SOLVED AutoSSL has stopped working

Discussion in 'Security' started by Krydos, Aug 3, 2017.

  1. Krydos

    Krydos Well-Known Member

    Joined:
    Jun 2, 2012
    Messages:
    48
    Likes Received:
    4
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    AutoSSL has been working great. That's really an awesome feature. Thanks for implementing it.

    My problem is it has suddenly stopped working. The queue of pending certificate installs is getting longer and longer and not all of them are because of the usual .htaccess issues or domains not resolving to IP addresses. Brand new accounts with nothing on them at all are just pending forever too. The .txt files are getting created, and they are accessible externally so that's not the issue. I have it set to the cPanel provided by Comodo option. Is there some sort of server wide rate limit that we're exceeding, and that's why the pending queue is piling up? I know the documentation says 200 per virtualhost, but that's not the issue here.

    Anyways, I'm going to try switching it to the Let's Encrypt provider to see if that gets the pending queue moving again, but I'm fairly certain that they have rate limits though so I'd like to figure out why Comodo certs have stopped being issued.

    Here is an example of a log:
    Code:
    4:17:47 PM The system will attempt to renew SSL certificates for the following websites:
     4:17:47 PM example.com (sub1.example.com www.sub1.example.com mail.sub1.example.com etc )
     4:17:50 PM The system has completed the AutoSSL check for “krydos”.
     4:22:03 PM The queue contains a request for a certificate for “krydos”’s website “sub1.example.com”. The system last polled for this certificate at Jul 31, 2017, 9:17:50 PM UTC. The next poll will be no earlier than Jul 31, 2017, 9:22:50 PM UTC.
    ...
    7:12:02 PM The queue contains a request for a certificate for “krydos”’s website “sub1.example.com”. The system last polled for this certificate at Aug 3, 2017, 9:12:06 PM UTC. The next poll will be no earlier than Aug 4, 2017, 9:12:06 AM UTC.
    
    I snipped out the 50 pages of log files where cPanel has checked every 5 minutes for the last 4 days to see if that certificate is ready.

    Any ideas of something to get this working again?

    (I'm not going to submit a ticket and grant root access to cPanel technicians to look for themselves. Sorry. I am willing to run any commands for you and post the results though.)
     
  2. Krydos

    UPDATE:

    I switched to Let's Encrypt instead of cPanel (powered by Comodo) and everything is working as expected now. It wiped my entire pending queue out, but the certificates are getting installed/renewed now. I suspect the problem with cPanel/Comodo is some unpublished (or at least for me unfindable) rate limit that I exceeded. If a cPanel rep can confirm that would it be possible to get that limit raised on a case by case basis perhaps? AutoSSL is a huge draw that excites a lot of our users, and I'd hate to have to disable it just because it's too popular.
     
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,480
    Likes Received:
    60
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    I want you to do one thing:
    1) Go to AutoSSL (use Comodo).
    2) Select the user and check if manage by AutoSSL is enabled.
    3) Initiate the SSL check for this user (wait for a minute).
    4) Go to the logs section in the AutoSSL page itself.
    5) Hit the refresh button and select the most recent poll from it (User you just initiated the SSL check on).

    Check what you see in that log for this user only and send it here.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Feel free to open a support ticket using the link in my signature so we can take a closer look to see why the Comodo certificates were still pending on the system.

    Thank you.
     
  5. Krydos

    1) Changed back to Comodo.
    2) "Reset to Feature List Settings" is selected for every account on the server, and after that it says "Use setting established by the feature list 'default' which is currently set to 'enabled'".
    3) Clicked "Check rd".
    4) Done.
    5) Log:
    Code:
    Log for the AutoSSL run for “rd”: Friday, August 4, 2017 3:23:48 PM GMT-0500 (cPanel (powered by Comodo))
     3:23:48 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
     3:23:48 PM Checking websites for “rd” …
     3:23:49 PM The website “domain.example.tk”, owned by “rd”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
     3:23:52 PM The system will attempt to renew SSL certificates for the following websites:
     3:23:52 PM domain.example.tk (domain.tk www.domain.tk mail.domain.tk webmail.domain.tk cpanel.domain.tk webdisk.domain.tk)
     3:23:52 PM The system has completed the AutoSSL check for “rd”.
    
    It's just been sitting there for like an hour now.
     
    #5 Krydos, Aug 4, 2017
    Last edited by a moderator: Aug 4, 2017
  6. Krydos

    What is the first thing you would check?
     
  7. 24x7server

    Hi,

    Refresh the AutoSSL log and see if you see any update on issue of SSL.
     
  8. Krydos

    Code:
    Log for the AutoSSL run for “rzurita”: Sunday, August 6, 2017 8:57:45 PM GMT-0500 (cPanel (powered by Comodo))
     8:57:45 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
     8:57:45 PM Checking websites for “rzurita” …
     8:57:46 PM The website “woo.rzurita.example.com”, owned by “rzurita”, has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT NOT_ALL_DOMAINS). AutoSSL will attempt to replace this certificate.
     8:57:46 PM The website “zureshop.rzurita.example.com”, owned by “rzurita”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “www.example.tk” and “example.tk”. The system will attempt to replace this certificate with one that includes these additional domains.
     8:57:47 PM The system will attempt to renew SSL certificates for the following websites:
     8:57:47 PM woo.rzurita.example.com (zureshop.gq www.example.gq mail.example.gq woo.rzurita.example.com www.woo.rzurita.example.com webmail.example.gq cpanel.example.gq webdisk.example.gq)
     8:57:47 PM zureshop.rzurita.example.com (mail.example.tk webmail.example.tk cpanel.example.tk webdisk.example.tk zureshop.rzurita.example.com www.zureshop.rzurita.example.com example.tk www.example.tk)
     8:57:54 PM The system has completed the AutoSSL check for “rzurita”.
     9:02:06 PM The queue contains a request for a certificate for “rzurita”’s website “woo.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 1:57:50 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:02:50 AM UTC.
     9:02:06 PM The queue contains a request for a certificate for “rzurita”’s website “zureshop.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 1:57:54 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:02:54 AM UTC.
     9:07:04 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:07:04 PM The certificate is not available. (processing)
     9:07:04 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:07:05 PM The certificate is not available. (processing)
     9:13:24 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:13:25 PM The certificate is not available. (processing)
     9:13:25 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:13:25 PM The certificate is not available. (processing)
     9:17:52 PM The queue contains a request for a certificate for “rzurita”’s website “woo.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:13:25 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:18:25 AM UTC.
     9:17:52 PM The queue contains a request for a certificate for “rzurita”’s website “zureshop.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:13:25 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:18:25 AM UTC.
     9:22:02 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:22:04 PM The certificate is not available. (processing)
     9:22:04 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:22:04 PM The certificate is not available. (processing)
     9:27:03 PM The queue contains a request for a certificate for “rzurita”’s website “zureshop.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:22:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:27:04 AM UTC.
     9:27:03 PM The queue contains a request for a certificate for “rzurita”’s website “woo.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:22:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:27:04 AM UTC.
     9:32:02 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:32:04 PM The certificate is not available. (processing)
     9:32:04 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:32:04 PM The certificate is not available. (processing)
     9:37:03 PM The queue contains a request for a certificate for “rzurita”’s website “zureshop.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:32:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:37:04 AM UTC.
     9:37:03 PM The queue contains a request for a certificate for “rzurita”’s website “woo.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:32:04 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:37:04 AM UTC.
     9:42:02 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:42:03 PM The certificate is not available. (processing)
     9:42:03 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:42:04 PM The certificate is not available. (processing)
     9:47:18 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:47:18 PM The certificate is not available. (processing)
     9:47:18 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:47:18 PM The certificate is not available. (processing)
     9:52:03 PM The queue contains a request for a certificate for “rzurita”’s website “woo.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:47:18 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:52:18 AM UTC.
     9:52:03 PM The queue contains a request for a certificate for “rzurita”’s website “zureshop.rzurita.example.com”. The system last polled for this certificate at Aug 7, 2017, 2:47:18 AM UTC. The next poll will be no earlier than Aug 7, 2017, 2:52:18 AM UTC.
     9:57:02 PM Polling for “rzurita”’s new certificate for “woo.rzurita.example.com” (order item ID “227127629”) …
     9:57:03 PM The certificate is not available. (processing)
     9:57:03 PM Polling for “rzurita”’s new certificate for “zureshop.rzurita.example.com” (order item ID “227127647”) …
     9:57:04 PM The certificate is not available. (processing)
    
    The certificate is never available even if it polls for days. Any ideas?
     
    #8 Krydos, Aug 6, 2017
    Last edited by a moderator: Aug 7, 2017
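
A way to condense a long AutoSSL log like the one in post #8 into a list of orders that never leave "processing", as an added example that is not part of the original posts or of cPanel's code. The function names and thresholds are hypothetical, and the sample log is constructed in the format shown above.

```python
import re
from datetime import datetime, timedelta

TS = r"^\s*(\d{1,2}:\d{2}:\d{2} [AP]M) "
POLL_RE = re.compile(TS + r"Polling for “([^”]+)”’s new certificate for “([^”]+)” "
                          r"\(order item ID “(\d+)”\)")
RESULT_RE = re.compile(TS + r"The certificate is not available\. \((\w+)\)")

# Constructed sample in the AutoSSL log format (user, domains and order IDs invented).
SAMPLE_LOG = """\
 9:07:04 PM Polling for “alice”’s new certificate for “shop.example.com” (order item ID “1001”) …
 9:07:04 PM The certificate is not available. (processing)
 9:07:05 PM Polling for “alice”’s new certificate for “blog.example.com” (order item ID “1002”) …
 9:07:05 PM The certificate is not available. (processing)
 9:13:24 PM Polling for “alice”’s new certificate for “shop.example.com” (order item ID “1001”) …
 9:13:25 PM The certificate is not available. (processing)
 11:58:10 PM Polling for “alice”’s new certificate for “shop.example.com” (order item ID “1001”) …
 11:58:11 PM The certificate is not available. (processing)
 12:03:12 AM Polling for “alice”’s new certificate for “shop.example.com” (order item ID “1001”) …
 12:03:13 AM The certificate is not available. (processing)
"""

def summarize_polls(log_text):
    """Group poll attempts by order item ID. The log lines carry no date, so a
    clock that goes backwards is treated as crossing midnight."""
    orders, pending, prev, offset = {}, None, None, timedelta(0)
    for line in log_text.splitlines():
        m = POLL_RE.match(line) or RESULT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%I:%M:%S %p") + offset
        if prev is not None and ts < prev:
            offset += timedelta(days=1)
            ts += timedelta(days=1)
        prev = ts
        if m.re is POLL_RE:
            user, domain, pending = m.group(2), m.group(3), m.group(4)
            o = orders.setdefault(pending, {"user": user, "domain": domain, "polls": 0,
                                            "first": ts, "last": ts, "statuses": set()})
            o["polls"] += 1
            o["last"] = ts
        elif pending is not None:
            # A result line belongs to the "Polling for" line just before it.
            orders[pending]["statuses"].add(m.group(2))
            pending = None
    return orders

def stuck_orders(orders, min_polls=3, min_age=timedelta(minutes=20)):
    """Order IDs polled repeatedly for at least min_age that only returned 'processing'."""
    return sorted(oid for oid, o in orders.items()
                  if o["polls"] >= min_polls and o["last"] - o["first"] >= min_age
                  and o["statuses"] == {"processing"})

if __name__ == "__main__":
    print(stuck_orders(summarize_polls(SAMPLE_LOG)))
```

The order item IDs it reports are the values the CA's support staff can look up on their side.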
  9. Krydos

    I'm going to try contacting Comodo. Maybe they will know what is going on.
     
  10. cPanelMichael

    Our Technical Support Department has access to some additional internal tools to help determine why a certificate is stuck at the pending status (e.g. possible brand violations).

    Thank you.
     
  11. Krydos

    Awesome! What log or file or whatever do you need me to submit to use your additional tools on?
     
  12. cPanelMichael

    Hello,

    You can simply let us know the specific domain name that's stuck as "pending" when opening the support ticket. Let us know if you have any trouble opening the ticket (there's a link in my signature you can use).

    Thank you.
     
  13. Krydos

    I'm making some progress with Comodo. They at least see the certificate request from AutoSSL in their system. He wants me to do a manual HTTP DCV by creating the text file with the specific random letters and numbers that he emailed me. I asked him why the text file that AutoSSL created that is accessible from the internet didn't work? I'll keep you all updated.

    I'll submit a support ticket I guess. As long as it doesn't require giving root access to the server as that would violate our privacy policy. I'll keep you all updated on how that goes too.
     
  14. Krydos

    Ticket submitted: 8770923
     
  15. Krydos

    Comodo just says they can see the AutoSSL requests in their system, but the automatic DCV failed. His suggestion was to contact cPanel to figure out why the DCV failed, or just do manual DCV on each and every domain.

    The cPanel technician has replied and had me check a couple access logs. It seems like cPanel is creating public_html/H43J...28V.txt but Comodo is looking for public_html/.well-known/pki-challenge/H43J...28V.txt instead and getting a 404 error. I asked the support technician if there was a way to configure AutoSSL to create the validation file in the place that Comodo is looking for it. Anyone have any suggestions on how to do that?
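
The access-log check described in post #15 can be automated. The following is an added example, not part of the original post or of cPanel's code: it flags 404 responses for `.txt` files that do exist under the document root, only at a different path than the one the validator requested. It assumes Apache combined-format access logs; the function names, token and log lines are constructed, and the directory name is the one quoted in the post.

```python
import os
import re
import tempfile

# Request line and status from an Apache combined-format entry.
REQ_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def find_dcv_path_mismatches(access_log_lines, docroot):
    """Return [(requested_path, path_on_disk)] for 404'd .txt requests whose
    file name exists under docroot at a different relative path."""
    on_disk = {}  # basename -> relative URL paths where that file exists
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith(".txt"):
                rel = os.path.relpath(os.path.join(root, name), docroot)
                on_disk.setdefault(name, []).append("/" + rel.replace(os.sep, "/"))
    mismatches = []
    for line in access_log_lines:
        m = REQ_RE.search(line)
        if not m or m.group(2) != "404":
            continue
        path = m.group(1).split("?", 1)[0]
        name = path.rsplit("/", 1)[-1]
        for rel in on_disk.get(name, []):
            if rel != path and (path, rel) not in mismatches:
                mismatches.append((path, rel))
    return mismatches

def demo():
    # Constructed validation token and log lines (documentation IP ranges).
    token = "0123456789ABCDEF0123456789ABCDEF.txt"
    log = [
        f'203.0.113.10 - - [07/Aug/2017:02:07:04 +0000] '
        f'"GET /.well-known/pki-challenge/{token} HTTP/1.1" 404 315 "-" "constructed-dcv-agent"',
        '203.0.113.10 - - [07/Aug/2017:02:07:05 +0000] "GET /robots.txt HTTP/1.1" 404 315 "-" "-"',
        '198.51.100.7 - - [07/Aug/2017:02:08:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    ]
    with tempfile.TemporaryDirectory() as docroot:
        # The file sits in the document root, as in the post.
        open(os.path.join(docroot, token), "w").close()
        return find_dcv_path_mismatches(log, docroot)

if __name__ == "__main__":
    for requested, found in demo():
        print(f"404 for {requested}, but file exists at {found}")
```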
     
  16. Krydos

    Alright, the technician says it's probably because I'm running cpanel/whm version 64.0.19 and AutoSSL has been changed since that version. Upgrading to 64.0.36 now to see if it fixes the issue of the certificates not being installed.
     
  17. cPanelMichael

    Yes, the update is required. Here's the blog post explaining this:

    Urgent DCV Updates This Week | cPanel Blog

    Thanks!
     
  18. Krydos

    Yeah, I'm always really careful with upcp. Since we run a lot of custom code it tends to break things every time.

    I might have to check out that blog more often. :)
     
    #18 Krydos, Aug 9, 2017
    Last edited: Aug 9, 2017
    cPanelMichael likes this.