SOLVED AutoSSL not generating cert after 24 hours

[GoWilkes]

I have a hosting client that attempted to install a 3rd party cert on their own, not realizing that cPanel now came with one. After some errors they contacted me, and I suggested switching back to the cPanel cert.

To do so, in WHM I went to "Manage SSL Hosts" and clicked "Delete" by their domain. Then I went to "Manage AutoSSL > Manage Users", found their account, changed the option to "Enable", then clicked "Check". It ran for a minute, and a few minutes later I had a log file that said:

AutoSSL will request a new certificate.
The system will attempt to renew the SSL certificate for the website

I can post the entire log if you like, but it seemed pretty standard.

But it never successfully processed, and when AutoSSL ran for all accounts at 2:40am, I see that its log has the same "AutoSSL will request a new certificate" for that account.

Under "Pending Queue", the account is Pending and shows a Request Time of Jul 26, 2020 12:40:01 AM.

The last time I had this problem, all of cPanel was having a problem with Sectigo :-( Any suggestions on how I might make this process more quickly? The client is (rightfully) getting impatient.

 

[ZenHostingTravis]

Hi @GoWilkes,

I believe under some conditions, certificates may require up to 48 hours to process.

If the client is impatient as you say, perhaps open a ticket with the cPanel support team so they can check why there has been a delay.

 

[cPanelLauren]

@GoWilkes if you give me the domain name in PM I'd be happy to look up the status of that certificate internally.

 

[Michael-Inet]

If you give me the domain name in PM I'd be happy to look up the status of that certificate internally.

Hi Lauren,

I don’t particularly want to spam you with a PM, and my domain isn’t secret or anything, but it’s been pending for ~3 days, would you lookup?:

Main domain: domain.com
IP: x.x.x.x

I’m moving domains to a new server we’re opening (did mine first) and don’t want the client's new AutoSSLs to have issues in case there something odd with the new box’s IPs/range/etc.

Thank you,
Michael

Filtered output of last AutoSSL Log

Log for the AutoSSL run for all users: Saturday, November 7, 2020 11:31:01 PM GMT-0600 (cPanel (powered by Sectigo))

11:31:11 PM The system will attempt to renew the SSL certificates for the websites (REDACTED) and <filter>.

The provider “cPanel (powered by Sectigo)”’s AutoSSL queue already contains a certificate request for “<filter>”’s website “REDACTED”. The request’s start time is Nov 5, 2020, 5:31:01 AM UTC.

The provider “cPanel (powered by Sectigo)”’s AutoSSL queue already contains a certificate request for “<filter>”’s website “<filter>”. The request’s start time is Nov 8, 2020, 3:27:56 AM UTC.

 

[Michael-Inet]

Cert process went bad? I'm now getting cert installed (took 4 days, yikes!) and:

domain.com uses an invalid security certificate. The certificate is only valid for the following names: otherdomain.com

Opened a Support Ticket ID is: 93900231

Any cPanel personell, feel free to delete this and my last post

 

[cPRex]

Feel free to spam us anytime!

It looks like this was resolved by reloading nginx after the SSL has been updated. Since nginx isn't handled by cPanel this isn't a step that was handled automatically by the system when the SSL was issued.

 

[Michael-Inet]

Feel free to spam us anytime!
It looks like this was resolved by reloading nginx after the SSL has been updated. Since nginx isn't handled by cPanel this isn't a step that was handled automatically by the system when the SSL was issued.

Hi Rex,

Doesn’t seem to have had anything to do with Nginx. My best guess is something in the AutoSSL process has changed in the last six months or so. I’ve been using this general procedure for 10+ years to move sites from one server to another:

- Leave site.com running on old.server.com
- Build new.server.com
- Dup site.com to new.server.com
- Add a dedicated IP to site.com on new server
- Update mailhelo/mailips
- Do testing and QA under site.new.server.com
- Once client signs-off on site.new.server.com, update DNSOnly boxes with new IP/spf1/DKIM1/_cpanel-dcv-test-record/default._domainkey/etc. for site.com [1]
- Update site.com PTR record at new Host
- Wait ~4 days for every DNS cache to actually clear, if no issues, then remove site.com from old.server.com

My guess on the six months is I moved several sites at the beginning of Summer and had no issues with AutoSSL ‘just working.’ This time both sites being moved had the same two domain patterns break and not issue correctly. The steps to fix (thank you John in support!) are these (I’m basically copy/pasting what John wrote):

- Delete the broken SSL(s) in WHM >> Home »SSL/TLS »Manage SSL Hosts
- Then install the new AutoSSL certificate via WHM >> Home »SSL/TLS »Install an SSL Certificate on a Domain
(To install the SSL type "site.com" in the Domain field, then click "Autofill by domain", then scroll to the bottom to install the certificate.)
- Note that you may also need to reload NGINX to load the change. (systemctl reload nginx) *

For me, just deleting both broken certs and installing one cert ‘fixed’ the second cert. Yeah, that baffled me too, but cPanel did it’s job perfectly then as it automagically picked up the dedicated IPs and everything else for the 2 new certs.

* I didn’t need to reload NGINX, browsers picked up the cert within seconds, but reloading is never going to hurt anything (and quite frankly is good QA as you then know a reboot isn’t going to kill you).

I couldn't find (using Google, which is why I hit this post) where to delete/regen an AutoSSL cert, so you are more that welcome to use anything here (it’s mostly John’s anyway) to add/update whatever relevant cPanel docs handle this. I do ask that you add a link in the OP of this thread to that doc (would save a bunch of other people’s time).

Best Regards,
Michael

[1] I only have completely independent DNSOnly boxes in my DNS cluster. None of my [web]servers feed DNS to anything, which is not the norm for most, so, don’t break your stuff by blindly copy/pasting from this!

 

[cPRex]

I do ask that you add a link in the OP of this thread to that doc (would save a bunch of other people’s time).

Which specific page were you looking at?

 

[Michael-Inet]

Which specific page were you looking at?

you are more that welcome to use anything here (it’s mostly John’s anyway) to add/update whatever relevant cPanel docs handle this

I was typing too fast and didn't combine those very well. "If you add/update a cPanel doc, please add a link to it," is what I was trying to say

Thank you for adding the SOLVED label.

Best,
Michael

 

[cPRex]

I got it now :D