SOLVED AutoSSL not assigning cert to FQDN properly

[MThornton]

I am struggling with AutoSSL and Let'sEncrypt on cPanel & WHM. I am trying to get a certificate for home.xyzdomain.net for a development domain on a new server. This took all of five seconds on the Plesk panel at another host. My server has a single IP address. The WHM is installed on host.xyzdomain.net and I created an account for a user xyzadmin on the domain xyzdomain.net. In that account I created a subdomain home.xyzdomain.net. The live site xyzdomain.net is hosted on another server.

The certificate for the WHM and cPanel is good as I connect to host.xyzdomain.net. When I connect to home.xyzdomain.net the certificate is invalid and shows to be issued for host.xyzdomain.net. In cPanel I see a certificate issued for home.xyzdomain.net issued by cPanel. Why isn't that certificate the one being used when I connect?

The error in the browser developer window is "This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID)." When view the certificate it is for host.xyzdomain.net and is issued by Comodo, not Let'sEncrypt or cPanel. Am I missing some secret handshake, wink wink, nudge nudge where the AutoSSL certificate is linked to the FQDN domain name in the web server?

 

[cPanelLauren]

Hello,


It's sounding like there's a certificate issued for host.xyzdomain.net but not one installed for home.xyzdomain.net. AutoSSL should automatically run for the account.

You can see the logs for it and manage it by going to WHM>>SSL/TLS>>Manage AutoSSL. When you go here and click logs do you see associated logs for that indicate what occurred when the AutoSSL check was run for the domain?

Thanks!

 

[MThornton]

The logs in Manage AutoSSL are are listed below. SSL Storage Manager on WHM doesn't show any certificates for home... but on cPanel for the account I see three certificates for home.xyzdomain.net, two self-signed and one from cPanel. Non of those are being used by the account though, it is sending the certificate associated with the WHM/cPanel hostname. Obviously I have something misconfigured but I can't find it.

Logs:
5:00:53 PM This system has AutoSSL set to use “Let’s Encrypt™”.
5:00:53 PM Checking websites for “xyzadmin” …
5:00:54 PM The website “home.xyzdomain.net”, owned by “xyzadmin”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “www.home.xyzdomain.net”. The system will attempt to replace this certificate with one that includes this additional domain.
5:00:54 PM The website “xyzdomain.net”, owned by “xyzadmin”, has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT NOT_ALL_DOMAINS). AutoSSL will attempt to replace this certificate.
5:00:54 PM WARN The domain “xyzdomain.net” failed domain control validation: The system queried for a temporary file at “http://xyzdomain.net/.well-known/acme-challenge/S4FTTTAO6IFL3Y390ACP6JBKTCVUPWG1”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “xyzdomain.net” resolved to an IP address “89.248.171.78” that does not exist on this server.
5:00:54 PM WARN The domain “www.xyzdomain.net” failed domain control validation: The content “<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1>Not Found</H1> Th …” of the DCV (Domain Control Validation) file, as accessed at “http://xyzdomain.net/404.shtml” and redirected from “http://www.xyzdomain.net/.well-known/acme-challenge/2DB8Q05V_BQJD4ZHTH83AHS58XY-XAQ0”, did not match the expected value. The domain “www.xyzdomain.net” resolved to an IP address “89.248.171.78” that does not exist on this server.
5:00:55 PM WARN The domain “mail.xyzdomain.net” failed domain control validation: The system queried for a temporary file at “http://mail.xyzdomain.net/.well-known/acme-challenge/4VTGMKWMGQSFY90M24UG_9TQP0H78ROM”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “mail.xyzdomain.net” resolved to an IP address “89.248.171.78” that does not exist on this server.
5:00:55 PM WARN The domain “cpanel.xyzdomain.net” failed domain control validation: The system queried for a temporary file at “http://cpanel.xyzdomain.net/.well-known/acme-challenge/ND8192B7L8J7IYX7UIKPGHT05B20CR1C”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “cpanel.xyzdomain.net” resolved to an IP address “89.248.171.78” that does not exist on this server.
5:00:55 PM WARN The domain “webdisk.xyzdomain.net” failed domain control validation: The system queried for a temporary file at “http://webdisk.xyzdomain.net/.well-known/acme-challenge/376PS0KLRIJK0NS5F7QR9LX0-IL_463_”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “webdisk.xyzdomain.net” resolved to an IP address “89.248.171.78” that does not exist on this server.
5:00:55 PM WARN The domain “webmail.xyzdomain.net” failed domain control validation: The system queried for a temporary file at “http://webmail.xyzdomain.net/.well-known/acme-challenge/W2TY7J6IU5NH58GO4OAJCFYST4GGGU7B”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “webmail.xyzdomain.net” resolved to an IP address “89.248.171.78” that does not exist on this server.
5:00:55 PM WARN The domain “www.home.xyzdomain.net” failed domain control validation: “www.home.xyzdomain.net” does not resolve to any IPv4 addresses on the internet.
5:00:55 PM AutoSSL cannot add any new domains to SSL coverage for the website “home.xyzdomain.net”.
5:00:56 PM The system has completed the AutoSSL check for “xyzadmin”.
5:00:56 PM The system has finished checking 1 user.

