SOLVED AutoSSL: The certificate is not available. (processing)

[JustAGuyUsingWHM]

Hi.

How long should it take for a cPanel(Comodo) certificate to automatically update and receive the new certificate? Should I be concerned the certificate is not being issued in a 'timely' fashion.

The process seems to have kick started today correctly, and all the validation checks appear to have passed, but the certificate hasn't been issued.

Some sample output below, the domain\account names have been anonymized:

Log 1 - Shows automatic attempt to get certificate (appears to be polling every hour for the last ~12 hours):

11:10:01 AM The queue contains a request for a certificate for changedaccountname website example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 10:10:02 AM UTC. The next poll will be no earlier than Feb 4, 2019, 10:10:02 AM UTC.
 11:15:02 AM Polling for changedaccountname new certificate for example.com” (order item ID “565703513”) …
 11:15:03 AM The certificate is not available. (processing)
 Setting up for Comodo’s DCV (Domain Control Validation) for this certificate request …
 11:20:01 AM The queue contains a request for a certificate for changedaccountname website example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 11:15:02 AM UTC. The next poll will be no earlier than Feb 4, 2019, 11:15:02 AM UTC.

Logs 2: Results of Check "changedaccountname" to try and encouragea certificate fetch.

11:44:48 AM Analyzing “example.com” …
 11:44:48 AM User-excluded domains: 7 (mail.example.com, webmail.example.com, cpanel.example.com, whm.example.com, webdisk.example.com, mail.example.net, www.mail.example.com)
 TLS Status: Ready for Renewal
 WARN Certificate expiry: 2/14/19, 12:00 AM UTC (9.51 days from now)
 11:44:48 AM Performing DCV (Domain Control Validation) …
 11:44:48 AM Local HTTP DCV OK: example.com
 Local HTTP DCV OK: example.net
 Local HTTP DCV OK: www.example.com (via example.com)
 Local HTTP DCV OK: www.example.net (via example.net)
 11:44:48 AM Analyzing “example.com”’s DCV results …
 11:44:48 AM AutoSSL will request a new certificate.
 11:44:48 AM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com example.net www.example.net).
 11:44:49 AM No CAA record added because there is no CAA record from another provider in the DNS for example.net.
 No CAA record added because there is no CAA record from another provider in the DNS for example.com.
 The provider “cPanel (powered by Comodo)”’s AutoSSL queue already contains a certificate request for “changedaccountname”’s website “example.com”. The request’s start time is Feb 4, 2019, 12:58:02 AM UTC, and its last poll time is Feb 4, 2019, 11:15:02 AM UTC.
 11:44:49 AM The system has completed the AutoSSL check for “changedaccountname”.

Thanks.

 

[cPanelMichael]

Hello @JustAGuyUsingWHM,

Here's a section from the Manage AutoSSL document that answers this question:

While the cPanel AutoSSL provider generally only requires a short amount of time to complete the installation process, certain factors may cause longer wait times. Under some conditions, certificates may require up to 48 hours to process.

Can you confirm if the certificate is still processing at this time?

Thank you.

 

[JustAGuyUsingWHM]

Hi cPanelMichael.

Yeah it's still waiting...


Sample of the most recent output:

7:35:02 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 6:50:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 6:50:02 PM UTC.
7:40:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 6:50:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 6:50:02 PM UTC.
7:45:02 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 6:50:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 6:50:02 PM UTC.
7:50:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 6:50:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 6:50:02 PM UTC.
7:55:01 PM Polling for changedaccountname new certificate for “example.com” (order item ID “565703513”) …
7:55:02 PM The certificate is not available. (processing)
Setting up for Comodo’s DCV (Domain Control Validation) for this certificate request …
8:00:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:05:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:10:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:15:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:20:02 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:25:02 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:30:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:35:02 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:40:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:45:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:50:02 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.
8:55:01 PM The queue contains a request for a certificate for changedaccountname website “example.com” (order item ID “565703513”). The system last polled for this certificate at Feb 4, 2019, 7:55:02 PM UTC. The next poll will be no earlier than Feb 4, 2019, 7:55:02 PM UTC.


