AutoSSL (cPanel/Sectigo) fails to automatically renew

jnyr5478 (Active Member; joined Jun 23, 2017; USA; cPanel Access Level: Root Administrator)
Hi :)

In short, a cPanel/Sectigo certificate should have been renewed automatically by 3/4/20 but was not. The certificate was renewed manually and is now working.

I created a similar thread here, but this problem is a bit different. My previous thread was solved by enabling Global DCV Passthrough. This VPS runs WHM 86.0.8, and I believe Global DCV Passthrough is no longer available (and I think it was specific to the Let's Encrypt plugin).

1. I ran
Code:
whmapi1 get_autossl_problems_for_user username=$user
and the following was returned:

Code:
data:
  problems_by_domain: []

metadata:
  command: get_autossl_problems_for_user
  reason: OK
  result: 1
  version: 1
2. I have searched /usr/local/cpanel/logs/error_log and have not found any pki-validation problems.

3. In SSL/TLS > Manage AutoSSL > Logs, the only entries I see are the result of manual checks. Here's the most recent log:

Code:
Log for the AutoSSL run for “{{ $user }}”: Wednesday, March 4, 2020 11:00:15 AM GMT-0500 (cPanel (powered by Sectigo))
11:00:15 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “{{ $user }}”’s domains …
11:00:15 AM Analyzing “{{ $domain }}” …
11:00:15 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 3/4/20, 12:00 AM UTC (0.67 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
11:00:15 AM Attempting to ensure the existence of necessary CAA records …
11:00:15 AM No CAA records were created.
11:00:15 AM Verifying 11 domains’ DNS management …
Verifying “cPanel (powered by Sectigo)”’s authorization on 11 domains via DNS CAA records …
11:00:15 AM DNS manages “www.{{ $domain }}”.
DNS manages “{{ $domain }}”.
DNS manages “mail.{{ $domain }}”.
DNS manages “cpanel.{{ $domain }}”.
DNS manages “webdisk.{{ $domain }}”.
DNS manages “webmail.{{ $domain }}”.
DNS manages “cpcontacts.{{ $domain }}”.
DNS manages “cpcalendars.{{ $domain }}”.
DNS manages “www.{{ $parkedDomain }}”.
DNS manages “{{ $parkedDomain }}”.
DNS manages “mail.{{ $parkedDomain }}”.
DNS manages 11 of this user’s 11 domains.
CA authorized: “{{ $parkedDomain }}”
CA authorized: “www.{{ $parkedDomain }}”
CA authorized: “{{ $domain }}”
CA authorized: “www.{{ $domain }}”
CA authorized: “mail.{{ $domain }}”
CA authorized: “cpanel.{{ $domain }}”
CA authorized: “cpcalendars.{{ $domain }}”
CA authorized: “cpcontacts.{{ $domain }}”
CA authorized: “webmail.{{ $domain }}”
CA authorized: “webdisk.{{ $domain }}”
CA authorized: “mail.{{ $parkedDomain }}”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 11 of this user’s 11 domains.
11:00:15 AM Performing HTTP DCV (Domain Control Validation) on 11 domains …
11:00:15 AM Local HTTP DCV OK: {{ $domain }}
Local HTTP DCV OK: {{ $parkedDomain }}
Local HTTP DCV OK: www.{{ $domain }} (via {{ $domain }})
Local HTTP DCV OK: mail.{{ $domain }} (via {{ $domain }})
Local HTTP DCV OK: cpanel.{{ $domain }} (via {{ $domain }})
Local HTTP DCV OK: webdisk.{{ $domain }} (via {{ $domain }})
Local HTTP DCV OK: webmail.{{ $domain }} (via {{ $domain }})
Local HTTP DCV OK: www.{{ $parkedDomain }} (via {{ $parkedDomain }})
Local HTTP DCV OK: mail.{{ $parkedDomain }} (via {{ $parkedDomain }})
Local HTTP DCV OK: cpcontacts.{{ $domain }} (via {{ $domain }})
Local HTTP DCV OK: cpcalendars.{{ $domain }} (via {{ $domain }})
11:00:15 AM No local DNS DCV is necessary.
11:00:15 AM Processing “{{ $user }}”’s local DCV results …
11:00:15 AM Analyzing “{{ $domain }}”’s DCV results …
11:00:15 AM AutoSSL will request a new certificate.
11:00:15 AM The system will attempt to renew the SSL certificate for the website ({{ $domain }}: {{ $domain }} www.{{ $domain }} mail.{{ $domain }} {{ $parkedDomain }} www.{{ $parkedDomain }} mail.{{ $parkedDomain }} webmail.{{ $domain }} cpanel.{{ $domain }} webdisk.{{ $domain }} cpcontacts.{{ $domain }} cpcalendars.{{ $domain }}).
11:00:40 AM The cPanel Store received “{{ $domain }}”’s certificate order. (Order Item ID: 858318653) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
The system has completed “{{ $user }}”’s AutoSSL check.
11:02:02 AM Polling for “{{ $user }}”’s new certificate for “{{ $domain }}” (order item ID “858318653”) …
11:02:04 AM The certificate is not available. (processing)
11:04:02 AM Polling for “{{ $user }}”’s new certificate for “{{ $domain }}” (order item ID “858318653”) …
The certificate is available. The system will now attempt to install it.
SUCCESS The certificate is now installed!
I don't think that the parked domain is the cause; we've experienced this problem in the past, prior to the parked domain being added.

The following lines are present in .htaccess before every rewrite that we created:

Code:
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
As mentioned previously, Global DCV Passthrough solved this on another server, but I don't think that's an option here.

I do see /.well-known/pki-validation on the server, but the folder is empty.

Thanks!
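The three RewriteCond lines in the post above are the exclusions cPanel places in front of custom rewrites so that the HTTP DCV probe for /.well-known/pki-validation/ and /.well-known/cpanel-dcv/ is served as a plain file rather than being redirected or routed into an application front controller. The following is an added example (not code from the post, from cPanel or from Sectigo) that translates those conditions to Python and audits an .htaccess for RewriteRule directives that are not guarded by them. The sample .htaccess is constructed; the function names are my own.

```python
import re

# Python translations of the three RewriteCond exclusions quoted above. In
# Apache they are negated ("!"), so a rewrite only fires when the request
# URI does NOT match any of them; here each regex matches a DCV request.
DCV_PATTERNS = [
    re.compile(r'^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$'),
    re.compile(r'^/\.well-known/pki-validation/(?: Ballot169)?'),
    re.compile(r'^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?: Sectigo DCV)?$'),
]

def is_dcv_request(uri: str) -> bool:
    """True when the request URI is one a cPanel/Sectigo HTTP DCV probe would use."""
    return any(p.search(uri) for p in DCV_PATTERNS)

def _split_directive(line: str) -> list:
    """Split an Apache directive on whitespace, keeping backslash-escaped
    spaces (e.g. "\\ Ballot169") inside the same argument."""
    return re.split(r'(?<!\\)\s+', line.strip())

def audit_htaccess(text: str) -> list:
    """Return (line_no, rule_text, guarded) for every RewriteRule.

    Apache attaches RewriteCond lines to the next RewriteRule only, so the
    pending conditions are reset after each rule. A rule counts as 'guarded'
    when a negated condition on the pki-validation path precedes it.
    """
    findings, pending = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = _split_directive(line)
        directive = parts[0].lower()
        if directive == 'rewritecond' and len(parts) >= 3:
            pending.append(parts[2])
        elif directive == 'rewriterule':
            guarded = any(p.startswith('!') and 'pki-validation' in p for p in pending)
            findings.append((line_no, line, guarded))
            pending = []
    return findings

def unguarded_rules(text: str) -> list:
    """Line numbers of RewriteRules that could swallow a DCV validation request."""
    return [ln for ln, _, guarded in audit_htaccess(text) if not guarded]

# Constructed sample .htaccess (not from the post): one rule carrying the
# cPanel exclusions, one front-controller rule that lacks them.
SAMPLE_HTACCESS = r"""RewriteEngine On
# guarded: the cPanel exclusions precede the redirect
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# unguarded: a DCV probe for a real .txt file would be routed into index.php
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?path=$1 [L]
"""

if __name__ == '__main__':
    for line_no, rule, guarded in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {line_no}: {'guarded' if guarded else 'UNGUARDED'}: {rule}")
    print(is_dcv_request('/.well-known/pki-validation/' + 'A' * 32 + '.txt'))
```

Running the audit over each account's .htaccess (and any included per-directory files) is a quick way to rule out rewrite interference before looking at the cPanel Store side of the order; a guarded rule is not a problem for local HTTP DCV, an unguarded catch-all is.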
 

cPanelLauren (Product Owner II, Staff member; joined Nov 14, 2017; Houston)
Are you at all aware if the order was pending (DCV was successful) but the certificate had not been issued yet? There was an issue over the last few days (which ended yesterday) where Sectigo certificate requests were not being validated for an extended period of time.
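To answer the "was the order stuck pending?" question from the logs rather than from memory, the following added example (my own code, not cPanel's) summarises AutoSSL run logs in the format quoted in the first post: it collects ERROR lines, the order item ID, how many polls reported "not available", and whether an install was recorded, then lists runs that ordered a certificate but never installed one. The log excerpts are constructed; the ID 858318653 is the one shown in the first post and 000000000 is a placeholder.

```python
import re

# Constructed sample log excerpts in the format of the AutoSSL log quoted in
# the first post (one completed run, one run whose order never got installed).
SAMPLE_RUNS = {
    "2020-03-04 manual check": """\
11:00:15 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 3/4/20, 12:00 AM UTC (0.67 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
11:00:15 AM AutoSSL will request a new certificate.
11:00:40 AM The cPanel Store received "example.test"'s certificate order. (Order Item ID: 858318653) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
11:02:04 AM The certificate is not available. (processing)
The certificate is available. The system will now attempt to install it.
SUCCESS The certificate is now installed!
""",
    "2020-02-18 scheduled run (placeholder)": """\
11:00:15 AM AutoSSL will request a new certificate.
11:00:40 AM The cPanel Store received "example.test"'s certificate order. (Order Item ID: 000000000) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
11:02:04 AM The certificate is not available. (processing)
11:04:04 AM The certificate is not available. (processing)
""",
}

ORDER_RE = re.compile(r'Order Item ID: (\d+)')
NOT_AVAILABLE = 'The certificate is not available.'
INSTALLED = 'SUCCESS The certificate is now installed!'

def summarize_run(log: str) -> dict:
    """Extract the facts that matter for triage from one AutoSSL run log."""
    errors = [line for line in log.splitlines() if re.search(r'\bERROR\b', line)]
    m = ORDER_RE.search(log)
    return {
        'errors': errors,                              # lines flagged ERROR (e.g. expiry, OPENSSL_VERIFY)
        'order_id': m.group(1) if m else None,         # cPanel Store order item ID, if an order was placed
        'pending_polls': log.count(NOT_AVAILABLE),     # how many polls came back "not available"
        'installed': INSTALLED in log,                 # whether the run recorded an install
    }

def run_status(summary: dict) -> str:
    """'installed', 'pending' (ordered but not installed) or 'no-order'."""
    if summary['installed']:
        return 'installed'
    if summary['order_id']:
        return 'pending'
    return 'no-order'

def stuck_orders(runs: dict) -> list:
    """(run name, order item ID) for runs that ordered but never recorded an install."""
    return [(name, s['order_id']) for name, log in runs.items()
            for s in [summarize_run(log)] if run_status(s) == 'pending']

if __name__ == '__main__':
    for name, log in SAMPLE_RUNS.items():
        s = summarize_run(log)
        print(f"{name}: {run_status(s)}, order {s['order_id']}, "
              f"{s['pending_polls']} pending poll(s), {len(s['errors'])} error line(s)")
    print("stuck:", stuck_orders(SAMPLE_RUNS))
```

If the only logs present are from manual checks, as the poster reports, the absence of a scheduled run is itself the finding: there is no order to be stuck, and the question shifts to why the scheduled AutoSSL check did not run for that account.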
 

jnyr5478
I haven't seen anything that would suggest a stuck pending order. All of the logs in SSL/TLS > Manage AutoSSL > Logs are the result of having manually run a check. I've looked through the error log and don't see anything obvious regarding AutoSSL on 2/18 (15 days prior to expiration). And this same scenario has happened previously on this server so I don't think it's related to the recent Sectigo issue.
 

SlapHappy (Member; joined Jul 8, 2014; cPanel Access Level: Reseller Owner)
There was an issue over the last few days (which ended yesterday) where Sectigo certificate requests were not being validated for an extended period of time.
Has the issue indeed been fixed? Usually a certificate request could take up to 30 minutes to complete, but it has been 5+ hours now for a single certificate.
 

cPanelLauren
@cPanelLauren This server is licensed through its hosting provider so I'll open a ticket with them first, referencing this thread. Thank you.
Sounds good, though if they're not able to identify the cause - please feel welcome to open a ticket with us.


Has the issue indeed been fixed? Usually a certificate request could take up to 30 minutes to complete, but it has been 5+ hours now for a single certificate.
According to Sectigo the delays were resolved on the 3rd, we've not had further reports of this issue occurring.
 

cPanelLauren
@cPanelLauren The hosting provider didn't help too much. I've just opened a cPanel support ticket, #93458823. Thank you.
I guess I should have waited a couple minutes to respond :) I'll check out your ticket and note this thread on it. I'll update here with the outcome as well. Thanks!