AutoSSL not replacing all certs on domain

Operating System & Version
Centos 7.9
cPanel & WHM Version
92.0.6
cPanel Access Level
Root Administrator
Hey peeps,

I have version 92.0.6 cPanel on CentOS 7.9 and found this odd issue. My AutoSSL renewed the certificates on all my domains, but it didn't replace the one on port 2080 on any domain but my host name.

So when a user goes to hostname.domain.com:2080, they get asked for the CalDAV sign-in information and get a valid certificate until 2022, but when they go to domain.com:2080 or someotherdomain.com:2080, the SSL certificate expired on January 3, 2021, and now all of my clients' CalDAV is failing because they can't connect to their own domain name on that port.

I have run this code:
Code:
/scripts/ccs-check --run --ssl --force
SSL information changed, restarting CCS..
SSL information updated.

/scripts/restartsrv_cpanel_ccs

cpanel_ccs restarted successfully.

/usr/local/cpanel/bin/checkallsslcerts
I have run these checks. My host name domain was renewed properly; AutoSSL for every other domain hasn't replaced this cert on port 2080 but has replaced all of their other certs (webmail, FTP, cPanel, etc.).

What am I missing?
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
Hey there! This is something that should be happening automatically, so it might be best to submit a ticket to our team so we can look into this for you. If you do, please post the ticket number here so I can follow along and also keep the community updated with our findings.
 

AlternativeInternet

Registered
cPanel Access Level
Root Administrator
I am seeing this too. Do we have a bug number? Is there a finger fix?

If I run the ccs-check script in debug (perl -w /usr/local/cpanel/scripts/ccs-check --run --ssl), even from the /usr/local/cpanel/ folder, I get perl compilation errors:

Bash:
perl -w /usr/local/cpanel/scripts/ccs-check --run --ssl --force
Can't locate experimental.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at Cpanel/NetSSLeay/ErrorHandling.pm line 11.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay/ErrorHandling.pm line 11.
Compilation failed in require at Cpanel/NetSSLeay.pm line 14.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay.pm line 14.
Compilation failed in require at Cpanel/NetSSLeay/Base.pm line 11.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay/Base.pm line 11.
Compilation failed in require at /usr/share/perl5/vendor_perl/parent.pm line 20.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay/BIO.pm line 11.
Compilation failed in require at Cpanel/SSLService.pm line 16.
BEGIN failed--compilation aborted at Cpanel/SSLService.pm line 16.
Compilation failed in require at /usr/local/cpanel/scripts/ccs-check line 54.
I wonder if it's related to my server using ECDSA SSL certificates?
 

AlternativeInternet

Registered
cPanel Access Level
Root Administrator
OK, I was able to figure out the issue. To start, I have had CCS installed for a while, so I was thrown off by the presence of the "domain-TLS" folder in the ccs config. It looks like this WAS used in the past, but stopped being used on port 2080 recently (looks like it relies on the service subdomain proxy to redirect to the server hostname). Additionally, for some reason, the pem was not getting updated with my latest cpanel cert; rather, it was content to keep using the expired cert. I renamed the pem file in the ccs config folder and ran the scripts above, and it properly copied over the new cert.
 

Hedloff

Well-Known Member
cPanel Access Level
DataCenter Provider
We also got the same issue on version 94. So this bug has not been fixed yet?
I removed the .pem file, then restarted cpanel-ccs and also ran the script:

/opt/cpanel-ccs/conf/domain-TLS# /scripts/ccs-check --run --ssl --force
SSL information updated.


But the .pem file was not recreated.
Can we safely remove the whole domain-TLS folder?
 

Hedloff

Well-Known Member
cPanel Access Level
DataCenter Provider
mail.domain.tld:2080 is still not working and gives error:
NET::ERR_CERT_COMMON_NAME_INVALID

I can see SSL for that port and domain is now used by server hostname and not mail.domain.tld anymore. But ccs should now work since it uses a valid server SSL?
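
The two symptoms reported in this thread (an expired certificate still served on port 2080, and a certificate issued for the server hostname rather than the customer domain) can be told apart with openssl. The following is an added example, not part of any post here or of cPanel's tooling; the function names and the `.test` hostnames are assumptions, and the sample certificate is constructed at run time.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Hostnames are placeholders.

# fetch_cert HOST PORT OUTFILE
# Saves the leaf certificate the service presents when HOST is sent as SNI.
# Needs network access, so the offline demo below does not call it.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# check_cert PEMFILE NAME [WINDOW_SECONDS]
# Prints OK, EXPIRING, NAME_MISMATCH, EXPIRING+NAME_MISMATCH or NO_CERT.
check_cert() {
    local pem=$1 name=$2 window=${3:-0} result=""
    # An empty file means the fetch failed; do not report that as "expired".
    [ -s "$pem" ] || { echo "NO_CERT"; return 1; }
    # -checkend exits non-zero when the cert expires within WINDOW seconds
    # (WINDOW=0 asks "is it already expired?").
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        result="EXPIRING"
    fi
    # -checkhost prints "does match" or "does NOT match" for NAME. OpenSSL
    # falls back to the CN when the cert has no SAN; browsers do not.
    if ! openssl x509 -in "$pem" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match certificate'; then
        result="${result:+$result+}NAME_MISMATCH"
    fi
    echo "${result:-OK}"
}

# make_sample_cert CN OUTFILE
# Constructed sample: throwaway self-signed cert, valid for one day.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout /dev/null -out "$2" 2>/dev/null
}

# Offline demo: a cert issued for the server hostname, checked against the
# hostname itself and against a customer domain, with a 7-day warning window.
demo() {
    local dir; dir=$(mktemp -d)
    make_sample_cert hostname.example.test "$dir/cert.pem"
    check_cert "$dir/cert.pem" hostname.example.test
    check_cert "$dir/cert.pem" mail.domain.test 604800
    rm -rf "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a live server, running `fetch_cert` for each hosted domain on port 2080 and passing the saved file to `check_cert` with that same domain gives one status line per domain.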