Auto SSL did not change the expired day

[HuyND]

Hi support cPanel team,
I'm administrator root in Vietnam. I'm administrator of more than 20 shared hostings. I have a trouble for 2 account didn't change the expired day when I click Run Auto SSL in SSL/TLS Status.

This hosting's log SSL show like this:

Log for the AutoSSL run for “USER”: Tuesday, November 12, 2019 9:58:39 AM GMT+0700 (cPanel (powered by Sectigo))
9:58:39 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “USER”’s domains …
9:58:39 AM Analyzing “mail.domain.com” …
9:58:39 AM TLS Status: Incomplete
Certificate expiry: 11/27/19, 8:17 PM UTC (15.72 days from now)
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
9:58:39 AM Analyzing “domain.com” …
9:58:39 AM TLS Status: Incomplete
Certificate expiry: 11/27/19, 8:17 PM UTC (15.72 days from now)
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
9:58:39 AM SUCCESS This user’s SSL coverage is already optimal.

It display "This users's SSL coverage is already optimal", but the Certificate expiry doesn't change the date, I tried to Run AutoSSL on this hosting many time but nothing effect. So this is about one hosting.

===================================================================================================================================

On another hosting, some domain get the error when each time I run AutoSSL:

DNS DCV: The DNS query to “_cpanel-dcv-test-record.domain2.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=hash”.; HTTP DCV: The system queried for a temporary file at “http://domain2.com/.well-known/pki-validation/hash.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “domain2.com” resolved to an IP address “103.20.XXX.X” that does not exist on this server.

DNS DCV: The DNS query to “_cpanel-dcv-test-record.domain2.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=hash”.; HTTP DCV: The system queried for a temporary file at “http://mail.domain2.com/.well-known/pki-validation/hash.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “mail.domain2.com” resolved to an IP address “103.20.XXX.X” that does not exist on this server.

Please help me, thanks team

 

[cPanelLauren]

Hello,

The first issue is a result of the domain having an existing certificate which is detailed in the following:

Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.

The second issue is that the domain doesn't resolve to the server:

The domain “domain2.com” resolved to an IP address “103.20.XXX.X” that does not exist on this server.

Domain control validation can not be completed if the domain is hosted on another server.

 

[HuyND]

Hi team,
Thanks for your support.

In the first issue, when I check issuer in WHM -> SSL/TLS -> Manage SSL Hosts, the issuer display "Let's Encrypt", so how can I renew this Ceritificate ??? Or can you support to me others solution SSL/TLS about this issue.

The second issue, this domain is on the same server but It get the dedicated IP, so how can i solve it ???

I just took this administrator job from the old co-worker. I don't know what he did before about this hosting. Thanks you.

 

[cPanelLauren]

In the first issue, when I check issuer in WHM -> SSL/TLS -> Manage SSL Hosts, the issuer display "Let's Encrypt", so how can I renew this Ceritificate ??? Or can you support to me others solution SSL/TLS about this issue.

For the first issue, it sounds like you may have recently switched from Let's Encrypt to Sectigo as the provider. In order to allow WHM to automatically replace the certificate when it's due for renewal (only relevant if you have a certificate installed from another provider) You'd need to go to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

The second issue, this domain is on the same server but It get the dedicated IP, so how can i solve it ???

A couple of questions to find the answer to before I can give you advice on this.

1. Is the server NAT routed?
2. Is the IP address shown as configured properly on the server? Meaning when you go to WHM>>IP Functions>>Show or Delete Current IP addresses is it present?

 

[HuyND]

For the first issue, it sounds like you may have recently switched from Let's Encrypt to Sectigo as the provider. In order to allow WHM to automatically replace the certificate when it's due for renewal (only relevant if you have a certificate installed from another provider) You'd need to go to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

So, It mean "Let's Encrypt" is just the plugin of cPanel (not default), if i want to have more the provider except Sectigo I have to install more through SSH ?

A couple of questions to find the answer to before I can give you advice on this.

1. Is the server NAT routed?
2. Is the IP address shown as configured properly on the server? Meaning when you go to WHM>>IP Functions>>Show or Delete Current IP addresses is it present?

1. No, It's not server NAT routed, it's IP Public.
2. Yes, it's shown as configured properly on the server, it's present in "Show or Delete Current IP addresses"

 

[cPanelLauren]

So, It mean "Let's Encrypt" is just the plugin of cPanel (not default), if i want to have more the provider except Sectigo I have to install more through SSH ?

No you don't need to install anything. You need to allow AutoSSL to replace the certificate by going to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

For the second issue - what is shown for interface at WHM>>IP Functions>>Show or Delete Current IP addresses?

 

[HuyND]

No you don't need to install anything. You need to allow AutoSSL to replace the certificate by going to WHM>>SSL/TLS>>Manage AutoSSL->Options -> Select Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Alright, I did it already, just wait to this November 27th.

For the second issue - what is shown for interface at WHM>>IP Functions>>Show or Delete Current IP addresses?

I show it to you. For my customer's security, I clean their domain. hope you understand it for me.

 

[cPanelLauren]

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[HuyND]

Hello Lauren,
I update the ticket ID: 13802737

 

[cPanelLauren]

Hi @HuyND

I checked in on this ticket and added some information, the analyst is going to be looking into the issue again as I don't believe the case noted is related to your issue. It does look like they need access to the server and they should be responding to you in the ticket shortly.

Thanks!