SOLVED AutoSSL still not renewed after expiring

[tdldrg]

I enabled AutoSSL by cPanel and it gave a ssl for 8/30-11/29 which worked fine but then it expired and until to this date still not renewed. I checked the log everyday all I see is same message yet it hasn't renewed it...

10:59:41 AM The website “domain.com”, owned by “xxxx”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
10:59:41 AM The system will attempt to renew SSL certificates for the following websites:

Wasn't it suppose to renew 10days earlier but it seems it doesn't renew even after expiring and still attemping only..

How to force it to renew it right away? And why it seems it doesn't renew the expired ssl?

 

[cPanelMichael]

Hello,

Could you let us know which version of cPanel is installed on this system? You can check via the following command:

cat /usr/local/cpanel/version

Also, could you let us know the rest of the output? For instance, are there any DCV (Domain Control Validation) error messages?

Thank you.

 

[tdldrg]

It doesn't have any error that goes orange like some. Here's the new one today from 'all users' log. Til now it is still not renewed itself after expiring and same goes for some few domains that have expired already. Seems like stuck on attempt to renew SSL...

11:03:02 PM Checking websites for “xxxxx” …
11:03:02 PM The website “xxxxxx.co.uk”, owned by “xxxxx”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
11:03:06 PM The system will attempt to renew SSL certificates for the following websites:
11:03:06 PM xxxxx.co.uk (xxxxxxxx.com xxxxxxxxx.co.uk www.xxxxxxx.com www.xxxxxxx.co.uk mail.xxxxxxxcom mail.xxxxxx.co.uk)
11:03:06 PM The system has completed the AutoSSL check for “xxxxx”.

 

[cPanelMichael]

Hello,

Are you sure the previous SSL certificates were installed with the AutoSSL feature? If not, you'd need to enable the following option under the "Options" tab in "WHM >> Manage AutoSSL":

Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Here's the option's description:

This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users’ CA-issued certificates if they are invalid or about to expire.

Unless you fully understand this option, do not select it, because the system could unexpectedly replace an expiring or invalid EV or OV certificate with a DV certificate.

Note you can use the following command to manually run the AutoSSL check for an individual account if you don't want to wait for the automatic nightly run:

/usr/local/cpanel/bin/autossl_check --user $username

Thank you.

 

[tdldrg]

Yes I'm quite sure it's AutoSSL installed the expired one. Only certificates issued from AutoSSL covers for a few months as mentioned it was 8/30/2016 - 11/29/2016. Could wish 6 months or a year perhaps.

I didn't enable the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." as we also have other non-AutoSSL issued certificates using EV and other SSL installed.

I've also tried that manually checking the account via WHM AutoSSL manage user or command you suggest but just the same.

4:07:43 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
4:07:43 PM Checking websites for “xxxx …
4:07:43 PM The website “xxxx.co.uk”, owned by “xxxx”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
4:07:43 PM The system will attempt to renew SSL certificates for the following websites:
4:07:43 PM xxxx.co.uk (xxxxx.com xxxxx.co.uk www.xxxxx.com www.xxxxxx.co.uk mail.xxxxx.com mail.xxxxx.co.uk)
4:07:43 PM The system has completed the AutoSSL check for “xxxx”.
4:07:43 PM The system has finished checking 1 user.

 

[cPanelMichael]

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[tdldrg]

I've opened a ticket Support Request ID is: 8047329

 

[cPanelMichael]

Hello,

To update, it looks like the renewal failed because Comodo was blocked from accessing the website due to rules in the account's .htaccess file, and thus domain validation failed. Regarding the certificate renewal schedule, this is noted on the Manage AutoSSL document:

Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example:

• AutoSSL will attempt to renew certificates that cPanel, Inc. provides when they expire within 15 days.
• AutoSSL will attempt to renew certificates that Let's Encrypt provides when they expire within 29 days.
• Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.

Let us know if you have any additional questions.

Thank you.