate verification failed! The system did not find the root certificate t hat corresponds to the supplied Certificate Authority Bundle’s intermediate cert ificate. Please supply a full Certificate Authority Bundle with the root certifi cate included. at /usr/local/cpanel/Cpanel/SSLInstall/Service.pm line 48.
0 -
help please guys still the same
0 -
Alin, did you follow these steps exactly to add Lets Encrypt?
After you set the cert provider to Lets Encrypt, click "Run AutoSSL For all users" and then refresh and check the logs for any errors or not.
0 -
Hi richard
yes buddy :) tried everything no luck
0 -
Alin Vladic - if you're seeing that CA Bundle issue, there isn't a fix until the developers resolve the case. I'll be sure to post once I have more details.
0 -
Hey There, Can anyone confirm that switching to Let's Encrypt will solve this issue for the hostname certificates? My understanding was that the Let's Encrypt choice in WHM only applied to domain certificates within cPanel accounts and that it is not available as a method for the hostname certificate. Thanks
0 -
3.14fingers - Switching to Let's Encrypt is unrelated to the hostname certificate. If you are on a modern cPanel version, Let's Encrypt is already being used for the hostname.
0 -
Hello CPRex, Thanks very much for your prompt reply. So if I am needing to remain on an older version of cPanel on one or more servers that were using the free hostname certificates from elsewhere (NOT Let's Encrypt) will this situation be getting resolved by cPanel & Web Pros? Also, does this current situation affect me if I choose to purchase an SSL for the hostname from some other outside source? Will simply purchasing a commercial SSL from another provider right now solve the situation right now that cPanel & Web Pros have left us dealing with?
0 -
It depends on what you mean by "older" version. Currently the LTS version is 118, and will likely stay that way until next spring. If you are on an version older than that, it's unlikely any updates will be provided to that version.
You are still free to purchase and install an SSL certificate on the hostname as the system won't override that.
0 -
hi, i also have this problem with autossl since almost a month.
cpanel, this is getting old, please come up with a solution!
i found 2 workarounds:
1. you can buy and install any certificate that IS NOT SIGNED BY CPANEL. it will be valid for the number of years you purchased it, and at the end of the period you have to renew it manually.
2. you can manually obtain a free certificate from let's encrypt using command line tool "certbot", and manually install that certificate in cpanel. it is only valid for 3 months, and you have to manually renew.
0 -
Thank you vlad lazarciuc for a clear description that might have been better served by Web Pros or cPanel themselves as an interim solution in the first place.
0 -
UPDATE - the new CA bundle exists, but your server likely has the old file cached on the system. Since every server will have a slightly different file name I can't provide an exact command to move it out of the way, but you want to move the most recent cache file located inside the
/var/cpanel/userhomes/cpanelcabcache/cache/directory and then re-run AutoSSL. After doing that, it should properly issue the certificate with the correct CA Bundle file.0 -
I have 5 files in that directory
http:__crt_comodoca_com_COMODORSADomainValidationSecureServerCA_crt.8294f1a0^ With a timestamp of 17/04/2018
http:__crt_comodoca_com_cPanelIncCertificationAuthority_crt.22bcc0ae
^ With a timestamp of 21/10/2024
http:__crt_sectigo_com_SectigoRSADomainValidationSecureServerCA_crt.4ab3b176
^ With a timestamp of 30/10/2024
http:__r10_i_lencr_org_.42b20ec
^ With a timestamp of 31/10/2024
http:__r11_i_lencr_org_.65838ed1
^ With a timestamp of 31/10/2024
Which file do you want me to move / delete ?0 -
David Forster - you would only need to delete a file from that directory if you're experiencing the CA Bundle renewal issue. If so, you'd want to delete the newest Sectigo certificate file, which would be the http:__crt_sectigo_com_SectigoRSADomainValidationSecureServerCA_crt.4ab3b176 file.
0 -
I follow thats steps but dont work
/cpanelcabcache/cache]# mv http:__crt_sectigo_com_SectigoRSADomainValidationSecureServerCA_crt.4ab3b176 http:__crt_sectigo_com_SectigoRSADomainValidationSecureServerCA_crt.4ab3b176.old
the error continues
Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”.0 -
Yes I have the - CA Bundle renewal issue
aka - WARN Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”
We are using a older version of WHM which a previous developer did modifications to which stops us from upgrading to a newer version
As new customers come on we have been migrating them to a different system but we still have a bunch on this older version
I have deleted / moved that Sectigo file out wish me luck.
I did go thru on friday and did a bunch of certbot cerificates as a temp fix0 -
Didnt work deleting that Sectigo file
The error persists
WARN Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”.0 -
Same issue here. Legacy server (Centos 6.x) which we can't update to Let's Encrypt.
