AutoSSL Exclusion via API issue

jhawkins003

Well-Known Member
Jun 24, 2014
56
17
58
cPanel Access Level
Root Administrator
We are using the guide posted at https://support.cpanel.net/hc/en-us...-To-Exclude-Sub-domains-From-AutoSSL-In-Bulk- to exclude (mail.) subdomains from the Autossl run - as they are not used in our stack. Unfortunately we keep getting the following errors:

---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
data: ~
errors:
- You do not have the feature “sslinstall”.
messages: ~
metadata: {}

status: 0
warnings: ~
---

This is being run as root so surely it should have sufficient sslinstall privileges? Are we missing a detail? Happy to get advice! I also tried this on another cPanel server we operate to see if I could replicate the problem and it does the same thing.
 
Last edited by a moderator:

jhawkins003

Well-Known Member
Jun 24, 2014
56
17
58
cPanel Access Level
Root Administrator
Ok so I fixed our problem. Kindof!

I misunderstood how that API call worked. It apparently operates in lieu of the account user, not root - hence we just had to make sure all user accounts had 'SSL Host Installer' active in their feature package. That said, the script still appears to not quite fire as documented? Now getting:

---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
data: ~
errors:
- The “domains” argument cannot be empty.
messages: ~
metadata: {}

status: 0
warnings: ~
---
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,474
2,604
363
cPanel Access Level
Root Administrator
Hey there! I'm not seeing any issues when I run the looped command as the root user:

Code:
# SUBDOMAIN=mail;find /var/cpanel/users -type f | cut -d"/" -f5 | while read USERNAME;do LIST=`uapi --user=$USERNAME WebVhosts list_ssl_capable_domains | grep -Ei "domain:" | awk '{print $2}' | grep -Ei "^$SUBDOMAIN" | sed -z 's/\n/,/g;s/,$/\n/'` && uapi --user=$USERNAME SSL add_autossl_excluded_domains domains=$LIST ;done
---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
  data: ~
  errors: ~
  messages: ~
  metadata: {}

  status: 1
  warnings: ~
---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
  data: ~
  errors: ~
  messages: ~
  metadata: {}

  status: 1
  warnings: ~
Can you let me know the exact call you're using that is causing the error?
 

jhawkins003

Well-Known Member
Jun 24, 2014
56
17
58
cPanel Access Level
Root Administrator
Can you let me know the exact call you're using that is causing the error?
Sure! Its precisely the same call; run as root:

Code:
# SUBDOMAIN=mail;find /var/cpanel/users -type f | cut -d"/" -f5 | while read USERNAME;do LIST=`uapi --user=$USERNAME WebVhosts list_ssl_capable_domains | grep -Ei "domain:" | awk '{print $2}' | grep -Ei "^$SUBDOMAIN" | sed -z 's/\n/,/g;s/,$/\n/'` && uapi --user=$USERNAME SSL add_autossl_excluded_domains domains=$LIST ;done
--- 
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result: 
  data: ~
  errors: 
    - The “domains” argument cannot be empty.
  messages: ~
  metadata: {}

  status: 0
  warnings: ~
--- 
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result: 
  data: ~
  errors: 
    - The “domains” argument cannot be empty.
  messages: ~
  metadata: {}

  status: 0
  warnings: ~
---

... etc ...
Is there a chance there is another Feature Manager (or other) dependency we are not aware of?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,474
2,604
363
cPanel Access Level
Root Administrator
Interesting - I'm not finding any prerequisites for that API call when I test on my end. I wonder if one of your domains has an issue with userdata, and it hits that error as it works through the loop.

If you run it on just one domain as a test, does that work?
 

jhawkins003

Well-Known Member
Jun 24, 2014
56
17
58
cPanel Access Level
Root Administrator
Ok when running the command as a one-off I get the following (username/domain subbed out):

Code:
# uapi --output=jsonpretty --user=USERNAME SSL add_autossl_excluded_domains domains=mail.DOMAIN
{
   "apiversion" : 3,
   "func" : "add_autossl_excluded_domains",
   "module" : "SSL",
   "result" : {
      "warnings" : null,
      "status" : 0,
      "data" : null,
      "errors" : [
         "The request failed. (Error ID: e9zzzs) Ask your hosting provider to research this error in cPanel & WHM’s main error log."
      ],
      "messages" : null,
      "metadata" : {}
   }
}
When going to the error log I see this

Code:
Cpanel::Exception::DomainOwnership/(XID e9zzzs) You do not own the following domain
I can verify via WHM that A) the domain exists and B) it is owned by that user. Furthermore testing multiple domains with various users fails the same way. Also as a reminder - this function does not work on another cPanel server we operate either. Strange!
 

jhawkins003

Well-Known Member
Jun 24, 2014
56
17
58
cPanel Access Level
Root Administrator
Found the issue! Didnt even have to open a ticket in the end. I completely forgot we implemented a script some time ago that pruned .mail entries from /var/cpanel/userdata entries to try to resolve this issue and that seems to have led to the issue with the API call.