SOLVED AutoSSL renews the same cert even if still valid

cumanzor

Member
Jul 14, 2017
9
1
3
Costa Rica
cPanel Access Level
Root Administrator
Good day, Running WHM v66.0.23

I have a strange situation with AutoSSL with either the Comodo or Let's Encrypt provider. Let me describe the scenario:

I have one account with multiple Addon Domains (more than 80 domains) and each one with their own SSL provided by AutoSSL automatically, everything is ok with that. Like a few weeks ago before the v66 upgrade, I noticed that some SSL certs for just 5 addon domains were renewed every day.

Here is a portion of the AUTOSSL log

- Removed, Please Don't Post Actual Domain Names or IPs -

As you can read, AutoSSL knows that the cert is still valid, but attempts to add additional domains that were already excluded by internal configuration.

Does anyone have an idea of where I should start looking for the cause?

Thanks in advance.
 

cumanzor

Adding the log, with properly censored sections

Code:
 2:55:09 PM WARN The certificate for the website “CENSOREDFQDN.com” will not contain the domains “mail.CENSOREDFQDN.com”, “CENSOREDFQDN.com”, “cpanel.CENSOREDFQDN.com”, “webdisk.giorgiosjoyeria.com”, “webmail.CENSOREDFQDN.com”, and “www.CENSOREDFQDN.com” because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.


 2:55:09 PM The website “CENSOREDFQDN.com”, owned by “CENSORED”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “CENSOREDFQDN.com”, “mail.CENSOREDFQDN.com”, “www.CENSOREDFQDN.com”, “webdisk.CENSOREDFQDN.com”, “webmail.CENSOREDFQDN.com”, “cpanel.CENSOREDFQDN.com”, and “autodiscover.CENSOREDFQDN.com”. The system will attempt to replace this certificate with one that includes these additional domains.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

The log entries you see are to be expected when you exclude a specific domain name from the AutoSSL feature. The AutoSSL feature automatically checks to see if it should issue new certificates for several conditions (e.g. a certificate is expiring, a new subdomain is added). For instance, if you decided to remove an exclusion in the future, the automatic check would ensure the previously excluded domain name is added to the certificate. You can safely ignore those warning messages. That said, internal case CPANEL-15523 is open to see if there's a better way to handle this condition, or if there's a better way to explain what's happening in the AutoSSL logs. I'll monitor this case and update this thread with the outcome.

Thank you.
 

cumanzor

Hello,

it should issue new certificates for several conditions (e.g. a certificate is expiring, a new subdomain is added).

Thank you.
Yup, that's the expected behavior. I think my problem is the incredible amount of addon domains in the account; probably it's preventing AutoSSL from keeping tight control over those 5 domains' certs, and it renews them every day over and over.

By the way, if I click "Check user" to manually trigger AutoSSL, those domains' SSL certs are renewed again even if they were just installed, so I can repro the same problem either manually or automatically.
 

cumanzor


cPanelMichael

Yes, those subdomains were excluded intentionally, by my hand. (This sounds powerful when you read it, lol)

Should I include all subdomains (without exceptions) and try again, just to verify if the issue persists?
Hello,

You could, but I don't actually see any issues. The messages you see in the AutoSSL logs don't indicate any problems. Is the SSL certificate not working as expected?

Thank you.
 

cumanzor

Is the SSL certificate not working as expected?
It works as expected, but the problem is that every day the same SSL cert is renewed for no reason. So far Let's Encrypt stops working due to the rate limit because of asking for the same domain cert over and over. Comodo SSL doesn't seem to care, but I got a lot of valid and functional SSL certs for the same domains.

I know, the whole scenario sounds incredible but it happens... so far this "interesting behavior" is my greatest puzzle at my office.
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.
 

cPanelMichael

It works as expected, but the problem is that every day the same SSL cert is renewed for no reason. So far Let's Encrypt stops working due to the rate limit because of asking for the same domain cert over and over. Comodo SSL doesn't seem to care, but I got a lot of valid and functional SSL certs for the same domains.
To update, this is fixed in cPanel version 68 as part of internal case CPANEL-16864:

Fixed case CPANEL-16864: AutoSSL: avoid performing DCV checks for excluded domains.

Thank you.
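
An added example, not part of the thread and not cPanel's code: a triage script for the two AutoSSL log messages quoted above. For each website it counts replacement attempts and reports whether every "additional coverage" domain is already excluded, which is the situation described in this thread. The message wording in the patterns is copied from the log excerpt; the sample lines, the `example.com` names and the optional singular "domain" are assumptions.

```python
import re
from collections import defaultdict

QUOTED = re.compile(r"“([^”]+)”")
# Wording copied from the two log messages quoted in the thread; the optional
# singular "domain" is an assumption.
EXCLUDED = re.compile(r"The certificate for the website “([^”]+)” will not contain "
                      r"the domains? (.+?) because the current configuration excludes")
REPLACE = re.compile(r"The website “([^”]+)”, owned by “[^”]+”, has a valid SSL "
                     r"certificate, but additional SSL coverage may be possible for "
                     r"the domains? (.+?)\. The system will attempt to replace")

# Constructed sample lines (example.com names), not real AutoSSL output.
SAMPLE_LOG = [
    "2:55:09 PM WARN The certificate for the website “a.example.com” will not contain the domains “mail.a.example.com” and “webmail.a.example.com” because the current configuration excludes these domains.",
    "2:55:09 PM The website “a.example.com”, owned by “usera”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “mail.a.example.com” and “webmail.a.example.com”. The system will attempt to replace this certificate with one that includes these additional domains.",
    "2:55:10 PM The website “a.example.com”, owned by “usera”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “mail.a.example.com” and “webmail.a.example.com”. The system will attempt to replace this certificate with one that includes these additional domains.",
    "2:55:11 PM WARN The certificate for the website “b.example.com” will not contain the domains “mail.b.example.com” and “cpanel.b.example.com” because the current configuration excludes these domains.",
    "2:55:11 PM The website “b.example.com”, owned by “userb”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “mail.b.example.com” and “autodiscover.b.example.com”. The system will attempt to replace this certificate with one that includes these additional domains.",
]

def triage(lines):
    """Per website: replacement attempts and the requested domains not excluded."""
    sites = defaultdict(lambda: {"attempts": 0, "excluded": set(), "requested": set()})
    for line in lines:
        if m := EXCLUDED.search(line):
            sites[m.group(1)]["excluded"].update(QUOTED.findall(m.group(2)))
        elif m := REPLACE.search(line):
            sites[m.group(1)]["attempts"] += 1
            sites[m.group(1)]["requested"].update(QUOTED.findall(m.group(2)))
    report = {}
    for site, s in sites.items():
        remaining = s["requested"] - s["excluded"]
        report[site] = {
            "attempts": s["attempts"],
            "remaining": sorted(remaining),  # requested domains that are not excluded
            # True when a replacement was attempted only for excluded domains
            "only_excluded": s["attempts"] > 0 and not remaining,
        }
    return report

if __name__ == "__main__":
    for site, result in triage(SAMPLE_LOG).items():
        print(site, result)
```

A website flagged `only_excluded` with a growing attempt count is one to check against the certificate authority's rate limits.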