Tried the fix suggested by cPRex. No dice :-(
Getting this error:
6:26:07 PMWARN Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”. at /usr/local/cpanel/Cpanel/SSL/Auto/Provider.pm line 933.WARN (XID vwwg28) The system failed to install an SSL certificate onto the website “[client website]” because of the following error: Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. Contact “cPanel, LLC” to obtain the Certificate Authority Bundle for “cPanel ECC Domain Validation Secure Server CA 3”.0 -
CPRex,
i decoded the certificate from that folder and it's common name is
cPanel, Inc. Certification Authority
the autossl wants the ca bundle for
cPanel ECC Domain Validation Secure Server CA 3
which is not in the folder!
can you post here the SSL file for "cPanel ECC Domain Validation Secure Server CA 3" so that we install it manually in that folder?
0 -
Ian Exaudi - since you're on a CentOS 6 machine, you are so far out of date that this won't work no matter what you do. You need to update to a more modern operating system.
For the other users that mention deleting a Sectigo file, that isn't going to be related to this issue as Let's Encrypt is the provider of the current certificates, even for the hostname.
vlad lazarciuc - there isn't a way for me to do that as they are all unique certificates the way they are issued. Could you create a ticket so this can be investigated?
0 -
cPRex Fair enough too. I get it.
Decommissioning this server and cancelling the licence as soon as we can.
0 -
OK, so here are two very specific questions. I am hoping cPanel can provide two very specific answers - If a server has CentOS v7.9.2009 & WHM v104.0.11, what is the exact procedure to make a new, free hostname certificate appear? It was working fine by itself until about a month ago and was displaying a one year certificate listed as Issuer Name "Organization - cPanel, Inc" - "Common Name - cPanel, Inc Certification Authority" - Equally, can I download the (PEM) chain from a server that still has a working free cPanel hostname SSL and use that chain in the server(s) that are suffering this issue?
0 -
3.14fingers - that version of cPanel hasn't been supported for almost 2 years, so there isn't going to be an official way to get that working. Is there a reason you can't update that system to version 110?
0 -
Hello cPRex Thanks for your further reply. It is appreciated. Can you or WebPros specifically guarantee that updating to cPanel V110 will correct this issue with hostname certificates? I ask this because I have already just had to purchase paid SSL certificates for two other servers that are running an even higher version of cPanel at V112 despite the cPanel license supposedly including a free hostname certificate.
0 -
I can't comment on your specific license situation, but if you have a license purchased through us there is no reason you should need to be purchasing an SSL for any domain or hostname. If the license is purchased through a third-party they can disable certain features, such as AutoSSL.
However, I don't believe the fix is getting pushed back to version 110, as even that is no longer supported at this point. Our supported versions can always be found here:
So no, I doubt that would fix the issue, but updating to version 110 is the last version supported with CentOS 7.
0 -
Thanks again cPRex
I'm confused though... 8 days ago you responded including saying:
Currently the LTS version is 118, and will likely stay that way until next spring. If you are on an version older than that, it's unlikely any updates will be provided to that version.
But when I check the page you suggested in your most recent response at http://layer1.cpanel.net/ I see the following entry:
11.110 11.110.0.48 Mon Nov 4 22:47:56 2024
This is under a heading on that page titled Latest Major Version Releases
That's like two or three days ago.
Doesn't that constitute an update that was released for version 110?
Surely they could include the fix on that if they are still pushing out updates as recently as 48 hours ago???
...and No, there are no restrictions to using Auto SSL on any of my cPanel licences. This issue started by itself on servers that had no trouble achieving free hostname certificates until quite recently... around when this thread started actually.
0 -
There are still some security fixes going to 110 for critical issues, but it's not considered a supported release at this time.
Are you able to create a ticket with our team so we could look at your situation directly?
0 -
Hello Yet Again cPRex
Please understand that I do genuinely appreciate all these replies you are taking the time to write but WOW! Are you indicating here that WebPros don't consider a failure to renew the free hostname certificate on a server that is provided as part of the license cost to actually be part of the security of a server?
If WebPros deem it sufficient to release security fixes for something like V110 then why don't they deem it sufficient to include the fix for the issue on that version. I mean, we are all paying our ever increasing monthly fees to Oakley Capital & CVC.
Anyway, off to buy some more paid hostname certificates to cover for the failure of cPanel to even create a fix for people in my position. And I'd remind all who visit, this isn't just happening to our servers on V110, it is happening on later versions of cPanel as well.
0 -
3.14fingers - okay, I completely blanked there and forgot about the ELS support for CentOS 7, which still runs version 110.
So yes, once this is officially resolved it will get applied to version 110.
0
Please sign in to leave a comment.
Comments
76 comments