 

[MThornton]

A few minutes ago a valid certificate began being issued for the home.xyzdomain.net connection, but the certificate path goes back to Comodo Secure, not Let's Encrypt. Very odd.

 

[cPanelLauren]

Hello @MThornton

Yea it does appear that home.xyzdomain.net has an SSL certificate based on:

The website “home.xyzdomain.net”, owned by “xyzadmin”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “www.home.xyzdomain.net”.

Can you do the following and let me know if it clears the issue up?

1. Update the userdomains:

   /scripts/updateuserdomains

2. Update the userdatacache

   /scripts/updateuserdatacache

3. backup and rebuild the apache configuration:
   

   mv /etc/apache2/conf/httpd.conf{,.bk}
   /scripts/rebuildhttpdconf
   /scripts/restartsrv_httpd

4. Clear your browser's cache

Thanks!

 

[MThornton]

It is still serving a certificate traced to Comodo.

 

[cPanelLauren]

Hi @MThornton

That leads me to a few more questions:

Is the certificate a valid certificate which includes the domain name?
How old is the certificate/how many days are left on it?
How long has the account been on this server?
Did the domain have a certificate on it where it was hosted previously?

Thanks!

 

[MThornton]

The cert that is now being served is valid through 8/1/2018 and is issued to the fqdn of the website. This is a VPS less than a week old. The root domain exists on another server and does not currently have a cert applied. This hostname did have a cert from Let'sEncrypt at another host we tried using and had to abandon due to storage performance reasons (they were trying to run a SAN for the hosted sites over a 10 mbit network connection, the same connection shared with the internet). That was where I was introduced to Let'sEncrypt via their Plesk panel. I'm having a lot more trouble on the cPanel but I am suspect it is something I don't understand or missed in the original setup. I'm hoping it isn't because I set up WHM and cPanel on one hostname, and the new website on another, of the same root domain.

 

[cPanelLauren]

Hi @MThornton

It sounds like when the initial AutoSSL process ran (once you added the domain) the AutoSSL service was using the Comodo provider opposed to the Let's Encrypt provider. If you remove the SSL host by going to WHM>>SSL/TLS>>Manage SSL hosts and delete the current certificate, then run the AutoSSL check for the domain once more (since you now have Let's Encrypt set as the provider) you should get the Let's Encrypt certificate issued for the domain.


Thanks!

 

[MThornton]

I deleted the certificate then ran AutoSSL and see that it did succeed in creating a new certificate. But I am back to the problem of apache/nginx are serving the wrong certificate to my clients. I have restarted Apache, nginx, PHP-FPM with no change. What am I missing in this process?

I got it fixed. I went back and found it still had not made the certificate the primary one for the domain. I ran that process again and now it is correct.

 

[cPanelLauren]

Hi @MThornton

Just to confirm, the correct certificate is being served currently?

 

[MThornton]

Yes, it is serving the correct certificate. Thank you for your guidance.

 

[cPanelLauren]

HI @MThornton

I'm really happy to hear that and glad I could help!

Thanks!