AUTO SSL Not Issuing Certificate for 1 Website

Jan 8, 2020
16
1
3
New Hampshire, USA
cPanel Access Level
Root Administrator
Hi,

I have a website on a dedicated server that is not renewing an SSL certificate during the AutoSSL process, or when done manually. The other sites on the server are being issued during AutoSSL without an issue. While there was a recent hack everything is now scanning clean with 3 different malware/virus/exploit scanners. I checked Google Search Console and there are no manual actions or security issues being reported there. Here is the AutoSSL log:

Analyzing “..........”’s domains …
12:48:38 PM Analyzing …
12:48:38 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 1/5/20, 6:38 PM UTC (2.97 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
12:48:38 PM Attempting to ensure the existence of necessary CAA records …
12:48:38 PM No CAA records were created.
12:48:38 PM Verifying “cPanel (powered by Sectigo)”’s authorization on domains via DNS CAA records …
12:48:38 PM “cPanel (powered by Sectigo)” is authorized to issue certificates for all domains.
12:48:38 PM Performing HTTP DCV (Domain Control Validation) on 12 domains …
12:48:38 PM Local HTTP DCV OK

.......

12:48:38 PM Analyzing “........”’s DCV results …
12:48:38 PM WARN Replacing an externally-signed certificate …
AutoSSL will request a new certificate.

Any help would be much appreciated! Thank you!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
This indicates that the local checks are being completed successfully which is almost always an indicator that Sectigo's will complete as well. Does the site get flagged by Google's Safe Browsing? You can check this here: Google Transparency Report if there is an issue with Malware on the site Sectigo will not issue a certificate until it is removed from this interface.
 
Jan 8, 2020
16
1
3
New Hampshire, USA
cPanel Access Level
Root Administrator
Thank you for the info, Google Safe Browsing is not posting any warnings about the site and everything is clear in the transparency report. The site was hacked a few months ago, along with about 50 other sites on the server. I cleaned all the sites and reported them as cleaned through Google Search Console, since then everything has been fine until just recently. There may be a couple other websites with SSL issues but this is the only one that I am getting notifications on every day. Seems that no matter what I do I can't get the certificate issued for the site. It would make sense if it was a security/malware issue but im just not seeing that, neither is Google, which is why Im a bit stumped.
 
Jan 8, 2020
16
1
3
New Hampshire, USA
cPanel Access Level
Root Administrator
Taking a closer look at the notification email this morning, I see this at the bottom:
Issuer:
countryNameUS
organizationNameLet's Encrypt
commonNameLet's Encrypt Authority X3

Is there a conflict between the two different SSL companies? I couldn't find a way to remove Let's Encrypt.

Also, what would be the reason why I get the notifications that tell me I need to take action, but it doesn't say what the issue is that I need to fix? I would think if not in the email for security reasons it would tell me in the logs, but it really gives me no clue at all what is wrong. Can't cPanel/Sectigo add error codes to this? I just saw so many others with the same types of unknown SSL problems when I Google searched it.