
SSL certificate renewed but web is unsecure

Comments

22 comments

  • rbairwell

    What is the certificate error message when you access it? Is it something like net::ERR_CERT_DATE_INVALID (if so, your browser may have cached the old certificate), net::ERR_CERT_COMMON_NAME_INVALID (are you accessing the server by the hostname or IP address), net::ERR_CERT_AUTHORITY_INVALID or something else?

    Which web page are you talking about? Your own website, the WHM on the DNSOnly server (i.e. on port 2087) or something else?

    0
  • William Del Piero cPanel Staff

    Hi,

     

    If an SSL certificate was renewed on your DNS Only server it was likely the hostname certificate for the cPanel services as websites are normally not hosted on a DNS Only server. In order to determine why the website SSL isn't working properly, I recommend logging into the webserver that hosts the site and reviewing the AutoSSL logs (WHM > Manage AutoSSL > Logs) to see if AutoSSL is having trouble renewing the website's SSL certificate.

    0
  • Elizabeta

    Hello,

    William Del Piero thank you for your answer!

    The problem is with the web page for access to DNS Only. The web page is not secure, but the SSL certificate was renewed successfully on the DNS Only server.


    0
  • Hi,

     

    Does the /usr/local/cpanel/bin/checkallsslcerts script produce any errors? This script should detect if the hostname SSL is invalid and attempt to replace it. If that doesn't help, can you ensure that the URL you're using to access WHM/cPanel resolves directly to your DNS Only server?

    0
  • Elizabeta

    Hello,

    When I run /usr/local/cpanel/bin/checkallsslcerts I see some errors.
    I have a problem: DNSOnly doesn't know about its own record dns2.*h.*.*.*....
    But when I look in zone *h.*.*.* there is a record dns2.

    0
  • cPRex Jurassic Moderator

    Can you share the specific errors you're getting from the checkallsslcerts script?

    0
  • cPRex Jurassic Moderator

    Thanks for the additional details.  The current certificate is self-signed because Let's Encrypt wasn't able to issue a valid one through AutoSSL.  I'm not seeing anything obviously wrong with the DNS for the hostname, although we shouldn't be sharing hostnames or IP addresses on the Forum.

    It looks like the only option in this situation is to have the local system be the authoritative nameserver, as any HTTP checks will fail since there is no website on the DNSOnly machine.

    0
  • Elizabeta

    Hello,

    Do you recommend installing the Let's Encrypt plugin?

    Best regards,
    Elizabeta

    0
  • cPRex Jurassic Moderator

    No, as your cPanel server should have Let's Encrypt installed by default through us, with no external plugin necessary.  The only reason this wouldn't be the case is if your machine is on an older version of cPanel.

    0
  • Elizabeta

    Hello,

    cPanel and DNSOnly are version 126.0.16.

    BR

    0
  • cPRex Jurassic Moderator

    Did the AutoSSL issue resolve itself on your machine?

    0
  • Elizabeta

    I noticed that I had extra records in named.conf (I have commented them out).
    Now DNSOnly knows about its own record dns2.*h.*.*.*....

    But the certificate is now self-signed, not Let's Encrypt. The web page for dns2.*.*.*:2087 is still unsecure.

    How can I change the certificate to be Let's Encrypt?

    Best regards,
    Elizabeta


    0
  • cPRex Jurassic Moderator

    What happens when you run /usr/local/cpanel/bin/checkallsslcerts on the machine?

    0
  • cPRex Jurassic Moderator

    There isn't going to be a way to fix that - the only way to make this work is to have the DNS cluster be the authoritative nameserver for the hostname.

    0
  • Elizabeta

    Hello,

    cPRex, the DNS cluster is the authoritative nameserver for the hostname dns2.*.*.*.
    How can I replace the self-signed certificate which is now installed with Let's Encrypt?

    Domains:     

        dns2.*.*.*.*

    Issuer:     (self-signed) Warning: Self-signed certificates will cause browser warnings. 

    0
  • Elizabeta

    When I go to WHM -> Home -> Service Configuration -> Manage Service SSL Certificates

    can I just do Reset Certificate (self-signed) and then Install Certificate (Let's Encrypt)?

     

    0
  • cPRex Jurassic Moderator

    No - you'd want to use Manage Service SSL Certificates to perform the reset, and then run "/usr/local/cpanel/bin/checkallsslcerts" to issue the new one.

    0
  • Elizabeta

    Hello,

    I have now run the reset in WHM -> Manage Service SSL Certificates, after which I had to restart cpsrvd.
    I restarted cpsrvd via the command line.
    Then I ran /usr/local/cpanel/bin/checkallsslcerts

    Unfortunately, there is again a self-signed certificate.

    This is shown in WHM -> Manage Service SSL Certificates:

    Domains:     

        dns2.testwh.tel.net.ba

    Issuer:     (self-signed) Warning: Self-signed certificates will cause browser warnings. (More information)
    Key:     RSA, 2,048-bit (d3d4d1ca …)
    Expiration:     May 9, 2026 7:22:36 AM

    Best regards,
    Elizabeta



    0
  • cPRex Jurassic Moderator

    We need to see a ticket about this at this point since none of the troubleshooting tools are working as expected.

    0
  • Elizabeta

    Hello,

    Now the web page on DNSOnly is secure, and the certificate is

     

    Domains:     

        dns2.testwh.tel.net.ba

    Issuer:     Let's Encrypt
    Key:     RSA, 2,048-bit (eb905383 …)
    Expiration:     Aug 16, 2025 7:33:16 AM

    The only question now is:

    Why does this certificate only last until August 16, 2025 instead of one year?

    Best regards,
    Elizabeta

     

    0
  • quietFinn

    Let's Encrypt certificates are valid for 3 months.

    Let's Encrypt is used for the server's free hostname certificates since cPanel 110.0.27.

     

    0
  • Elizabeta

    Hello,

    Thank you all for help! Now everything is fine.

    Best regards,
    Elizabeta

    0
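
The checks discussed in this thread (is the certificate served on the WHM port self-signed or CA-issued, and how close is it to expiry given the 3-month Let's Encrypt lifetime) can be done from a shell with `openssl`. This is an added example, not part of the thread and not cPanel tooling; the function names and the hostname `dns2.example.test` are made up for illustration, and the sample certificate is constructed locally so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not cPanel tooling); all function names are hypothetical.

# Save the leaf certificate a TLS service presents, e.g. WHM on port 2087.
# Needs network access, so the offline demo below does not call it.
fetch_cert() {        # fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# Print one distinguished name without its "issuer=" / "subject=" label.
cert_name() {         # cert_name FILE -issuer|-subject
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# A certificate whose issuer equals its subject is reported as self-signed.
# This compares names only; it does not verify the signature or the chain.
classify_cert() {     # classify_cert FILE
    if [ "$(cert_name "$1" -issuer)" = "$(cert_name "$1" -subject)" ]; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# Succeeds when the certificate expires within DAYS days.
expires_within() {    # expires_within FILE DAYS
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed sample: a self-signed certificate valid for 90 days.
make_sample_cert() {  # make_sample_cert DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=dns2.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp"
    echo "issuer: $(cert_name "$tmp/cert.pem" -issuer)"
    echo "type:   $(classify_cert "$tmp/cert.pem")"
    if expires_within "$tmp/cert.pem" 30; then echo "renew soon"; else echo "more than 30 days left"; fi
    rm -rf "$tmp"
fi
```

Against a live server, `fetch_cert HOST 2087 /tmp/whm.pem` followed by `classify_cert /tmp/whm.pem` shows whether the service is still presenting the self-signed certificate after a reset.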
