AutoSSL failed to request SSL certificate Permission Denied

[rivali]

Hello, I have two domains that are suddenly failing to renew their SSL certificates. The error message is something like this:

ERROR AutoSSL failed to request an SSL certificate for “domain.com” because of an error: (XID ...) The cPanel Store returned an error (X::PermissionDenied) in response to the request “POST ssl/certificate/free”: This partner does not offer free 90-day certificates

These domains are on a dedicated server with several other domains. AutoSSL is definitely enabled on the server and the other domains were able to renew with no problems, so it doesn't seem to be the same issue as a previous thread I found on this forum that had a similar error message.

These two domains were previously able to obtain certificates via AutoSSL. I believe this is the first time they are trying to renew since the original certs were obtained via AutoSSL.

I've looked in the AutoSSL logs in WHM and the above error message is what I found. Any ideas as to why this is happening or where to start troubleshooting would be greatly appreciated.

 

[cPanelLauren]

Hello,


The error message being provided indicates that the provider you purchased your cPanel license through has disabled the 90 day certificates from cPanel's AutoSSL feature. I would suggest discussing this with your provider to identify the steps necessary to obtain a free 90-day certificate using AutoSSL

Thank you,

 

[rivali]

Thanks cPanelLauren! I'm not sure that's the reason as we own the server and we ran the AutoSSL renewals through WHM, not just cPanel. And, as I mentioned above, all the other domains (all same owner on same server) renewed automatically with no problems whatsoever. Only these two had errors and I can't figure out why. Is there any location I can check for a log that would provide more info than the above error message?

 

[rivali]

Sorry, just to clarify: we have root access to the server. We did not disable AutoSSL or the 90-day cert feature and it continues to work fine with other domains on the same server.

Would you be able to point me to:
1) Any location on the server where I might be able to find/edit the configuration files for AutoSSL? Are they in /etc somewhere?
2) Any location on the server where more detailed AutoSSL logs might be found, so I can troubleshoot better?

Thank you for any help you can give.

 

[rivali]

After investigating further, it looks like one domain was allowed to expire and then the owner renewed it a few days later after it had already lapsed. It looks like AutoSSL may have checked the domain during this expired period so it would of course have failed the DCV test at that time.

The domain is now renewed and the website is still hosted on this server (nothing was changed on the server/website side throughout), but it may be that the temporary IP during the lapsed period is still somehow cached somewhere by AutoSSL/cPanel, so it keeps thinking it can't be validated.

Is there a DNS caching period? How long would it take before AutoSSL picks up on the current IP for the renewed domain? The domain was renewed by the owner around the 16th so it's already been a week. The correct IP address should be fully propagated by now. The website was already loading fine on the 17th. Is there any command to tell AutoSSL to double-check the domain again so it will know that the website is now back on our server?

 

[cPanelLauren]

Hi @rivali

That specific error message won't come up for any other reason than if the AutoSSL 90 day certs are disabled, this isn't something that you would be able to manage from the server either, the license provider would have had to do this in their licensing interface.

If you had a temporary IP assigned to the site it may be that the IP had previously been assigned to a provided that disallowed this. When the IP was changed the AutoSSL process was able to complete.

You can run the check again any time you would like by running the following via CLI:

/usr/local/cpanel/bin/autossl_check --user=$USER |--all

You can also do this via the UI at WHM>>SSL/TLS>>Manage AutoSSL

Are you getting an error when running this now?

Thank you,

 

[rivali]

Thanks cPanelLauren!

1) Sorry, I was not clear - when I referred to the domain being renewed I meant the domain name registration being renewed by the domain owner, not to the AutoSSL cert being renewed.

From what I can tell, it looks like the domain name owner allowed the domain name registration to lapse for about 6 days. During this time AutoSSL was running its usual nightly checks and of course DCV failed because during those 6 expired days the domain name was reassigned to some other temporary IP by the domain registrar.

About 6 days after the domain name expired, the owner renewed the domain name registration. We had not removed the site or the zone file from our server during this period, so once the domain name registration was renewed, the original IP settings kicked back in and the site came back online same as before.

