
AutoSSL error for newly migrated server

Comments

7 comments

  • cPRex Jurassic Moderator

    Hey there!  There isn't going to be a way to force AutoSSL into issuing that certificate as it thinks the DNS isn't setup properly.  Can you run this command on your server?

    export domainNameToCheckDnsFor=domain.com
    # Resolve the domain the way AutoSSL does (Cpanel::DnsRoots, IPv4 only)
    ourReturnedIpAddr=$(/usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e '
        $domainNameToCheckDnsFor = $ENV{"domainNameToCheckDnsFor"};
        @ipReturn = Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain("$domainNameToCheckDnsFor");
        print "@ipReturn";
    ')
    # Fetch the headers over HTTPS and keep only curl's "*" diagnostic lines
    ourReturnedData=$(curl --connect-timeout 15 --insecure -vI -sL -H "Host:$domainNameToCheckDnsFor" "https://$domainNameToCheckDnsFor/" 2>&1 | grep '^*')
    echo -e "\n\n The command ::\n\n curl --insecure --connect-timeout 15 -vI -sL -H'Host:$domainNameToCheckDnsFor' https://$domainNameToCheckDnsFor/ 2>&1 |grep '^*' \n\n"
    echo -e " The return and IP :: \n\n IP:$ourReturnedIpAddr\n\n $ourReturnedData"
    unset domainNameToCheckDnsFor

    Just update that very first "domain.com" to the actual domain you're working with, and this should give you the IP address of the domain in the way that AutoSSL checks for it.

    0
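    As an added example (not the moderator's or cPanel's code), here is a small Python parser for the `*` lines that command prints. It pulls out the IP curl actually connected to and the subject of the certificate the host served, then flags the two things worth eyeballing after a migration: the IP not being the new server's, and the served certificate not naming the host you asked for (in the thread, portal.mydomain.com came back with a certificate for mydomain.com). The sample output is constructed with an RFC 5737 documentation address.

    ```python
    import re
    from urllib.parse import urlparse

    # Constructed sample in the shape of the "*" lines the command prints (trimmed).
    SAMPLE_PORTAL = """\
    *   Trying 203.0.113.10:443...
    * Connected to portal.example.com (203.0.113.10) port 443 (#0)
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    *  subject: CN=example.com
    * Issue another request to this URL: 'https://portal.example.com/login.html'
    """

    def parse_curl_verbose(text):
        """Pull the connected IP, the first served cert's subject CN and any redirects."""
        info = {"host": None, "ip": None, "subject_cn": None, "redirects": []}
        for line in text.splitlines():
            m = re.match(r"\* Connected to (\S+) \(([\d.]+)\) port", line)
            if m and info["ip"] is None:
                info["host"], info["ip"] = m.group(1), m.group(2)
            m = re.match(r"\*\s+subject: (.*)", line)
            if m and info["subject_cn"] is None:
                cn = re.search(r"CN=([^;,]+)", m.group(1))
                info["subject_cn"] = cn.group(1).strip() if cn else None
            m = re.match(r"\* Issue another request to this URL: '([^']+)'", line)
            if m:
                info["redirects"].append(m.group(1))
        return info

    def cert_name_matches(name, hostname):
        """Exact match, or a single-label wildcard (*.example.com covers portal.example.com)."""
        name, hostname = name.lower(), hostname.lower()
        if name.startswith("*."):
            return hostname.endswith(name[1:]) and hostname.count(".") == name.count(".")
        return name == hostname

    def check_host(text, hostname, expected_ip):
        """Return the problems found; empty list means DNS and the served cert look right.
        curl -v shows only the subject CN, not SANs, so a CN mismatch is a prompt to inspect."""
        info = parse_curl_verbose(text)
        problems = []
        if info["ip"] != expected_ip:
            problems.append(f"connected to {info['ip']}, expected {expected_ip}")
        if info["subject_cn"] and not cert_name_matches(info["subject_cn"], hostname):
            problems.append(f"served certificate is for {info['subject_cn']}, not {hostname}")
        for url in info["redirects"]:
            if urlparse(url).hostname != hostname:
                problems.append(f"redirects off-host to {urlparse(url).hostname}")
        return problems
    ```

    Paste the real output of the moderator's command in place of the constructed sample and pass the hostname and the new server's IP to `check_host`.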
  • Russel Olinger

    I ran that command for my mail.mydomain.com and portal.mydomain.com; both return similar but slightly different results, but both are listing the correct IP for the domain/subdomains.

    For portal.mydomain.com:

    The return and IP ::

     IP:208.Y.Y.Y

     *   Trying 208.Y.Y.Y:443...
    * Connected to portal.mydomain.com (208.Y.Y.Y) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.2 (OUT), TLS header, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=mydomain.com
    *  start date: Nov 13 07:16:24 2024 GMT
    *  expire date: Feb 11 07:16:23 2025 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=R11
    *  SSL certificate verify ok.
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Mark bundle as not supporting multiuse
    * Connection #0 to host portal.mydomain.com left intact
    * Issue another request to this URL: 'https://portal.mydomain.com/login.html?e=A'
    * Found bundle for host portal.mydomain.com: 0x561a79f763c0 [serially]
    * Can not multiplex, even if we wanted to!
    * Re-using existing connection! (#0) with host portal.mydomain.com
    * Connected to portal.mydomain.com (208.Y.Y.Y) port 443 (#0)
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Mark bundle as not supporting multiuse
    * Connection #0 to host portal.mydomain.com left intact

    For mail.mydomain.com, however, note that there isn't a port 443 for mail.mydomain.com because it's a mail server.  My mail server uses port 993 (incoming) and 465 (outgoing); both have SSL/TLS for account connections.  However, "webmail.mydomain.com" does have port 443 open... but that is not the subdomain in question here.

     The return and IP ::

     IP:208.Y.Y.Y

     *   Trying 208.Y.Y.Y:443...
    * Connected to mail.mydomain.com (208.Y.Y.Y) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.2 (OUT), TLS header, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=mail.mydomain.com
    *  start date: Nov 10 00:00:00 2024 GMT
    *  expire date: Feb  8 23:59:59 2025 GMT
    *  issuer: C=US; O=cPanel, LLC; CN=cPanel ECC Domain Validation Secure Server CA 3
    *  SSL certificate verify ok.
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Mark bundle as not supporting multiuse
    * Connection #0 to host mail.mydomain.com left intact
    * Issue another request to this URL: 'https://mydomain.com/errorpage.html'
    *   Trying 208.Y.Y.Y:443...
    * Connected to mydomain.com (208.Y.Y.Y) port 443 (#1)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.2 (OUT), TLS header, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=mydomain.com
    *  start date: Nov 13 07:16:24 2024 GMT
    *  expire date: Feb 11 07:16:23 2025 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=R11
    *  SSL certificate verify ok.
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Mark bundle as not supporting multiuse
    * Connection #1 to host mydomain.com left intact


    0
  • Russel Olinger

    On a side note, from Terminal on that cPanel, "dig mail.mydomain.com" is returning the correct IP address.  So the DNS is correct... is AutoSSL somehow using cached DNS or something? Those cert renewal failures were from Nov 21st when I cut my server over.


    The DNS was cut over to my new server this past weekend.  But on the old server mail.mydomain.com and portal.mydomain.com still show valid certs, while all my other AutoSSL domains have errors displaying the IP address of my new server.  Those failures are showing today's date even though I cut the server DNS over on Saturday, four days ago.

    But the failures on my new server, for mail and portal, show failures for Nov 21st, and it's like once it failed it's never tried again.  But I am not certain.

    0
  • Russel Olinger

    For now, I used the certs for `mail` and `portal` from the old server... I loaded them into the new server and they show as good certs through Feb 2025, but I still need to get this cPanel AutoSSL issue resolved. My DNS is correct, but for some reason the new server still sees those two sub-domains' DNS pointing to the old server IP.  I don't get it.

    0
  • Russel Olinger

    I finally resolved this.

    1. Go to `cPanel -> SSL/TLS -> Manage/View Certs` - delete the bad/issue subdomain certs from here.

    2. Go into `WHM -> Manage SSL Hosts` and delete the certs for the sub-domains from there

    3. Go to `cPanel -> SSL Status`, check the sub-domains and run AutoSSL again.

    0
  • cPRex Jurassic Moderator

    It's interesting that manually deleting them resolved the issue, but AutoSSL wouldn't overwrite them automatically.  I'm glad you were able to get that working!

    0
  • Russel Olinger

    Yeah, all certs are now valid, served by Let's Encrypt and working in AutoSSL now.  Imported ones from the old server were 'cPanel certs' and had to be deleted and then re-added using AutoSSL on the new server to get them as valid Let's Encrypt certs for the daily check and 3-month renewal process.

    0
