Auto SSL did not change the expired day

HuyND

Active Member
Oct 29, 2019
26
4
3
Viet Nam
cPanel Access Level
Root Administrator
Hi support cPanel team,
I'm administrator root in Vietnam. I'm administrator of more than 20 shared hostings. I have a trouble for 2 account didn't change the expired day when I click Run Auto SSL in SSL/TLS Status.

This hosting's log SSL show like this:
Code:
Log for the AutoSSL run for “USER”: Tuesday, November 12, 2019 9:58:39 AM GMT+0700 (cPanel (powered by Sectigo))
9:58:39 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “USER”’s domains …
9:58:39 AM Analyzing “mail.domain.com” …
9:58:39 AM TLS Status: Incomplete
Certificate expiry: 11/27/19, 8:17 PM UTC (15.72 days from now)
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
9:58:39 AM Analyzing “domain.com” …
9:58:39 AM TLS Status: Incomplete
Certificate expiry: 11/27/19, 8:17 PM UTC (15.72 days from now)
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
9:58:39 AM SUCCESS This user’s SSL coverage is already optimal.
It display "This users's SSL coverage is already optimal", but the Certificate expiry doesn't change the date, I tried to Run AutoSSL on this hosting many time but nothing effect. So this is about one hosting.

===================================================================================================================================

On another hosting, some domain get the error when each time I run AutoSSL:
Code:
DNS DCV: The DNS query to “_cpanel-dcv-test-record.domain2.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=hash”.; HTTP DCV: The system queried for a temporary file at “http://domain2.com/.well-known/pki-validation/hash.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “domain2.com” resolved to an IP address “103.20.XXX.X” that does not exist on this server.
Code:
DNS DCV: The DNS query to “_cpanel-dcv-test-record.domain2.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=hash”.; HTTP DCV: The system queried for a temporary file at “http://mail.domain2.com/.well-known/pki-validation/hash.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “mail.domain2.com” resolved to an IP address “103.20.XXX.X” that does not exist on this server.
Please help me, thanks team
 
Last edited by a moderator:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Hello,

The first issue is a result of the domain having an existing certificate which is detailed in the following:

Code:
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
The second issue is that the domain doesn't resolve to the server:
Code:
The domain “domain2.com” resolved to an IP address “103.20.XXX.X” that does not exist on this server.
Domain control validation can not be completed if the domain is hosted on another server.
 

HuyND

Active Member
Oct 29, 2019
26
4
3
Viet Nam
cPanel Access Level
Root Administrator
Hi team,
Thanks for your support.

In the first issue, when I check issuer in WHM -> SSL/TLS -> Manage SSL Hosts, the issuer display "Let's Encrypt", so how can I renew this Ceritificate ??? Or can you support to me others solution SSL/TLS about this issue.

The second issue, this domain is on the same server but It get the dedicated IP, so how can i solve it ???

I just took this administrator job from the old co-worker. I don't know what he did before about this hosting. Thanks you.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
In the first issue, when I check issuer in WHM -> SSL/TLS -> Manage SSL Hosts, the issuer display "Let's Encrypt", so how can I renew this Ceritificate ??? Or can you support to me others solution SSL/TLS about this issue.
For the first issue, it sounds like you may have recently switched from Let's Encrypt to Sectigo as the provider. In order to allow WHM to automatically replace the certificate when it's due for renewal (only relevant if you have a certificate installed from another provider) You'd need to go to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

The second issue, this domain is on the same server but It get the dedicated IP, so how can i solve it ???

A couple of questions to find the answer to before I can give you advice on this.

1. Is the server NAT routed?
2. Is the IP address shown as configured properly on the server? Meaning when you go to WHM>>IP Functions>>Show or Delete Current IP addresses is it present?
 

HuyND

Active Member
Oct 29, 2019
26
4
3
Viet Nam
cPanel Access Level
Root Administrator
For the first issue, it sounds like you may have recently switched from Let's Encrypt to Sectigo as the provider. In order to allow WHM to automatically replace the certificate when it's due for renewal (only relevant if you have a certificate installed from another provider) You'd need to go to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.
So, It mean "Let's Encrypt" is just the plugin of cPanel (not default), if i want to have more the provider except Sectigo I have to install more through SSH ?


A couple of questions to find the answer to before I can give you advice on this.

1. Is the server NAT routed?
2. Is the IP address shown as configured properly on the server? Meaning when you go to WHM>>IP Functions>>Show or Delete Current IP addresses is it present?
1. No, It's not server NAT routed, it's IP Public.
2. Yes, it's shown as configured properly on the server, it's present in "Show or Delete Current IP addresses"
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
So, It mean "Let's Encrypt" is just the plugin of cPanel (not default), if i want to have more the provider except Sectigo I have to install more through SSH ?
No you don't need to install anything. You need to allow AutoSSL to replace the certificate by going to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

For the second issue - what is shown for interface at WHM>>IP Functions>>Show or Delete Current IP addresses?
 

HuyND

Active Member
Oct 29, 2019
26
4
3
Viet Nam
cPanel Access Level
Root Administrator
No you don't need to install anything. You need to allow AutoSSL to replace the certificate by going to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.
Alright, I did it already, just wait to this November 27th.

For the second issue - what is shown for interface at WHM>>IP Functions>>Show or Delete Current IP addresses?
I show it to you. For my customer's security, I clean their domain. hope you understand it for me.
 

Attachments

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Hi @HuyND

I checked in on this ticket and added some information, the analyst is going to be looking into the issue again as I don't believe the case noted is related to your issue. It does look like they need access to the server and they should be responding to you in the ticket shortly.

Thanks!