It has now been about a week or slightly longer since the domain name registration was renewed, so the live website IP should already have propagated.

But AutoSSL is still giving the same error when it tries to renew the SSL certificate, which is why I asked whether it was somehow caching an old DNS record - because maybe it is still thinking that the IP is the temporary one from the expired period, whereas the current/new IP should be the correct one pointing to our own server and ought to pass DCV with no problems.

2) Another domain may have a similar problem. It is partly hosted on a different server with a different hosting company. Some subdomains, including the mail server subdomains, are hosted on this server, but the main domain and the www subdomain are on another server.

In cPanel I disabled AutoSSL renewal for the main domain and the www subdomain but enabled AutoSSL renewal for the mail subdomain. The IP address for the mail subdomain is that of our server. It is also getting the same AutoSSL renewal error message.

3) A third domain originally had no website. It was just used as a pointer to another site. The pointer was originally set using the domain registrar's control panel. A few days ago I changed the DNS settings so that the DNS and the website are now hosted on our server.

There is a 301 redirect in cPanel from this third domain to another site. There is also an A record for this third domain in our server's zone file, going to this server's IP address.

This third domain is also getting the same error message. I am wondering whether it is because AutoSSL is still seeing the old IP address set at the domain name registrar (which went nowhere), or if it is because the pointer redirect causes problems with DCV.

Since it is just a pointer it is fine if it doesn't get an SSL cert, but we would at least like the mail subdomain to have a cert. There is no redirect for the mail subdomain and the A record for the mail subdomain is the correct IP address for our server.

4) AutoSSL was originally able to give SSL certificates to all three problem domains the first time around, so I am not sure why things have changed now.

I noticed that the change log in WHM mentions an update on 3/26: "Implemented case CPANEL-18952: Update AutoSSL provider to sort vhost FQDNs for Apache TLS."

Could this change have had any effect on the renewals of the above 3 domains?

5) I temporarily disabled AutoSSL on the problem domain names yesterday. I was hoping maybe if I gave it a short break it would realize the IP had changed back to that of our own server after I re-enabled it.

However, I just tested it again via the WHM UI as per your post, and it is still giving the same error for all three domains.

Could you please clarify who you meant by "license provider"? Is that a reference to the hosting company or the domain name registrar, or the certificate provider, or some other party?

If it's the hosting company I could try to ask them whether they manually disabled AutoSSL on those three domains. Could be they noticed the repeated errors and took action without letting us know.

Sorry for the lengthy reply (bolding added to hopefully make the key points stand out more from the wall of text ) and thanks very much for your help!

 

[cPanelLauren]

Hi @rivali

From what it looks like all the domains are getting the same error regardless of the status of the domain or extenuating circumstances - if this is incorrect and you have some domains getting certificates and some NOT getting certificates and all are using Comodo as the provider I would urge you to open a ticket using the link in my signature so that we can take a closer look.

Could you please clarify who you meant by "license provider"? Is that a reference to the hosting company or the domain name registrar, or the certificate provider, or some other party?

The AutoSSL 90-day certificate is something that can be disabled by the provider you purchased your cPanel license from. There are a few ways to purchase a cPanel license, you can get one directly from cPanel or you can purchase one from a 3rd party or your hosting provider can provide you with one. You can check who you purchased your license from by going to cPanel & WHM License Verification | cPanel Inc. and entering your IP address for your license.

The AutoSSL 90-day certificate is able to be disabled per licensed IP address and would affect all domains on the server using AutoSSL 90-day certificates from Comodo.


Thank you,

 

[rivali]

Thanks very much for the quick reply, cPanelLauren! There are more than 20 domains on the server at the moment and all the rest have been renewing without any problems.

Only these three domains are having AutoSSL renewal issues, and these are also the only three with "unusual" setups/issues relating to their domain name registrations or hosting setups. (ie. one temporarily expired domain name registration, one using a 301 pointer redirect, and one partly hosted on a different server with AutoSSL requested only for the subdomain hosted on our server.)