Thanks for taking a look at this.​

 

[cPanelMichael]

Hi @JustAGuyUsingWHM,

Could you open a support ticket so we can take a closer look to see why the certificate was not issued? You can post the ticket number here and I'll link this thread to it.

Thank you.

 

[JustAGuyUsingWHM]

Hi @cPanelMichael.

Thanks again. The support ticket is 11373793.

 

[Nathan Lord]

Seem to be having a similar issue:
- The system is waiting on the AutoSSL provider to validate and issue the certificate (in the pending queue been like this for a day / usually is something thats fairly quick)

Below is the log.

Log for the AutoSSL run for “example”: Wednesday, February 6, 2019 10:18:40 AM GMT+0000 (cPanel (powered by Comodo))
10:18:40 AM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Checking examples for “example” …
10:18:40 AM Analyzing “example.com” …
10:18:40 AM User-excluded domains: 4 (mail.example.com, webmail.example.com, cpanel.example.com, webdisk.example.com)
ERROR TLS Status: Defective
ERROR Certificate expiry: 2/5/19, 12:00 AM UTC (1.43 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
10:18:40 AM Performing DCV (Domain Control Validation) …
10:18:40 AM Local HTTP DCV OK: example.com
Local HTTP DCV OK: www.example.com (via example.com)
10:18:40 AM Analyzing “example.com”’s DCV results …
10:18:40 AM AutoSSL will request a new certificate.
10:18:40 AM The system will attempt to renew the SSL certificate for the example (example.com: example.com www.example.com).
10:18:41 AM No CAA record added because there is no CAA record from another provider in the DNS for example.com.
The provider “cPanel (powered by Comodo)”’s AutoSSL queue already contains a certificate request for “example”’s example “example.com”. The request’s start time is Feb 5, 2019, 11:52:37 AM UTC, and its last poll time is Feb 6, 2019, 10:11:03 AM UTC.
10:18:41 AM The system has completed the AutoSSL check for “example”.

 

[JustAGuyUsingWHM]

@Nathan Lord

Support have come back to me. Its a DNS DCV error on the 2nd of the domains. I translate DNS DCV as Domain Name Server Domain Control Validation.

It makes sense: when I originally tried to set-up the certificate with LetsEncrypt on AutoSSL it refused for the same reason - there's a malformed AAAA Ipv6 record on the 2nd domain. cPanel Comodo didn't check the AAAA record or fell back on plain old DCV (no DNS, just uploading a file to a directory and browsing to it) and worked; so I went with cPanel Comodo. It seems cPanel Comodo are now checking the AAAA record too.

You can check your domain using the LetsEncrypt tool at Let's Debug to see if you have a similar issue.

My solution is obviously to fix the AAAA record. Although it's worth noting that Support mentioned IPv6 isn't yet supported by AutoSSL.

Best of luck.

 

[cPanelMichael]

Hello,

To follow-up on this topic, CPANEL-25209 was published as part of cPanel & WHM version 76.0.20:

Fixed case CPANEL-25209: IPv6 Support for DCV.

Here's a summary of the change from one of our Technical Analysts:

IPv6 is now supported by AutoSSL, which means that AutoSSL will do DCV checks on IPv6 if a AAAA record exists, and then fail if the check using IPv6 fails. Fallback will go to DNS DCV instead of IPv4.

So, if IPv6 fails at AutoSSL, the requests won’t be sent to Comodo. This is the intention of the case. If AutoSSL is failing and a domain has a AAAA record, we should determine why it's failing (e.g. IPv6 routing isn't enabled, IPv6 isn't enabled on the account account, or the AAAA record points to a different server entirely).

Thank you.