autossl - The cPanel Store returned an error (X::TemporarilyUnavailable)

morrow95

Started receiving these notification emails yesterday and would like to figure out what the issue is and take care of it. If I look at 'Manage AutoSSL' in WHM the logs look fine, so I am guessing this message is related to the hostname services cert? There isn't a whole lot of information being given here other than 'cpanel', so I have to assume it is related to the hostname since things appear fine for the domains according to the 'Manage AutoSSL' logs. I am NOT using the cloud service.

Ideas, things to check, etc? Being SSL related I'd like to take care of this as soon as possible as it will likely affect services on the server if a cert expires.

---------

Subject: [hostname.example.com] ⚠ 1 service generated warnings while checking SSL certificates.

The following cPanel service generated warnings from the checkallsslcerts script.

⚠ cpanel

The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID d92cxd) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.

The system generated this notice on Tuesday, April 12, 2022 at 9:02:08 AM UTC.

“cPanel service SSL certificate warnings” notifications are currently configured to have an importance of “Medium”. You can change the importance or disable this type of notification in WHM’s Contact Manager at: https://hostname.example.com:2087/scripts2/editcontact?event=SSL::CheckAllCertsWarnings
 

cPRex

Jurassic Moderator
Staff member
Hey there! There's a few threads about this already, but the short story is there are rate limits from our SSL provider causing this. There's nothing wrong with the server that you need to fix, and it will check for the SSL again and get it installed.

Similar issue here, although I don't think this user's was with the hostname: Failed to acquire a signed certificate from the cPanel Store
 

morrow95

Thanks for the info. I'll keep an eye on it. It is a little worrisome this happens as each day that passes is one less day to renew the cert. If any cert expires, in my situation, it would certainly break things and prevent use.
 

morrow95

Four days in a row now with the same error. How long does it usually take to correct itself due to the rate limiting with the provider?
 

Steini Petur

Trust me, this is just going to be forever with Sectigo. I had this in January, and just go with Let's Encrypt here: The Let's Encrypt Plugin | cPanel & WHM Documentation. I just ran into another issue with Sectigo.

And in January I posted also and then it was just "sorry Sectigo is on the fridge..."

Just swap to Let's Encrypt and avoid all this hassle.. they are far more stable, I am usually super calm but now I'm just frustrated..
 

Steini Petur

Here I responded to one other


and here is reply to another


This is just annoying to deal with on a regular basis with your clients..
 

jhawkins003

Just to add to the conversation - we're being impacted as well. Would love to see vendor options extended for obtaining hostname certificates.
 

Spirogg

You need to add these IPs to your firewall.

Question
What IP addresses do Sectigo DCV requests originate from?



Answer
Sectigo's DCV request origin IPs are these:

178.255.81.12
178.255.81.13
91.199.212.132
199.66.201.132


To ensure that Sectigo DCV requests for AutoSSL reach your server, you must whitelist these IP addresses for port 53 (TCP & UDP) and port 80 (TCP).





Also, another issue was if you have Force HTTPS Redirect [ON] in cPanel for that domain, under home > domain > domain.
This would cause issues as well, is what I was told by support staff.




So if you're still having issues with getting certs, you can try to turn off Force HTTPS Redirect and see if the domains get updated.

I did both: added the IPs and turned [OFF] Force HTTPS Redirect.

Then I started the process again with /usr/local/cpanel/bin/checkallsslcerts to get certs, and it updated all domains.

Kind Regards,
Spiro
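
An added example, not part of the post above or of cPanel's tooling: a shell audit that reports which allow entries for the listed Sectigo DCV sources (port 53 TCP and UDP, port 80 TCP) are still missing from a firewall allow list. It assumes a CSF-style allow file using the `proto|in|d=port|s=ip` advanced-filter form; the sample file contents and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a CSF-style allow list for the
# Sectigo DCV source IPs and ports listed in the post above.
SECTIGO_DCV_IPS="178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132"
REQUIRED="tcp:53 udp:53 tcp:80"   # port 53 (TCP & UDP) and port 80 (TCP)

# Strip comments and whitespace so entries can be compared as exact lines.
normalised() { sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1"; }

# Print the entries (proto|in|d=port|s=ip) that are missing from file $1.
# Assumption: entries use exactly this field order; a bare IP line allows
# every port for that source, so it already covers DCV.
missing_dcv_rules() {
    rules=$(normalised "$1")
    for ip in $SECTIGO_DCV_IPS; do
        if printf '%s\n' "$rules" | grep -Fxq -- "$ip"; then continue; fi
        for pp in $REQUIRED; do
            entry="${pp%%:*}|in|d=${pp##*:}|s=$ip"
            printf '%s\n' "$rules" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
        done
    done
}

# Constructed sample allow list (hypothetical contents, for the demo only).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
178.255.81.12 # Sectigo DCV, all ports
tcp|in|d=80|s=178.255.81.13
tcp|in|d=53|s=91.199.212.132
udp|in|d=53|s=91.199.212.132
tcp|in|d=80|s=91.199.212.132
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Entries still missing:"
missing_dcv_rules "$sample"
rm -f "$sample"
```

Scoping each entry to a source IP, protocol and destination port keeps the exception as narrow as the DCV requirement itself.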
 

swbrains

Can't get new SSL cert for two new accounts tonight. First I simply got the "Sectigo can't accept requests..." message. Now I'm getting this message indicating the same but with an error 500 code and some HTML tags associated with it:

12:39:12 AM ERROR AutoSSL failed to request an SSL certificate for “[xxxxxxxx]” because of an error: (XID up4tzv) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (500, Internal Server Error): <!DOCTYPE HTML PUBLIC "-//IETF/…
12:39:14 AM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

Let's Encrypt is much more reliable when issuing/renewing certs, but even with an increase from them, I still hit the limits so they're not really a viable alternative for me.
 

Spirogg

Have you tried to whitelist these IPs in your firewall, and also in cPHulk if you have it on?


Sectigo's DCV request origin IPs are these:

178.255.81.12
178.255.81.13
91.199.212.132
199.66.201.132


To ensure that Sectigo DCV requests for AutoSSL reach your server, you must whitelist these IP addresses for port 53 (TCP & UDP) and port 80 (TCP).

Then try this
/usr/local/cpanel/bin/checkallsslcerts

Or try running AutoSSL for the 2 new accounts
 

swbrains

Have you tried to whitelist these IPs in your firewall and also cPHulk if you have it on....
Yes, thanks, I did whitelist them (cpHulk is currently off) but the firewall/lfd is active and I added those IPs to the firewall allow lists.
 

swbrains

Oddly, in my case, the AutoSSL log shows that the cert was requested for several subdomains (myaccount.example.com, mail.myaccount.example.com, m.myaccount.example.com, etc.). The log indicates:

ERROR AutoSSL failed to request an SSL certificate for “myaccount.example.com” because of an error: (XID knbh2x) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (500, Internal Server Error): <!DOCTYPE HTML PUBLIC "-//IETF/…

But then two minutes later, the log shows:

Polling for “sectigo”’s new certificate for “m.myaccount.example.com” (order item ID “1617251703”) …
The certificate is available.
Installing “m.myaccount.example.com”’s new certificate …
8:43:17 AM SUCCESS Success!


And nothing is in the pending queue.

But when I try to access the site, I get the following message from my browser:

NET::ERR_CERT_COMMON_NAME_INVALID
Subject: *.default.example.com
Issuer: R3
Expires on: Jul 20, 2022
Current date: Apr 21, 2022


Which is the certificate installed on "default.example.com" which is the account listed as the "primary" account in Manage SSL Hosts in WHM.

So Sectigo somehow either generates a bogus certificate, or the server is installing the wrong certificate on the site. Since the AutoSSL log doesn't show that Sectigo issued a cert containing the base subdomain "myaccount.example.com" that was requested and only produced one for "m.myaccount.example.com", it seems the cert that got installed was not including all the requested subject names, and perhaps the server sees that and tries to use the one from the "primary" account?

When I go to Manage SSL Hosts and find this account in the list, it shows that the cert is only issued for "m.myaccount.example.com" and "www.m.myaccount.example.com". It doesn't contain the base domain of "myaccount.example.com" or any of the other usual subdomains like cpanel., webmail., etc, that I see for all other accounts.

This issue is now consistent for all my new accounts using AutoSSL with Sectigo in the past day.
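
An added example, not part of the post above: a shell check of which requested names a certificate's subjectAltName list covers, using the thread's placeholder names. It shows why a certificate for "m.myaccount.example.com" or a "*.default.example.com" wildcard produces a name-mismatch error on "myaccount.example.com"; the function names and name lists are constructed from the post's description.

```shell
#!/bin/sh
# Added example (not from the thread): check which requested names a
# certificate's subjectAltName list covers. Names are the thread's placeholders.

# Succeeds if hostname $1 matches SAN entry $2: exact match, or a "*." wildcard
# standing for exactly one leftmost label (it never matches the bare parent).
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $san in
        '*.'*) [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${san#\*.}" ] ;;
        *)     [ "$host" = "$san" ] ;;
    esac
}

# Print each name in $1 (space-separated) that no SAN in $2 covers.
# Runs in a subshell with globbing off so "*.domain" entries stay literal.
uncovered_names() (
    set -f
    for name in $1; do
        covered=no
        for san in $2; do
            if san_matches "$name" "$san"; then covered=yes; break; fi
        done
        [ "$covered" = yes ] || printf '%s\n' "$name"
    done
)

# Constructed inputs taken from the description in the post above.
REQUESTED="myaccount.example.com mail.myaccount.example.com m.myaccount.example.com"
ISSUED_SANS="m.myaccount.example.com www.m.myaccount.example.com"  # per Manage SSL Hosts
PRIMARY_SANS="*.default.example.com"                               # cert the browser saw

echo "Not covered by the issued certificate:"
uncovered_names "$REQUESTED" "$ISSUED_SANS"
echo "Not covered by the primary account's wildcard:"
uncovered_names "$REQUESTED" "$PRIMARY_SANS"
```

The SAN list of an installed certificate can be read with `openssl x509 -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) and passed in as the second argument.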