AutoSSL renews the same cert even if still valid

Discussion in 'Security' started by cumanzor, Sep 20, 2017.

  1. cumanzor

    cumanzor Member

    Joined:
    Jul 14, 2017
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Costa Rica
    cPanel Access Level:
    Root Administrator
    Good day, Running WHM v66.0.23

    I have a strange situation with AutoSSL with either the Comodo or Let's Encrypt provider; let me describe the scenario:

    I have one account with multiple Addon Domains (more than 80 domains), each one with its own SSL provided by AutoSSL automatically; everything is OK with that. Like a few weeks ago, before the v66 upgrade, I noticed that some SSL certs for just 5 addon domains were renewed every day.

    Here is a portion of the AUTOSSL log

    - Removed, Please Don't Post Actual Domain Names or IPs -

    As you can read, AutoSSL knows that the cert is still valid, but attempts to add additional domains that were already excluded by internal configuration.

    Does anyone have an idea of where I should start looking for the cause?

    Thanks in advance.
     
    #1 cumanzor, Sep 20, 2017
    Last edited by a moderator: Sep 20, 2017
  2. cumanzor

    cumanzor Member

    Adding log, with proper censored sections

    Code:
     2:55:09 PM WARN The certificate for the website “CENSOREDFQDN.com” will not contain the domains “mail.CENSOREDFQDN.com”, “CENSOREDFQDN.com”, “cpanel.CENSOREDFQDN.com”, “webdisk.giorgiosjoyeria.com”, “webmail.CENSOREDFQDN.com”, and “www.CENSOREDFQDN.com” because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.
    
    
     2:55:09 PM The website “CENSOREDFQDN.com”, owned by “CENSORED”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “CENSOREDFQDN.com”, “mail.CENSOREDFQDN.com”, “www.CENSOREDFQDN.com”, “webdisk.CENSOREDFQDN.com”, “webmail.CENSOREDFQDN.com”, “cpanel.CENSOREDFQDN.com”, and “autodiscover.CENSOREDFQDN.com”. The system will attempt to replace this certificate with one that includes these additional domains.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The log entries you see are to be expected when you exclude a specific domain name from the AutoSSL feature. The AutoSSL feature automatically checks to see if it should issue new certificates for several conditions (e.g. a certificate is expiring, a new subdomain is added). For instance, if you decided to remove an exclusion in the future, the automatic check would ensure the previously excluded domain name is added to the certificate. You can safely ignore those warning messages. That said, internal case CPANEL-15523 is open to see if there's a better way to handle this condition, or if there's a better way to explain what's happening in the AutoSSL logs. I'll monitor this case and update this thread with the outcome.

    Thank you.
     
  4. cumanzor

    cumanzor Member

    Yup, that's the expected behavior. I think my problem is the incredible amount of addon domains in the account; probably it's preventing AutoSSL from keeping tight control over those 5 domains' certs, and it renews them every day over and over.

    By the way, if I click "Check user" to manually trigger AutoSSL, those domains' SSL certs are renewed again even if they were just installed, so I can repro the same problem either manually or automatically.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  6. cumanzor

    cumanzor Member

    Yes, those subdomains were excluded intentionally, by my hand. (This sounds powerful when you read it, lol)

    Should I include all subdomains (without exceptions) and try again, just to verify if the issue persists?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You could, but I don't actually see any issues. The messages you see in the AutoSSL logs don't indicate any problems. Is the SSL certificate not working as expected?

    Thank you.
     
  8. cumanzor

    cumanzor Member

    It works as expected, but the problem is that every day the same SSL cert is renewed for no reason. So far Let's Encrypt stops working due to the rate limit because of asking for the same domain cert over and over. Comodo SSL doesn't seem to care, but I got a lot of valid and functional SSL certs for the same domains.

    I know, the whole scenario sounds incredible but it happens... so far this "interesting behavior" is my greatest puzzle at my office.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     
  10. cumanzor

    cumanzor Member

    Sure, but first let me retry the scenario without excluding subdomains, just in case
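
A way to triage the two AutoSSL log messages quoted in this thread, as an added example that is not part of the original posts and not cPanel code: it parses those two message formats and, per website, splits the domains listed for "additional SSL coverage" into ones the configuration already excludes and ones it does not. The log sample, the `example.test` names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the two messages quoted in the thread;
# the example.test names are placeholders, not values from the original log.
SAMPLE_LOG = """\
2:55:09 PM WARN The certificate for the website “shop.example.test” will not contain the domains “mail.shop.example.test”, “cpanel.shop.example.test”, and “webdisk.shop.example.test” because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.
2:55:09 PM The website “shop.example.test”, owned by “user1”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “mail.shop.example.test”, “cpanel.shop.example.test”, “webdisk.shop.example.test”, and “autodiscover.shop.example.test”. The system will attempt to replace this certificate with one that includes these additional domains.
2:55:10 PM WARN The certificate for the website “blog.example.test” will not contain the domains “mail.blog.example.test” and “webmail.blog.example.test” because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.
2:55:10 PM The website “blog.example.test”, owned by “user1”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “mail.blog.example.test” and “webmail.blog.example.test”. The system will attempt to replace this certificate with one that includes these additional domains.
"""

QUOTED = re.compile(r"“([^”]+)”")  # AutoSSL wraps names in curly quotes
EXCLUDED = re.compile(r"certificate for the website “([^”]+)” will not contain "
                      r"the domains (.+?) because the current configuration excludes")
REPLACE = re.compile(r"The website “([^”]+)”, owned by “[^”]+”, has a valid SSL "
                     r"certificate, but additional SSL coverage may be possible for "
                     r"the domains (.+?)\. The system will attempt to replace")

def triage(log_text):
    """Per website, split the 'additional coverage' domains by exclusion status."""
    excluded = defaultdict(set)   # website -> domains reported as excluded
    wanted = {}                   # website -> domains named as the reason to replace
    for line in log_text.splitlines():
        m = EXCLUDED.search(line)
        if m:
            excluded[m.group(1)].update(QUOTED.findall(m.group(2)))
            continue
        m = REPLACE.search(line)
        if m:
            wanted[m.group(1)] = set(QUOTED.findall(m.group(2)))
    return {site: {"already_excluded": sorted(doms & excluded[site]),
                   "not_excluded": sorted(doms - excluded[site])}
            for site, doms in wanted.items()}

def replaced_only_for_excluded(report):
    """Websites whose replacement is justified solely by excluded domains."""
    return sorted(s for s, r in report.items() if not r["not_excluded"])

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for site, info in result.items():
        print(site, info)
    print("only excluded domains:", replaced_only_for_excluded(result))
```

A website returned by `replaced_only_for_excluded` is one where the log gives no non-excluded domain as the reason for replacing a valid certificate; a name left in `not_excluded` is the one to check first when the same certificate keeps being reissued.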
     