Skip to main content

Issues with license validation on mutiples servers

Comments

84 comments

  • You should not be checking for a license during every single update cycle. FIX THIS.

    3
  • cPRex Jurassic Moderator

    TVCNet Website Hosting and Security Services - it's been that way for a very long time, so I don't think that will be changing.

    -5
  • Daniel Bazaes

    That's not really an argument. Plenty of things existed for years before they were improved. The fact that something has worked a certain way for a long time doesn't mean it can't or shouldn't be changed

    Appealing to tradition isn't a good reason to keep a design that can bring down an entire server because of a single failed license check. Long-standing behavior doesn't automatically make it good design.

    3
  • David Cordovez

    cPRex 

    With all due respect, today's outage proves exactly why the "it's always been that way" approach is an architectural vulnerability that must be reviewed. Today's incident was resolved relatively "quickly", but what happens if a more severe scenario hits tomorrow?

    What if cPanel faces a major network backbone failure or a massive, real external DDoS attack that keeps your auth servers offline for hours? Why should a valid, prepaid monthly license instantly stop working locally because of a remote failure on your side? Paralyzing the administrative plane of your entire global infrastructure over a remote timeout is a massive single point of failure that needs to be addressed.

    1
  • cPRex Jurassic Moderator

    Daniel Bazaes - I don't disagree at all, but this isn't something we're going to change.

    -7
  • Daniel Bazaes

    This is actually a good example that cPanel is willing and able to change long-standing policies when there's a good reason to do so.

    For example:

    Implemented CPANEL-53412: WHM servers now apply current-major security releases within an hour by default, independent of the normal update schedule.

    That was a significant change to update behavior, and ironically, it's the same change that appears to have contributed to the situation we're discussing. So saying "it's always been that way" isn't really an argument against improving the licensing mechanism. If update policies can evolve for security reasons, then the license validation process can evolve for resilience as well.

    4
  • Cameron W

    @cPrex Your or cPanel's reasoning is pathetic. Servers shouldn't go down just because the licensing checks fail once. 

    If the license fails after, say, 5 times, then yes, but as someone said, what happens if you had a DDoS attack or catastrophic failure? Why should my infrastructure be affected? 

    Sure, do your license checks, but the process needs to be worked through further. 

    2
  • cpanel

    It is a massive single point of faliure where we as Admins and Customers of cPanel/WHM dont have control over. 
    License checks per se are completly fine. But i think its a absolute no-go that we pay for a monthly service, and that service goes down the instant WebPros Servers are having issues.

    0
  • Cameron W

    I can see why cPanel wants to check whether the license is legit to stop piracy, but if the server doesn't get an update for 14 days, perhaps block access to cPanel/WHM.

    cPanel needs to stop implementing these 'great' ideas, as it's turning from a rock-solid platform into garbage, as well as jacking up prices every year. 

    0
  • braecht

    Here we go AGAIN. Same problem, AGAIN.

    We spent the entire morning getting screamed at by furious customers because email authentication and webmail were down. And why? Because for some reason cPanel thinks it's a good idea to tie basic email functionality to license validation. Let that sink in: your customers' EMAIL stops working because YOUR licensing system hiccups.

    Who designs something like this? Email auth and webmail access have absolutely no business being coupled to a license check. None. This is not a minor bug, this is a fundamentally broken design decision, and it keeps blowing up in our faces over and over.

    We lost paying customers today. Again. Real revenue, gone, because of this nonsense.

    The only thing I'm genuinely thankful for is that we already migrated 90% of our servers to DirectAdmin. The last ones will follow now. After this stunt, we are DONE with cPanel. Permanently.

    And honestly, can someone explain to me how the prices have multiplied several times over while the service keeps getting worse and the same critical failures keep happening? You raised prices like a premium product and deliver like an abandoned open source project.

    To anyone still on the fence about migrating away: don't wait for the next outage. We did, and it cost us customers.

    2
  • Steinar Vigdel Kolnes

    Some stupendously "clever" person found out that shutting down incoming emails would be a good idea to take licensee hostages. So no-one can even contact you!!

    I am on my way, moving from cPanel.

    3
  • Jose Dieguez

    i really can't believe, Cpanel license checking system fails, and that causes hundreds if not thousands of customers UNABLE to use and check their email.

