AutoSSL not renewing expired certificates

GoWilkes

Well-Known Member
Sep 26, 2006
611
24
168
cPanel Access Level
Root Administrator
Switching to Let's Encrypt was SUCH a mistake! I guess I didn't have a choice because Sectigo was messing up, but still. I made a thread awhile back on it, I had to switch back to Sectigo because it has a limit of 100 domains per account (including www, non-www, and mail).

(Although Let's Encrypt swears that this limitation doesn't exist)

Well, the domains that still had a cert under Let's Encrypt all had the cert to expire 2 days ago, and AutoSSL didn't renew them under Sectigo! So I have 60 or so accounts that are throwing a cert error for close to 24 hours. Including the main domain that I use to access WHM!

So when I log in to WHM I have to go through the "Safety" checkpoint.

I go to WHM > Manage AutoSSL and see that it's set to Sectigo (as it should be). But when I click on Options, Logs, Manage Users, or Pending Queue, it just refreshes the page. I right-clicked and tried to open that in a new tab, but then I'm giving the Safety checkpoint again. I click to proceed, and it just takes me back to the main page for Manage AutoSSL.

I found the AutoSSL log at /var/cpanel/logs/autossl, though, and at around 5:30pm EST the latest entry said:

The queue contains a request for a certificate for “example”’s website “example.com” (order item ID “12345”). The system last polled for this certificate at Sep 25, 2019, 8:12:08 PM UTC. The next poll will be no earlier than Sep 25, 2019, 8:12:08 PM UTC.

Great, fine, OK. But now it's 10:30pm EST and the entry says:

... The system last polled for this certificate at Sep 26, 2019, 1:37:08 AM UTC. The next poll will be no earlier than Sep 26, 2019, 1:37:08 AM UTC.

What the... ? Since it's been 2 full days since the cert expired, it looks like it's just going to keep pushing up the poll time and not install a new one. Which is just wonderful, I lost clients the first time it messed up, and now I'm definitely going to lose a lot more!

Is there a magic trick to make this work?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,308
133
193
Finland
cPanel Access Level
Root Administrator

GoWilkes

Well-Known Member
Sep 26, 2006
611
24
168
cPanel Access Level
Root Administrator
I'm afraid not :-( I was able to run it for all users through WHM, but it didn't create anything. So I ran it through SSH using the command you posted, but still nothing.

I also managed to figure this one out (started from the link you gave, then intentionally left off the --all to see documentation):

/usr/local/cpanel/bin/autossl_check --user=example

For future readers, options are:

autossl_check ( --user=<username> | --all | --help )

That was faster to process, but still nothing.

Through WHM I deleted 2 of the SSL Hosts that are expired, because that worked to force a renewal last time. Then I ran AutoSSL via command line for the two users.

Every few hours last night the log has this:

[2019-09-26T03:47:03Z] Setting up for Sectigo’s DCV (Domain Control Validation) for this certificate request …
[2019-09-26T03:47:04Z] Polling for “example”’s new certificate for “example.com” (order item ID “12345”) …
[2019-09-26T03:47:04Z] The certificate is not available. (processing)


Is Sectigo messing up again?
 

GoWilkes

Well-Known Member
Sep 26, 2006
611
24
168
cPanel Access Level
Root Administrator
Update: I tried to change the provider to Let's Encrypt (temporary, that won't work for my other domains that expire later), but I can't do it through WHM because of the expired cert! I click to Save and it just runs and runs. I let it go for 5 minutes and it never completed. When I refreshed the page it still showed Sectigo as the provider.

I found a command line script to install Let's Encrypt:

/scripts/install_lets_encrypt_autossl_provider

But that didn't help; it's already installed, I just need to change it to the default. I found this:


But the command given uses le-cp, and my server doesn't have that file installed.

Any other ideas on how to set Let's Encrypt as the default provider via SSH?
 
Last edited:

cPJeremy

Technical Analyst
Staff member
Feb 13, 2019
58
3
83
Houston TX
cPanel Access Level
Root Administrator
Hello,

If you are still wanting to set Let's Encrypt as the default provider via the command line, you can use the the API Command below:

whmapi1 set_autossl_provider provider=LetsEncrypt

Also, can you please ensure that from WHM's Home »SSL/TLS »Manage AutoSSL under the "Options" tab you have the following checkbox enabled: "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates."

If the certificates were previously Let's Encrypt, you will be required to have that option enabled. If this is not able to resolve the issue, can you please open a ticket using the link in my signature? You can then post the ticket number in this thread so that we can monitor the ticket and post necessary details and the outcome of the ticket to the thread.

Thank you!