SOLVED AutoSSL Notifications and Renewal

Discussion in 'Security' started by SteveK, Jan 24, 2017.

  1. SteveK

    SteveK Member

    Joined:
    Apr 21, 2016
    Messages:
    18
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Canada
    cPanel Access Level:
    DataCenter Provider
    I am receiving hundreds of daily notifications from certwatch that domains need to run genkey. It is about 1 year since I installed WHM/cPanel/CloudLinux.

    I've been told once they are ready to expire it should auto-renew. Is there any way to manually run this ahead of time?

    When I run autossl for all users I check the log file and in many cases it does say it ran for certain domains. But there are also a ton of errors.

    Some are legit because DNS doesn't match as I've got some private IP based domains which is fine. There are only really maybe 3 people who actually have their own SSL certs. The rest were all auto generated when I installed.

    Most people do not have SSH enabled. We have changed the SSH port to something else as well.

    Some of the errors are because we are hosting email only and the website is elsewhere or vice versa.

    Anyone clue me in on how to actually get this to stop spamming me daily and how to update all the certs?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You can turn off the AutoSSL feature for any accounts where you prefer it not attempt to issue an SSL certificate per the instructions at:

    Manage AutoSSL - Documentation - cPanel Documentation

    If you wish to allow AutoSSL to replace certificates that it did not issue, select the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option under the "Options" tab in "WHM >> Manage AutoSSL". AutoSSL will not attempt to replace pre-existing valid certificates that expire in more than three days. You'd have to delete those existing certificates if you wanted to override the expiration time frame.

    Thank you.
     
  3. SteveK

    Already did. And autossl IS enabled for every single account. But I'm still getting a hundred or so emails per day (down to day 15 before expiry). Is there a way to force it to renew it before it expires?
     
  4. SteveK

    Ok so I'd have to get notified for 27-28 days before expiry every single year? If I don't want to I need to manually go in and delete the old keys and manually run autossl?
     
  5. cPanelMichael

    Hello,

    You'd need to delete the existing certificates if you want AutoSSL to issue a new certificate right away instead of waiting for the certificate issuance within the expiration window. AutoSSL certificates are automatically renewed based on the time frames referenced at:

    Manage AutoSSL - Documentation - cPanel Documentation

    The yearly expiration you are referring to would only occur on existing SSL certificates that were installed outside of the AutoSSL feature.

    Thank you.
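
The replacement rule from the two staff replies above (a pre-existing valid certificate is left alone until it is within three days of expiry, unless it is deleted first), as an added example that is not part of the thread and not cPanel's code. It assumes the input is the text printed by `openssl x509 -noout -issuer -enddate`; the issuer hint and the three sample outputs are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

REPLACE_WINDOW_DAYS = 3  # per the thread: valid certs with more than three days left are kept
# Assumption: a substring of the issuer line that marks AutoSSL-issued certificates
# on your server; adjust it to what your AutoSSL provider's certificates show.
AUTOSSL_ISSUER_HINT = "cPanel, Inc. Certification Authority"

def parse_openssl_text(text):
    """Read `openssl x509 -noout -issuer -enddate` output -> (issuer, expiry in UTC)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip()] = value.strip()
    if "issuer" not in fields or "notAfter" not in fields:
        raise ValueError("expected issuer= and notAfter= lines")
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(fields["notAfter"]), tz=timezone.utc)
    return fields["issuer"], expiry

def triage(text, now, issuer_hint=AUTOSSL_ISSUER_HINT):
    """Return (state, whole days left, whole days until the replacement window opens)."""
    issuer, expiry = parse_openssl_text(text)
    days_left = (expiry - now).days
    if issuer_hint in issuer:
        return ("autossl-issued", days_left, 0)
    if expiry - now > timedelta(days=REPLACE_WINDOW_DAYS):
        # Still valid and outside the window: expiry warnings continue meanwhile.
        return ("kept-until-window", days_left, days_left - REPLACE_WINDOW_DAYS)
    return ("replaceable-if-option-enabled", days_left, 0)

# Constructed sample outputs (hostnames and dates are made up for the example).
SELF_SIGNED = "issuer=CN = host.example.test\nnotAfter=Feb  8 00:00:00 2017 GMT\n"
NEAR_EXPIRY = "issuer=CN = host.example.test\nnotAfter=Jan 26 00:00:00 2017 GMT\n"
AUTOSSL = ('issuer=C = US, O = "cPanel, Inc.", '
           'CN = "cPanel, Inc. Certification Authority"\n'
           "notAfter=Apr 20 00:00:00 2017 GMT\n")
NOW = datetime(2017, 1, 24, tzinfo=timezone.utc)  # fixed clock for a repeatable run

if __name__ == "__main__":
    for name, sample in [("self-signed", SELF_SIGNED),
                         ("near-expiry", NEAR_EXPIRY),
                         ("autossl", AUTOSSL)]:
        print(name, triage(sample, NOW))
```

The third element of the result is how many more days an untouched non-AutoSSL certificate will keep triggering expiry warnings before AutoSSL is allowed to replace it.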
     
  6. SteveK

    Thanks for your help. Right now all our certs except the main site's certs are issued by cPanel during the original install. I'm not sure if AutoSSL came into cPanel in the last year? I'm wondering if it will replace these cPanel issued certs. I don't think they were AutoSSL.

    I tested by having it overwrite everything (except ours) and someone immediately called in with their email giving them SSL errors on their iPhone. I had to remove the newly generated key file for them to work again.

    So what I'm thinking is that all our SSL certs were never generated by AutoSSL.

    Will these new AutoSSL certs be valid 3rd party signed (so you don't get the browser warnings etc.)?
     
  7. SteveK

    Other question is - I can't find anywhere that you can modify the alerting parameters for certwatch. I don't need to get daily warnings.
     
  8. cPanelMichael

    AutoSSL was introduced as a new feature in cPanel version 58.

    Here's some information from the Manage AutoSSL document regarding the replacement of third-party certificates:

    Yes, AutoSSL issues signed certificates that browsers will trust.

    I believe the "certwatch" cron job you are referring to stems from the crypto-utils package in CentOS. It's not something that cPanel installs or configures, so you could manually remove that cron job.

    Thank you.
     
  9. SteveK

    Ah, that is what I was looking for then. Thanks. Actually I think it was CloudLinux that did it.
     
  10. cPanelMichael

    Hello,

    I'm happy to see your questions have been answered. Let us know if we can be of any further assistance.

    Thanks!
     