     

    Thanks Cpanel for causing downtime to every hosting provider using Cpanel.

    1
  • cPRex Jurassic Moderator

    There are two parts of the events yesterday that I can't stress enough:

    -the daily license check, and the license check being tied to the email authentication services have existed forever.  This isn't something that was recently added the product. https://support.cpanel.net/hc/en-us/articles/7284279950999-What-happens-to-my-server-when-the-cPanel-license-is-expired-or-cancelled

    -the issues yesterday with the unanticipated traffic levels is completely, 100% on us, and we've taken steps to ensure that never happens again.  

    While it did lead to the unfortunate results we saw yesterday, a knee jerk reaction of changing the entire license system for something that should never happen again isn't something we plan on doing.

    -2
  • Jose Dieguez

    cPRex but it did happen again few hours ago.

    the only truth is that your license system failed, and that caused downtime of email services for 1000's of accounts, broke entire SLA of many hosting providers, loss of revenue because of compensations, etc.

    You don't get, and Cpanel don't get the harm caused. is not an "unfortunate result". it's a complete disaster, leave entire organizations, companies, government orgs, without email.

     

    Anyway, i know nothing will come out of this from your reply.

    Unsuscribing from this thread.

    1
  • braecht

    Yes, we're well aware this isn't new. That IS the point. The same failure has occurred multiple times over the years, and the consequences on our side are always the same: a morning full of furious customers, cancellations from people who leave permanently, and negative reviews posted online, aimed at us, the hoster, not at cPanel. You break it, we pay for it. Every single time.

    A few things in your reply deserve pushback:

    1. The article you linked covers expired or cancelled licenses. Our licenses were valid and fully paid. Yesterday, your infrastructure problem effectively delicensed servers of paying partners, and the product reacted by shutting down email authentication for their end customers. "Working as designed" is precisely the accusation, not the excuse.

    2. "This has existed forever" doesn't make it acceptable. It means this single point of failure has been known for decades and was never addressed. Longevity of a design flaw is not a feature.

    3. Nobody asked you to rip out the entire license system. A fail-open behavior or a grace period for authentication services when your license servers are unreachable would fully solve this without touching your licensing model. Framing that as a "knee jerk reaction" is a convenient way to avoid doing it.

    4. "It will never happen again" is what we were told after the previous incidents too. Our lost customers don't care about that promise, and neither do we anymore.

    One last thing: if you improved your software at the same pace you keep jacking up your prices, we'd all be in a much better place.

    1
  • Daniel Santos

    "-the issues yesterday with the unanticipated traffic levels is completely, 100% on us, and we've taken steps to ensure that never happens again.  "

    not possible to 100% ensure that.. not possible.


    1
  • Cameron Worts

    I appreciate the transparency in acknowledging that yesterday's outage was caused by the licensing infrastructure and that cPanel has taken steps to prevent the same traffic issue from happening again.

    However, I think the response misses the point that hosting providers are trying to make.

    The problem isn't that your infrastructure failed yesterday. The problem is that an infrastructure failure prevented users worldwide from accessing cPanel, WHM, and Webmail.

    Saying "the licence check has always worked this way" isn't particularly reassuring. If anything, yesterday exposed a long-standing architectural weakness that many of us have never experienced at this scale before.

    As hosting providers, we build redundancy into every critical service we operate. We have redundant power, storage, and networking, clustered infrastructure, and backups and disaster recovery plans—all because we assume failures will happen. Yet one unavailable licensing service, completely outside our control, was enough to disrupt customer access worldwide.

    Our customers don't blame cPanel. They blame us. We bear the reputational damage, handle the flood of support calls, and spend hours explaining an outage we had absolutely no control over.

    The real question isn't whether yesterday's specific traffic issue will happen again. The question is why a temporary outage of a licensing service can impact customer authentication in the first place.

    A licence should determine whether a server is authorised to run cPanel—not whether a customer can log into software that was already licensed and functioning perfectly yesterday. A cached validation or grace period would have prevented virtually all of yesterday's disruption while still protecting your licensing model.

    Yesterday wasn't just an infrastructure incident. It exposed a single point of failure that affected hosting providers and their customers worldwide. That's the issue many of us are asking cPanel to address.

