AutoSSL Exclusion via API issue

[jhawkins003]

We are using the guide posted at https://support.cpanel.net/hc/en-us...-To-Exclude-Sub-domains-From-AutoSSL-In-Bulk- to exclude (mail.) subdomains from the Autossl run - as they are not used in our stack. Unfortunately we keep getting the following errors:

---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
data: ~
errors:
- You do not have the feature “sslinstall”.
messages: ~
metadata: {}

status: 0
warnings: ~
---

This is being run as root so surely it should have sufficient sslinstall privileges? Are we missing a detail? Happy to get advice! I also tried this on another cPanel server we operate to see if I could replicate the problem and it does the same thing.

 

[jhawkins003]

Ok so I fixed our problem. Kindof!

I misunderstood how that API call worked. It apparently operates in lieu of the account user, not root - hence we just had to make sure all user accounts had 'SSL Host Installer' active in their feature package. That said, the script still appears to not quite fire as documented? Now getting:

---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
data: ~
errors:
- The “domains” argument cannot be empty.
messages: ~
metadata: {}

status: 0
warnings: ~
---

 

[cPRex]

Hey there! I'm not seeing any issues when I run the looped command as the root user:

# SUBDOMAIN=mail;find /var/cpanel/users -type f | cut -d"/" -f5 | while read USERNAME;do LIST=`uapi --user=$USERNAME WebVhosts list_ssl_capable_domains | grep -Ei "domain:" | awk '{print $2}' | grep -Ei "^$SUBDOMAIN" | sed -z 's/\n/,/g;s/,$/\n/'` && uapi --user=$USERNAME SSL add_autossl_excluded_domains domains=$LIST ;done
---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
  data: ~
  errors: ~
  messages: ~
  metadata: {}

  status: 1
  warnings: ~
---
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result:
  data: ~
  errors: ~
  messages: ~
  metadata: {}

  status: 1
  warnings: ~

Can you let me know the exact call you're using that is causing the error?

 

[jhawkins003]

Can you let me know the exact call you're using that is causing the error?

Sure! Its precisely the same call; run as root:

# SUBDOMAIN=mail;find /var/cpanel/users -type f | cut -d"/" -f5 | while read USERNAME;do LIST=`uapi --user=$USERNAME WebVhosts list_ssl_capable_domains | grep -Ei "domain:" | awk '{print $2}' | grep -Ei "^$SUBDOMAIN" | sed -z 's/\n/,/g;s/,$/\n/'` && uapi --user=$USERNAME SSL add_autossl_excluded_domains domains=$LIST ;done
--- 
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result: 
  data: ~
  errors: 
    - The “domains” argument cannot be empty.
  messages: ~
  metadata: {}

  status: 0
  warnings: ~
--- 
apiversion: 3
func: add_autossl_excluded_domains
module: SSL
result: 
  data: ~
  errors: 
    - The “domains” argument cannot be empty.
  messages: ~
  metadata: {}

  status: 0
  warnings: ~
---

... etc ...

Is there a chance there is another Feature Manager (or other) dependency we are not aware of?

 

[cPRex]

Interesting - I'm not finding any prerequisites for that API call when I test on my end. I wonder if one of your domains has an issue with userdata, and it hits that error as it works through the loop.

If you run it on just one domain as a test, does that work?

 

[jhawkins003]

Ok when running the command as a one-off I get the following (username/domain subbed out):

# uapi --output=jsonpretty --user=USERNAME SSL add_autossl_excluded_domains domains=mail.DOMAIN
{
   "apiversion" : 3,
   "func" : "add_autossl_excluded_domains",
   "module" : "SSL",
   "result" : {
      "warnings" : null,
      "status" : 0,
      "data" : null,
      "errors" : [
         "The request failed. (Error ID: e9zzzs) Ask your hosting provider to research this error in cPanel & WHM’s main error log."
      ],
      "messages" : null,
      "metadata" : {}
   }
}

When going to the error log I see this

Cpanel::Exception::DomainOwnership/(XID e9zzzs) You do not own the following domain

I can verify via WHM that A) the domain exists and B) it is owned by that user. Furthermore testing multiple domains with various users fails the same way. Also as a reminder - this function does not work on another cPanel server we operate either. Strange!

 

[cPRex]

That's definitely odd - could you create a ticket so we can take a look?

 

[jhawkins003]

That's definitely odd - could you create a ticket so we can take a look?

I knew that was coming. Thanks for the assist and Ill report back!

 

[cPRex]

Yeah, I know - only so much guessing I can do on my end - let us know!

 

[jhawkins003]

Found the issue! Didnt even have to open a ticket in the end. I completely forgot we implemented a script some time ago that pruned .mail entries from /var/cpanel/userdata entries to try to resolve this issue and that seems to have led to the issue with the API call.

 

[cPRex]

Nice!