SOLVED AutoSSL "does not own" errors for www.mail subdomains

Customer contacted us saying his AutoSSL cert stopped working. It expired a week ago and wasn't auto renewed. Its the primary domain on his plan. All his addon domains have up to date certs.

When I run a check from WHM, on his account it comes back with this...

WARN (XID fzekvz) “username” does not own a domain named “www.mail.domain.com” on this server.

That's just a warn - so it most likely isn't the cause of the cert not being renewed - unfortunately, it doesn't get any further on the domain and doesn't list anything else about his primary domain - and it doesn't get renewed. The ssl check proceeds to check the remaining addons as normal. It's like this...

3:43:38 PM Checking “sub.domain.com” …
3:43:38 PM SUCCESS TLS Status: OK
Certificate expiry: 9/12/18, 12:00 AM UTC (90.39 days from now)
3:43:38 PM Checking “domain.com” …
3:43:38 PM WARN (XID fzekvz) “username” does not own a domain named “www.mail.domain.com” on this server.
3:43:38 PM Checking “sub.domain.com” …
3:43:38 PM SUCCESS TLS Status: OK

So it seems to be skipping it. when I look in the SSL Host Manager in WHM the certificate is showing as expired.

I'm wondering if anyone else has seen this before?

 

Thanks Michael, yes that resolved it but this could be a bigger issue for us.

The "www.mail.domain" entries were added some time ago by the EA4 to EA3 downgrade script which must have contained a bug.

Soon after EA4 was released, we updated our servers but we came up against a number of issues that meant we had to go back to EA3. We ran the downgrade script provided by cpanel, which for some reason created full subdomains of www.mail.domain - for every domain on every server.

We used the "list subdomains" option in WHM to remove these manually. It was very time consuming.

It seems even after doing that - these www.mail entries are still hanging around in those /var/cpanel/userdata/ files.

If I look at "Manage SSL Hosts" in WHM I see lots of www.mail.domain entries - all showing red padlocks. If the SSL check script now skips primary domains that are in this situation, we will potentially see lots of certificates not being renewed when they are due.

Can you suggest a way to remove these across all of our servers? I'd need to find a way to search for the www.mail.domain string for every domain on the server and remove the entries from those files.

 

Thanks for that Michael. i appreciate you taking the time to look into that for me. Looks good. Does it exclude deleting the entries from the cache files?
I notice that the script removes the www.mail.domain entry from the "serveralias" section of the file. In some cases it seems the file is named like this -
/var/cpanel/userdata/mail.domain.com and the serveralias line only contains www.mail.domain.com - so when the script would be run against that file, it would completely remove the text after serveralias: line - leaving it empty.

Is that going to cause a problem?

 

Yes that makes sense, thanks for your help.