SOLVED AutoSSL sends notification for expired domains after cPanel v70 update

Discussion in 'Security' started by kabatak, May 17, 2018.

  1. kabatak

    kabatak Well-Known Member

    We have several cPanel accounts with expired domains on our server that are not yet deleted. They have been dormant for several months now with no issue with AutoSSL.

    After the cPanel v70 update, AutoSSL suddenly sends email notifications with subject "AutoSSL certificate expiry..." with body along the lines of "The “cPanel” AutoSSL provider could not renew the SSL certificate..." for these expired domains.

    My issue is: why does AutoSSL suddenly send renewal-failure notices for these expired domains instead of simply skipping them like it used to?

    Aside from expired domains, we noticed that some non-expired domains also did not auto-renew via AutoSSL, even after re-running AutoSSL from WHM.

    Is there a new setting somewhere in WHM that could be related to this?
     
  2. DennisMidjord

    DennisMidjord Well-Known Member

    We can confirm this as well.
    Our customer has a few hundred domains and most of them are excluded from AutoSSL. They're using SSL certificates from a third party.
    Some of the subdomains, however, don't have SSL enabled, and it seems like the customer is receiving notifications for these. The SSL status for all of the domains that the customer was notified about is: "The installed certificate does not cover this domain. The certificate will not renew via AutoSSL because it was not issued via AutoSSL."
     
  3. Stefaans

    Stefaans Well-Known Member

    Same thing here. After the WHM update, there were hundreds of emails about expiring certificates while we have the AutoSSL feature disabled.

    This reminds me of WHM/cPanel of 15 years ago when every update meant new bugs :(
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello Everyone,

    We do have a couple of open cases related to the delivery of AutoSSL expiry notifications in cPanel & WHM version 70; however, I'll need some more information to verify if those cases are in fact related to the issues brought up on this thread. Could anyone facing an issue with these notifications run the below commands on an affected system and post the output?

    Code:
    cat /usr/local/cpanel/version
    whmapi1 get_autossl_metadata
    whmapi1 get_tweaksetting key=notify_expiring_certificates
    Additionally, please provide an example of the specific notification that was sent upon the update to cPanel & WHM 70, and if the issue relates to notifications sent to individual cPanel users, please include the output of the following command for an account that falsely received a notification:

    Code:
    cat /home/username/.cpanel/contactinfo
    Replace references to real domain names in the output with examples (e.g. domain.tld instead of the real domain).

    As far as the existing cases, CPANEL-19808 is open to ensure AutoSSL stops sending notifications about expired certificates seven days after the expiry. Case CPANEL-20411 is open to address an issue where notification contact preferences for cPanel users weren't synced correctly if /home/$user/.cpanel/contactinfo contained empty or missing values.

    Thank you.
     
  5. Stefaans

    Stefaans Well-Known Member

    Thank you for looking into the issue @cPanelMichael.

    Here is the information requested:

    Code:
    cat /usr/local/cpanel/version
    11.70.0.42
    Code:
    whmapi1 get_autossl_metadata
    ---
    data:
      payload:
        clobber_externally_signed: 0
        notify_autossl_expiry: 0
        notify_autossl_expiry_coverage: 0
        notify_autossl_renewal: 0
        notify_autossl_renewal_coverage: 0
        notify_autossl_renewal_coverage_reduced: 0
        notify_autossl_renewal_uncovered_domains: 0
    metadata:
      command: get_autossl_metadata
      reason: OK
      result: 1
      version: 1
    Code:
    whmapi1 get_tweaksetting key=notify_expiring_certificates
    ---
    data:
      tweaksetting:
        key: notify_expiring_certificates
        value: 0
    metadata:
      command: get_tweaksetting
      reason: OK
      result: 1
      version: 1
    Example of email sent (note how this relates to a certificate that expired a long time ago):
    Code:
    clientdomain.com: The AutoSSL certificate expires on Feb 10, 2017 at 12:00:00 AM UTC. At the time of this notice, the certificate expired 460 days, 4 hours, 17 minutes, and 13 seconds ago.
    
    AutoSSL did not renew the certificate for "clientdomain.com". You must take action to keep this site secure.
    The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
    ⛔ mail.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    The system queried for a temporary file at "http://mail.clientdomain.com/.well-known/pki-validation/2D73E65206DC6C4B0DFC194DDF23F866.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "mail.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
    ⛔ cpanel.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    The system queried for a temporary file at "http://cpanel.clientdomain.com/.well-known/pki-validation/36D5DC3BB2E3F8E38B5C8825AACD0CD0.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "cpanel.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
    ⛔ webmail.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    The system queried for a temporary file at "http://webmail.clientdomain.com/.well-known/pki-validation/8446BAEBA73E6B87EF79D81B17381E58.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "webmail.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
    ⛔ clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    The system queried for a temporary file at "http://clientdomain.com/.well-known/pki-validation/B8414D3216CD47FCA577200820117A54.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
    ⛔ webdisk.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    "webdisk.clientdomain.com" does not resolve to any IPv4 addresses on the internet.
    ⛔ autodiscover.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    "autodiscover.clientdomain.com" does not resolve to any IPv4 addresses on the internet.
    ⛔ www.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
    The system queried for a temporary file at "http://www.clientdomain.com/.well-known/pki-validation/AC88F3DDE0DD43CEF0A947AC9213B748.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "www.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
    For the most current status, navigate to the "SSL/TLS Status" interface. You can also exclude domains from future renewal attempts, which would cease future notifications.
    The following domains lost SSL coverage when the certificate expired:
    mail.clientdomain.com
    clientdomain.com
    www.clientdomain.com
    The certificate that is installed on this website contains the following properties:
    Expiration:
    
    Friday, February 10, 2017 at 12:00:00 AM UTC
    
    Domain Names:
    
    clientdomain.com
    mail.clientdomain.com
    www.clientdomain.com
    Subject:
    
    commonName 
    clientdomain.com
    Issuer:
    
    countryName 
    US
    stateOrProvinceName 
    TX
    localityName 
    Houston
    organizationName 
    cPanel, Inc.
    commonName 
    cPanel, Inc. Certification Authority
    To upgrade to an EV or OV certificate, navigate to the "SSL/TLS Wizard" interface.
    The system generated this notice on Wednesday, May 16, 2018 at 7:42:46 PM UTC.
    
    You can disable the "AutoSSL cannot request a certificate because all of the website's domains have failed DCV (Domain Control Validation)." type of notification through the cPanel interface: https://hostname:2083/?goto_app=ContactInfo_Change
    Do not reply to this automated message.
    And finally:
    Code:
    cat /home/username/.cpanel/contactinfo
    ---
    "email": 'user@somedomain.com'
    "ip": '1.2.3.4'
    "notify_account_authn_link": 1
    "notify_account_authn_link_notification_disabled": 1
    "notify_account_login": 0
    "notify_account_login_for_known_netblock": 0
    "notify_account_login_notification_disabled": 1
    "notify_contact_address_change": 1
    "notify_contact_address_change_notification_disabled": 1
    "notify_disk_limit": 1
    "notify_email_quota_limit": 1
    "notify_password_change": 1
    "notify_password_change_notification_disabled": 1
    "origin": 'cpanel'
    "pushbullet_access_token": ''
    "second_email": ''
    I can confirm that the AutoSSL feature has been disabled for many months; we choose to use the FleetSSL cPanel plugin instead.
     
    #5 Stefaans, May 18, 2018
    Last edited by a moderator: May 18, 2018
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @Stefaans,

    This doesn't look to relate to any of the existing cases that are open. Do you mind opening a support ticket using the link in my signature so we can take a closer look at your system to see what happened? You can post the ticket number here and we will link this thread to the ticket.

    Thank you.
     
  7. Stefaans

    Stefaans Well-Known Member

    I have been digging further and found that the problem does not originate on our server. I now feel embarrassed for complaining!

    Looking at the Exim main_log, I can see that the erroneous messages did not come from our servers but from servers that belong to other hosting providers. The affected domains were all transferred to our servers in recent months by resellers of ours, and seemingly are still set up on the previous hosting providers' servers. I suspect that said hosting providers are using the AutoSSL feature and that they did upgrade their cPanel/WHM to ver 70 (or maybe not) and that did trigger the flood of notifications.

    My report is thus a false alarm. I apologise for unnecessarily fuelling the fire.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hi @Stefaans,

    Not a problem! I'm glad you were able to determine the source of the emails. If anyone else is facing this issue, please provide the information requested in my earlier post to this thread.

    Thanks!
     
  9. DennisMidjord

    DennisMidjord Well-Known Member

    Hi @cPanelMichael

    Code:
    [root@pro5 ~]# cat /usr/local/cpanel/version
    11.70.0.43
    
    Code:
    [root@pro5 ~]# whmapi1 get_autossl_metadata
    ---
    data:
      payload:
        clobber_externally_signed: 0
        notify_autossl_expiry: 1
        notify_autossl_expiry_coverage: 1
        notify_autossl_renewal: 0
        notify_autossl_renewal_coverage: 1
        notify_autossl_renewal_coverage_reduced: 1
        notify_autossl_renewal_uncovered_domains: 1
    metadata:
      command: get_autossl_metadata
      reason: OK
      result: 1
      version: 1
    
    Code:
    [root@pro5 ~]# whmapi1 get_tweaksetting key=notify_expiring_certificates
    ---
    data:
      tweaksetting:
        key: notify_expiring_certificates
        value: 1
    metadata:
      command: get_tweaksetting
      reason: OK
      result: 1
      version: 1
    
    We've only had this issue reported by a single user, but my guess is that most users don't care.
    One of the emails starts like this:
    Code:
    sub.domain.tld: The AutoSSL certificate expires on Apr 10, 2018 at 12:16:04
    PM UTC. At the time of this notice, the certificate expired 41 days, 13 hours, 35 minutes, and 42
    seconds ago.
    
    As @Stefaans reported, this is long overdue (and these emails are in fact sent from our own servers - just checked). The domain has even been excluded from AutoSSL.

    As you can see, all notifications from AutoSSL have been disabled for the user reporting the issue:
    Code:
    [root@pro5 ~]# cat /home/<user>/.cpanel/contactinfo
    ---
    "email": 'user@mail.tld'
    "ip": '<masked>'
    "notify_account_authn_link": 1
    "notify_account_authn_link_notification_disabled": 1
    "notify_account_login": 0
    "notify_account_login_for_known_netblock": 0
    "notify_account_login_notification_disabled": 0
    "notify_autossl_expiry": 0
    "notify_autossl_expiry_coverage": 0
    "notify_autossl_renewal_coverage": 0
    "notify_autossl_renewal_coverage_reduced": 0
    "notify_autossl_renewal_uncovered_domains": 0
    "notify_bandwidth_limit": 1
    "notify_contact_address_change": 1
    "notify_contact_address_change_notification_disabled": 1
    "notify_disk_limit": 1
    "notify_email_quota_limit": 1
    "notify_password_change": 1
    "notify_password_change_notification_disabled": 1
    "notify_ssl_expiry": 1
    "notify_twofactorauth_change": 1
    "notify_twofactorauth_change_notification_disabled": 1
    "origin": 'cpanel'
    "pushbullet_access_token": ''
    "second_email": ''
    I guess this is related to case CPANEL-20411?
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hi @DennisMidjord,

    Thank you for providing the additional details. Can you also run the below command and let us know the output?

    Code:
    grep notify /var/cpanel/users/username
    Replace username with the cPanel user that received the AutoSSL notification.

    Thank you.
     
  11. DennisMidjord

    DennisMidjord Well-Known Member

    Sure:
    Code:
    [root@pro5 ~]# grep notify /var/cpanel/users/<username>
    notify_account_authn_link=1
    notify_account_authn_link_notification_disabled=1
    notify_account_login=0
    notify_account_login_for_known_netblock=0
    notify_account_login_notification_disabled=0
    notify_autossl_expiry=0
    notify_autossl_expiry_coverage=0
    notify_autossl_renewal=
    notify_autossl_renewal_coverage=0
    notify_autossl_renewal_coverage_reduced=0
    notify_autossl_renewal_uncovered_domains=0
    notify_bandwidth_limit=1
    notify_contact_address_change=1
    notify_contact_address_change_notification_disabled=1
    notify_disk_limit=1
    notify_email_quota_limit=1
    notify_password_change=1
    notify_password_change_notification_disabled=1
    notify_ssl_expiry=1
    notify_twofactorauth_change=1
    notify_twofactorauth_change_notification_disabled=1
    I see that the value for AutoSSL renewal is missing. Is that the problem?
     
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @DennisMidjord,

    That's correct, and it explains why the notification was sent. You should be able to solve the issue by disabling that notification type and clicking Save in cPanel >> Contact Manager for the account.

    Internal cases CPANEL-20411 and CPANEL-20412 will address the overall issue of this occurring. I'll update this thread again once these cases are published.

    Thank you.
     
  13. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    cPanel & WHM version 70.0.44 is now published to the CURRENT release tier and includes the following cases:

    Fixed case CPANEL-19808: AutoSSL runs will no longer continue notifying beyond seven days post-expiry.
    Fixed case CPANEL-20411: Cpuser notification preferences now are populated if empty.
    Fixed case CPANEL-20412: Make contactinfo->cpuser sync not clobber existing cpuser setting.

    I'll update this thread again once this build is published to the RELEASE tier.

    Thank you.
     
  14. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    cPanel & WHM Version 70.0.44 is now published to the RELEASE tier.

    Thank you.
     
  15. DennisMidjord

    DennisMidjord Well-Known Member

    Shouldn't the following be populated as well? notify_autossl_renewal=
    I've just checked, and it looks like that for all users.
     
  16. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @DennisMidjord,

    The notify_autossl_renewal entry is only populated in /var/cpanel/users/$username when it's synced from /home/username/.cpanel/contactinfo.

    Could you open a support ticket so we can take a closer look at an affected system and see why that entry isn't populated in the .contactinfo files for the users on your system? You can post the ticket number here and I'll link this thread to the ticket.

    Thank you.
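
Added example, not part of any post in this thread and not cPanel code: a server-wide version of the check made above, covering both the empty notify_autossl_renewal= entry in /var/cpanel/users/<username> that was confirmed as the cause and the contactinfo-to-cpuser sync described in the last reply. It generalizes to every notify_* key; the function names, the tab-separated output, the assumption that home directories sit under one root, and the sample accounts alice, bob and carol are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not cPanel code): list notify_* keys that have an empty value
# in cpuser files, and say whether each key exists in the user's contactinfo.

# audit_empty_notify [CPUSER_DIR] [HOME_ROOT]
# Output: user<TAB>key<TAB>state, where state describes the contactinfo file:
#   present = key is set there, absent = key missing, nofile = no contactinfo.
# The body runs in a subshell so its variables do not leak into the caller.
audit_empty_notify() (
    cpuser_dir=${1:-/var/cpanel/users}
    home_root=${2:-/home}   # assumption: all home directories share this root
    for f in "$cpuser_dir"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        contact="$home_root/$user/.cpanel/contactinfo"
        # Match "notify_xxx=" followed by nothing but optional whitespace.
        sed -n 's/^\(notify_[A-Za-z0-9_]*\)=[[:space:]]*$/\1/p' "$f" |
        while IFS= read -r key; do
            if [ ! -f "$contact" ]; then
                state=nofile
            elif grep -q "^[[:space:]]*\"$key\":" "$contact"; then
                state=present
            else
                state=absent
            fi
            printf '%s\t%s\t%s\n' "$user" "$key" "$state"
        done
    done
)

# make_sample DIR: write constructed sample accounts (alice, bob, carol),
# modelled on the file formats quoted in the thread, under DIR.
make_sample() {
    mkdir -p "$1/users" "$1/home/alice/.cpanel" "$1/home/bob/.cpanel" \
             "$1/home/carol/.cpanel"
    # alice: empty value in cpuser, key missing from contactinfo.
    cat > "$1/users/alice" <<'EOF'
notify_autossl_expiry=0
notify_autossl_renewal=
notify_ssl_expiry=1
EOF
    cat > "$1/home/alice/.cpanel/contactinfo" <<'EOF'
---
"email": 'user@mail.tld'
"notify_autossl_expiry": 0
"notify_ssl_expiry": 1
EOF
    # bob: every key has a value, so nothing is reported.
    printf 'notify_autossl_renewal=0\n' > "$1/users/bob"
    printf '%s\n' '---' '"notify_autossl_renewal": 0' \
        > "$1/home/bob/.cpanel/contactinfo"
    # carol: contactinfo has the key but the cpuser value is still empty.
    printf 'notify_autossl_renewal=\n' > "$1/users/carol"
    printf '%s\n' '---' '"notify_autossl_renewal": 0' \
        > "$1/home/carol/.cpanel/contactinfo"
}

# Demo on the constructed sample; on a server, call audit_empty_notify
# with no arguments to read /var/cpanel/users and /home.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_empty_notify "$demo_dir/users" "$demo_dir/home"
rm -rf "$demo_dir"
```

A state of "absent" matches the pair of files posted in this thread, where the key was empty in the cpuser file and missing from contactinfo.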
     