AutoSSL not replacing all certs on domain

[Direct Web Solutions]

Hey peeps,

I have version 92.0.6 cPanel on Centos 7.9 and found this odd issue. My autoSSL renewed the certificates on all my domains, but it didn’t replace the one on port 2080 on any domain but my host name.

So when a user goes to hostname.domain.com:2080 they get asked for the CalDav sign in information and get a valid certificate until 2022 but when they go to domain.com:2080 or someotherdomain.com:2080, the SSL certificate expired on January 3, 2021 and now all of my clients CalDav is failing because they can’t connect to their own domain name on that port.

I have ran this code:

/scripts/ccs-check —run —ssl —force
SSL information changed, restarting CCS..
SSL information updated.

/scripts/restartsrv_cpanel_ccs

cpanel_ccs restarted successfully.

/use/local/cPanel/bin/checkallsslcerts

I have ran these checks, my host name domain was renewed properly, autoSSL for every other domain hasn’t replaced this cert on port 2080 but has replaced all of their other certs (webmail, FTP, cPanel, etc).

what am I missing?

 

[cPRex]

Hey there! This is something that should be happening automatically, so it might be best to submit a ticket to our team so we can look into this for you. If you do, please post the ticket number here so I can follow along and also keep the community updated with our findings.

 

[Direct Web Solutions]

Hey there! This is something that should be happening automatically, so it might be best to submit a ticket to our team so we can look into this for you. If you do, please post the ticket number here so I can follow along and also keep the community updated with our findings.

Hey cPRex, the ticket number is #94097588.

 

[cPRex]

Thanks!

 

[AlternativeInternet]

I am seeing this too. Do we have a bug number? Is there a finger fix?

If I run the ccs-check script in debug (perl -w perl -w /usr/local/cpanel/scripts/ccs-check --run --ssl), even from the /usr/local/cpanel/ folder, I get perl compilation errors:

perl -w /usr/local/cpanel/scripts/ccs-check --run --ssl --force
Can't locate experimental.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at Cpanel/NetSSLeay/ErrorHandling.pm line 11.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay/ErrorHandling.pm line 11.
Compilation failed in require at Cpanel/NetSSLeay.pm line 14.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay.pm line 14.
Compilation failed in require at Cpanel/NetSSLeay/Base.pm line 11.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay/Base.pm line 11.
Compilation failed in require at /usr/share/perl5/vendor_perl/parent.pm line 20.
BEGIN failed--compilation aborted at Cpanel/NetSSLeay/BIO.pm line 11.
Compilation failed in require at Cpanel/SSLService.pm line 16.
BEGIN failed--compilation aborted at Cpanel/SSLService.pm line 16.
Compilation failed in require at /usr/local/cpanel/scripts/ccs-check line 54.

I wonder if it's related to my server using ECDSA SSL certificates?

 

[cPRex]

@AlternativeInternet - this doesn't seem like a problem related to the SSL system, but an issue with the perl modules on the server. Can you try running the following command on the system to see if that fixes anything?

/scripts/check_cpanel_rpms

 

[AlternativeInternet]

I get no output from the requested command. Has anything been discovered on the other customer's ticket yet? Should I open a separate ticket?

 

[AlternativeInternet]

OK, I was able to figure out the issue. To start, I have had CCS installed for a while, so I was thrown off by the presence of the "domain-TLS" folder in the ccs config. It looks like this WAS used in the past, but stopped being used on port 2080 recently (looks like it relies on the service subdomain proxy to redirect to the server hostname). Additionally, for some reason, the pem was not getting updated with my latest cpanel cert, rather it was content to keep using the expired cert. I renamed the pem file in the ccs config folder and ran the scripts above, and it properly copied over the new cert.

 

[cPRex]

I'm glad you were able to find a good workaround for that issue!

 

[Hedloff]

We also got the same issue on version 94. So this bug has not been fixed yet?
I removed the .pem file, and then restart cpanel-ccs and also ran script:

/opt/cpanel-ccs/conf/domain-TLS# /scripts/ccs-check --run --ssl --force
SSL information updated.


But .pem file was not recreated.
Can we safely remove the whole domain-TLS folder?

 

[cPRex]

Sure - just rename that folder to domain-TLS.bak so it can't be read/overwritten by the system in case you do need it.

 

[Hedloff]

mail.domain.tld:2080 is still not working and gives error:
NET::ERR_CERT_COMMON_NAME_INVALID

I can see SSL for that port and domain is now used by server hostname and not mail.domain.tld anymore. But ccs should now work since it uses a valid server SSL?

 

[cPRex]

What if you just try domain.com instead of mail.domain.com?

 

[Hedloff]

Same issue there. It's using servers hostname.

 

[cPRex]

That's definitely odd - could you submit a ticket to our team so we can check that?

 

[Hedloff]

Just an update on the issue here from our tickets with cPanel.
It's a bug and is being fixed in CPANEL-34793.