The cPanel came with the server so I'm guessing it came from the hosting provider. I will check using the license verification link you provided and open a support ticket as you recommended, since none of our other domains are having this renewal problem.

 

[cPanelLauren]

Hi @rivali

I think it may be best to open a ticket so we can look closer, either way. This shouldn't be happening for just a few domains on the server.

Please post the ticket ID here once it's open so we can follow up here once the ticket is complete.

Thank you,

 

[rivali]

Yes, based on what you said, if it had been disabled by the license provider then all the domains on the server would have failed since they are all on the same IP address, but all of them renewed successfully except for these three.

I'm kind of wondering if it had something to do with the cPanel update of 3/26 mentioned in the cPanel changelogs, because these errors seem to have started just about then.

I have opened a ticket with the same subject as this thread title. The ticket # is 9464277.

Thank you very much for all your help, cPanelLauren!

 

[cPanelLauren]

Hi @rivali

You're most welcome, thank you for posting the Ticket Id here I've checked your ticket and I'll update here as soon as there's more information.


Thank you,

 

[cPanelLauren]

Hi @rivali

Something I noticed when I looked at your ticket, it does indicate that your provider has disabled purchase certificates and 90-day certificates. I am curious, if you attempt to run the AutoSSL check on a domain that previously worked, do you get the same error?

Thank you,

 

[rivali]

Hi cPanelLauren,

No, the error is only appearing for three domains which previously worked. All of the other domains which previously worked are still continuing to work fine and are all being renewed normally.

To clarify:

• There are 20+ domains on the same server on the same IP address
• All of them previously worked fine when obtaining an SSL cert via AutoSSL for the first time.
• Now, 3 out of these 20+ domains are giving errors and are unable to renew via AutoSSL.
• The rest of the 20+ domains are able to renew successfully via AutoSSL and have no errors whatsoever.

According to what you said, if the license provider had disabled the renewals, it would have affected all the domains on the same IP. But only three domains on this IP are affected. The rest are all renewing just fine. So it would seem to suggest that it is not because the license provider disabled something.

However, if it is possible for a license provider to selectively disable only a few domains on the same IP, then please let me know and I will check with my hosting company to see if they have done something.

Thanks very much for all your help!

 

[cPanelLauren]

I completely understand, I am sorry for any confusion. This setting is something of an all or none setting as I mentioned before you can't just disallow some domains, or rather that isn't the purpose of the setting and why I asked you to open the ticket.

The Comodo 90-day certificates shouldn't be getting issued for any of the domains on the server with that setting enabled which is only accessible for your provider. I did see your response to the ticket and the analyst is looking further into the issue now for you.


Thank you,

 

[rivali]

Thanks very much cPanelLauren!

Yes, the AutoSSL logs on WHM clearly show other domains on the same server, on the same IP, renewing without any problems before, at the same time as, and after the three problem domains had issues. So far it is only affecting these three domains and not any others.

 

[cPanelLauren]

Hi @rivali

Thank you for that information, I added it to the ticket for the analyst!

 

[rivali]

Thanks very much cPanelLauren! The analyst thinks AutoSSL was disabled so I am checking with my hosting company now. I will update again to let you know what they say.

 

[cPanelLauren]

hi @rivali

Yes and to elaborate further it appears that the change to disallow 90-day certificates was not made until the 17th of this month, which explains why the previous AutoSSL runs were successful.

Please let us know how things go after you speak with the provider.

Thank you,

 

[rivali]

Thanks cPanelLauren!

My hosting company confirms that AutoSSL is enabled on my server, so it's not because of the license provider disabling renewals.

April 17th may have been a coincidence, or perhaps something else changed around then. It does match the date on which the expired domain was renewed (as mentioned earlier), but that only relates to one of the domains and not the other two.

I'm still suspecting something to do with the March 26th cPanel update, or maybe some kind of IP caching issue. I've updated the support ticket accordingly.