    2
  • Daniel Bazaes

    I think this was avoidable.

    cPanel bills monthly, so a temporary failure reaching the licensing servers should not immediately put production servers in a broken state. There is a big difference between “the license is revoked or inactive” and “the licensing servers are not responding.”

    A safer design would be to keep a recently validated license trusted for a grace period, use multiple validation endpoints, and fail open in a limited way when the error is network-related. At most, WHM could show a warning or restrict some administrative actions, but webmail, WHM access, or core services should not be taken down because a single license check failed.

    This is especially important now that security updates can be forced outside the normal update schedule. If thousands of servers are pushed to update and validate at the same time, the licensing system needs backoff, jitter, caching, and redundancy.

    Finally, this kind of protection doesn't really stop pirated installations. Those are typically modified specifically to bypass license validation. In practice, the people most affected by this design are paying customers running legitimate licenses.

    2
  • David Cordovez

    Cameron Worts "As hosting providers, we build redundancy into every critical service we operate. We have redundant power, storage, and networking, clustered infrastructure, and backups and disaster recovery plans—all because we assume failures will happen. Yet one unavailable licensing service, completely outside our control, was enough to disrupt customer access worldwide."

    I fully agree with those words; that sums it all up perfectly, and it is unfortunate that cPanel doesn't seem to understand it.

    It is regrettable that cPanel refuses to listen to its customers—the ones paying monthly bills amounting to thousands of dollars. It is almost ridiculous that users of "cheap licenses" haven't been affected while we have, yet our requests for improvements go unheard.

    1
  • David Cordovez

    An important additional piece of information:

    During the outage, running cpkeyclt returned:
    statusmsg: Invalid License File. Incorrect authority delivering the license.

    This specific message indicates that the issue wasn't merely a network lockout or a simple DDoS preventing connection. Instead, it implies that during one of the validation cycles, the local system received a corrupted, misconfigured, or malformed upstream response.

    Instead of failing safely or falling back to a local cache window, the cPanel binary actively decided to invalidate the local license file. This proactive destruction of a valid, prepaid license due to an anomalous server-side payload is the architectural flaw that needs an urgent review.

    0
  • ffeingol

    cPRex the page you linked to is vague at best.  While it clearly states that WHM, cPanel and Webmail will not accept logins (and that make sense) locking out POP/IMAP/SMTP "seems" be be something relatively new (i.e. last 12 - 18 months).  We've had licenses get cancelled by "oops" in the past and I can't ever remember email going down.

    I think another big point is also being missed (passed this along in a support ticket and to our Account Manger).  Because of this incident every bad actor in the world now knows that they can cripple vast amounts of cPanel servers by attacking the license servers.  While we appreciate the fact that you were able to quickly scale up yesterday and resolve this and actual DDoS attack could be something entirely different.

    0
  • tvcnet

    This was a wake-up call for much of the cPanel world.

    In case you don't have time to read through more than a few dozen comments, here's the consensus:

    General Sentiment

    • Widespread Alarm: Users are reporting the issue across multiple servers simultaneously, causing panic for server administrators who manage many client accounts.

    • Cynicism Toward cPanel: There is significant animosity toward recent cPanel policy changes. Commenters are sarcastically criticizing the company for recent price hikes, layoffs, and a perceived decline in quality control.

    • Disbelief at Architecture: Many users are shocked/outraged that a license validation failure is capable of taking down live websites. There is a strong consensus that "if the license server is down, the control panel interface should be unreachable, but sites should stay online."

    • Frustration with Automation: Much of the anger is directed at the newly introduced "hourly security update" process, which many users suspect caused a self-inflicted Distributed Denial of Service (DDoS) on cPanel’s own authentication and repository servers.

    So there we are...

    0
  • Lew Komarow

    So, all I know is my site is down and has been down all day (Thursday 7/9). Users are receiving errors such as "ERR_TOO_MANY_REDIRECTS." I cannot get into cPanel (ERR_CONNECTION_REFUSED). Can someone tell me if this is likely the same licensing issue from this thread, and is cPanel still working on a resolution?

    0
  • cPRex Jurassic Moderator

    Lew Komarow - that issue wouldn't be related to the problem in this thread.  It would be best to reach out to your hosting provider to have them check this directly on the system.

    0

Please sign in to leave a comment.