In Progress AutoSSL renewal problem

[Mr.Novo]

I'm having problems since yesterday on one of my servers for SSL renewals. Is there something wrong or is it me ?

I've checked cPanel Store - Cart and verified that server can connect yet SSL logs throws a warning

12:13:08 PM WARN (XID sv523x) The response to the HTTP (Hypertext Transfer Protocol) “GET” request from “https://store.cpanel.net/json-api/ssl/certificate/free/orderid” indicated an error (500, Internal Server Error):

And after this warning:

 12:15:01 PM Polling for “user”’s new certificate for “domain” (order item ID “orderid”) …
12:15:05 PM The certificate is not available. (processing)

 

[Look]

i've been having same errors since 11hours ago.

running this command
/usr/local/cpanel/bin/autossl_check --user $username

gives
---
The provider “cPanel (powered by Sectigo)”’s AutoSSL queue already contains a certificate request for “username”’s website “example.com”. The request’s start time is Jan 23, 2022, 4:35:01 PM UTC.

 

[Mr.Novo]

I've different servers. Some of them works some of them not. I don't understand.

There was an emergency on my end so i bought an external certificate and fixed my problem. Today I checked again if subdomain SSLs are generated automaticly and they were.

 

[matt1206]

Seeing the same. Multiple servers, no common point with regards to server providers.

Manually running the autossl check now has renewed 3 domains on one server that expired this morning. These have previously been renewing automatically for the last 2 years since the server was installed.

 

[matt1206]

Example logs:

3:28:14 AM Processing “attbot”’s local DCV results …
3:28:14 AM Analyzing “attbot.org”’s DCV results …
3:28:14 AM AutoSSL will request a new certificate.
3:28:14 AM The system will attempt to renew the SSL certificate for (attbot.org: attbot.org www.attbot.org mail.attbot.org).
3:28:17 AM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.
The system has completed “attbot”’s AutoSSL check.
3:28:17 AM Processing “lahjalstuttu”’s local DCV results …

 

[bellwood]

3:28:17 AM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

Been seeing more and more of this error line lately, seems like Sectigo cannot keep up or is facing a lot of sporadic down time.

 

[cPRex]

Been seeing more and more of this error line lately, seems like Sectigo cannot keep up or is facing a lot of sporadic down time.

That's exactly correct - Sectigo is experiencing some issues at the moment and those have also been mentioned in this thread:

"The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests."

Apparently this was an issue a couple of years ago, anyone know why it might be happening again? Thanks. -Michael

forums.cpanel.net

I'm waiting to hear back from them and I'll post an update once I do.

 

[Look]

update.
it was resolved.
The pending SSL request was cleared and request again the SSL. And it worked!~

 

[matt1206]

Any update? This is pretty poor TBH, as it's causing outages for multiple sites as their SSL certs are expiring due to them not issuing new certificates.

 

[Mr.Novo]

I've faced similar problem with another server today. It took about 30 minutes to issue SSL but it seems working now. What i did to fix it ? Nothing.

 

[matt1206]

I've faced similar problem with another server today. It took about 30 minutes to issue SSL but it seems working now. What i did to fix it ? Nothing.

I've tried manually renewing expired certificates, and I get the same response each time about them not accepting requests currently. I've had to swap over to LetsEncrypt as some of the sites have been down for 24 hours now with expired certificates.

 

[matt1206]

It's also at the point where my hostname certificate is going to expire tomorrow on one of the servers, and that's not being processed either:

[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID xm95xd) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

 

[Mr.Novo]

Did swapping to LetsEncrypt helped for expired domains ?

 

[cPRex]

Moving to Let's Encrypt would replace expired certificates if there are no other complications.

I'm still seeing the rate limiting happening but I haven't heard back from Sectigo yet.

 

[cEMa]

Figured I'd share my experience in hope it helps others.. On a server with around 600 domains, I was quite affected by the recent certificate issue.

I was able to bypass the issue and get valid certs for the affected domains by switching to Let's Encrypt. (must be done as root)

1. Log in to the server as the root user.
2. Run the following command: /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider
3. Log in to WHM and navigate to the Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL).
4. In the Providers tab, select the Let’s Encrypt™ option. The interface will display the Terms of Service section.
5. Review Let’s Encrypt’s terms of service. If you agree, select the I agree to these terms of service option.
6. Click Save.

Ref: The Let's Encrypt Plugin | cPanel & WHM Documentation

 

[cEMa]

Been seeing more and more of this error line lately, seems like Sectigo cannot keep up or is facing a lot of sporadic down time.

I share the same sentiment and concerns. I'm contemplating staying with Let's Encrypt due to all the issues I've been having using the default provider.

 

[cPRex]

There's nothing wrong with staying with Let's Encrypt permanently. For most users they won't notice an issue, although Let's Encrypt does have slightly lower limits that can cause issues for users that have a large number of domains or vhosts. More details on that can be found here:

Guide to SSL | cPanel & WHM Documentation

SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information between a visitor’s browser and a server.

docs.cpanel.net

 

[internetfab]

@cPRex : Would it be possible to add an AutoSSL provider as a backup provider if a run fails due to rate limit issues? Perhaps a feature request that can be handled rather quickly?

Right now we can switch autossl provider with whmapi1, run for one user and then switch back again but having it done automatically would be a nice feature.

 

[cPRex]

@internetfab - there was a request submitted just this week for that behavior:

AutoSSL fail-over

Apparently it's possible that your provider is too busy to provide certificates for a long time and expiring certificates on your hosted websites. I sugge

features.cpanel.net

I've added my vote to that just now and I'm letting our team know about it as well.

 

[internetfab]

@internetfab - there was a request submitted just this week for that behavior:

AutoSSL fail-over

Apparently it's possible that your provider is too busy to provide certificates for a long time and expiring certificates on your hosted websites. I sugge

features.cpanel.net

I've added my vote to that just now and I'm letting our team know about it as well.

Cheers - added my vote to it as well

I might have a workaround for us atm, because we were using another script for LE before AutoSSL was in the picture and they have a way to let it run in a fashion like autossl, so I might let them compete.