AutoSSL is very slow and missing certificates

sunmacet

Active Member
Jan 24, 2009
26
8
53
cPanel Access Level
Root Administrator
We have been receiving complaints from our customers on multiple servers that certificates with AutoSSL have not been renewed. When we run AutoSSL manually for the user, the certificate is renewed.

On one of the affected servers we ran autossl manually on the command line, and it has now been running for over two days!

We have checked resolving and it is fast. Also, the resolvers are the same as on servers that have not been affected.

The autossl command seems to be very slow at each "AutoSSL will attempt a DNS-based DCV for ..."

The only clue so far is these error messages in the output of autossl:

[1637931458] libunbound[2391132:0] error: event_add failed. in cpsl.
[1637931458] libunbound[2391132:0] error: could not event_del on close

Any help would be greatly appreciated!
 

sunmacet

There is not much. Of course there are errors for the domains that are expired or do not point to our server, but they are not relevant.

These are produced when run on the command line:

[1637951124] libunbound[2391132:0] error: event_add failed. in cpsl.
[1637951124] libunbound[2391132:0] error: could not event_del on close
[1637951126] libunbound[2391132:0] error: event_add failed. in cpsl.
[1637951126] libunbound[2391132:0] error: could not event_del on close


This user was missing a certificate after one night, and only this was in the log of the previous AutoSSL run:

10:06:24 PM Analyzing “XXX”’s domains …
10:06:24 PM Analyzing “XXX” (website) …
10:06:24 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 11/25/21, 12:00 AM UTC (0.12 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
10:06:24 PM Attempting to ensure the existence of necessary CAA records …
10:06:25 PM No CAA records were created.
10:06:25 PM Verifying 1 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 1 domains via DNS CAA records …
10:06:25 PM “XXX” is managed.
CA authorized: “XXX”
All of this user’s 1 domains are managed.
“cPanel (powered by Sectigo)” is authorized to issue certificates for 1 of this user’s 1 domains.
10:06:25 PM Performing HTTP DCV (Domain Control Validation) on 1 domains …
10:06:26 PM Local HTTP DCV OK: XXX
10:06:26 PM No local DNS DCV is necessary.

And there were no other log entries for the user.
 

sunmacet

Yes, I can confirm that this seemed to be the case.

When we ran AutoSSL per user as explained in the article, AutoSSL finished in under 3 hours without problems.

With a normal run it took over 2 days and was interrupted before finishing.
 
Reactions: cPanelAnthony

JboyJW

Registered
Feb 20, 2022
1
0
1
Midland
cPanel Access Level
Root Administrator
FYI, I experienced this same issue today; it's still not resolved. I had a client complain about SSL issues and found that 6 of my clients had the ALMOST_EXPIRED defect in the latest log. Running AutoSSL on each account worked to restore their SSL certs.

I tried running the loop command suggested in the "Local DNS DCVs can push libunbound over its limits" article, and although it ran quickly (only 1-3 seconds per account), I found that it only worked for some and not all that had expired. Some had the message "The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later."

Frustrating that this is not reliable. Is there a threshold amount of users or domains that causes this bug in the AutoSSL for All Users? I have 137 accounts on my service accumulating to 259 domains.
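
An added example, not part of any post in this thread and not cPanel code: a Python script that scans AutoSSL log text in the format quoted above for domains carrying the ALMOST_EXPIRED defect, so missed renewals are noticed before customers report them. The sample log, user names and domains are constructed, and the `TLS Status: OK` line is an assumed shape for a healthy domain.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the AutoSSL log excerpt quoted in this thread.
SAMPLE_LOG = """\
10:06:24 PM Analyzing “alice”’s domains …
10:06:24 PM Analyzing “alice.example” (website) …
10:06:24 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 11/25/21, 12:00 AM UTC (0.12 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
10:06:26 PM Local HTTP DCV OK: alice.example
10:06:27 PM Analyzing “bob”’s domains …
10:06:27 PM Analyzing “bob.example” (website) …
10:06:27 PM TLS Status: OK
10:06:28 PM Analyzing “carol”’s domains …
10:06:28 PM Analyzing “shop.carol.example” (website) …
10:06:28 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 11/27/21, 12:00 AM UTC (2.5 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
"""

# The log uses typographic quotes, so the patterns match them literally.
USER_RE = re.compile(r"Analyzing “([^”]+)”’s domains")
SITE_RE = re.compile(r"Analyzing “([^”]+)” \(website\)")
EXPIRY_RE = re.compile(r"Certificate expiry: .*\((-?[\d.]+) days from now\)")
DEFECT_RE = re.compile(r"Defect: ([A-Z_]+):")

def find_defects(log_text, defect="ALMOST_EXPIRED"):
    """Return {user: [(domain, days_left), ...]} for domains logged with `defect`."""
    hits = defaultdict(list)
    user = site = days = None
    for line in log_text.splitlines():
        if m := USER_RE.search(line):        # a new user's section starts
            user, site, days = m.group(1), None, None
        elif m := SITE_RE.search(line):      # a new domain within that user
            site, days = m.group(1), None
        elif m := EXPIRY_RE.search(line):    # remember expiry for the current domain
            days = float(m.group(1))
        elif (m := DEFECT_RE.search(line)) and m.group(1) == defect and user and site:
            hits[user].append((site, days))
    return dict(hits)

if __name__ == "__main__":
    for user, sites in find_defects(SAMPLE_LOG).items():
        for site, days in sites:
            print(f"{user}: {site} expires in {days} days")
```
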
 

microvax

Well-Known Member
Mar 4, 2021
62
4
8
Lima
cPanel Access Level
Root Administrator
Some time ago we decided to reduce the use of Let's Encrypt certificates because of the warning messages shown by FORTINET firewalls.
BTW, if you were to use paid certificates, what kind of SSL certificates would you buy?
Wildcards?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,743
1,868
363
cPanel Access Level
Root Administrator
I haven't heard anything specific about firewalls not handling Let's Encrypt well, but there wouldn't be anything I could do on my end for that.

For a paid certificate, you're welcome to get any type you want. cPanel has worked with Let's Encrypt wildcard certificates since version 84.