autossl - The cPanel Store returned an error (X::TemporarilyUnavailable)

[morrow95]

Started receiving these notification emails yesterday and would like to figure out what the issue is and take care of it. If I look at 'Manage AutoSSL' in WHM the logs look fine so I am guessing this message is related to hostname services cert? There isn't a whole lot of information being given here other than 'cpanel' so I have to assume it is related to the hostname since things appears fine for the domains according to the 'Manage AutoSSL' logs. I am NOT using the cloud service.

Ideas, things to check, etc? Being SSL related I'd like to take care of this as soon as possible as it will likely affect services on the server if a cert expires.

---------

Subject: [hostname.example.com] 1 service generated warnings while checking SSL certificates.

The following cPanel service generated warnings from the checkallsslcerts script.

cpanel

The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID d92cxd) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.

The system generated this notice on Tuesday, April 12, 2022 at 9:02:08 AM UTC.

“cPanel service SSL certificate warnings” notifications are currently configured to have an importance of “Medium”. You can change the importance or disable this type of notification in WHM’s Contact Manager at: https://hostname.example.com:2087/scripts2/editcontact?event=SSL::CheckAllCertsWarnings

 

[cPRex]

Hey there! There's a few threads about this already, but the short story is there are rate limits from our SSL provider causing this. There's nothing wrong with the server that you need to fix, and it will check for the SSL again and get it installed.

Similar issue here, although I don't think this user's was with the hostname: Failed to acquire a signed certificate from the cPanel Store

 

[morrow95]

Hey there! There's a few threads about this already, but the short story is there are rate limits from our SSL provider causing this. There's nothing wrong with the server that you need to fix, and it will check for the SSL again and get it installed.

Similar issue here, although I don't think this user's was with the hostname: Failed to acquire a signed certificate from the cPanel Store

Thanks for the info. I'll keep an eye on it. It is a little worrisome this happens as each day that passes is one less day to renew the cert. If any cert expires, in my situation, it would certainly break things and prevent use.

 

[cPRex]

If it gets too close for comfort, feel free to submit a ticket to our team and we can take a look!

 

[morrow95]

Four days in a row now with the same error. How long does it usually take to correct itself due to the rate limiting with the provider?

 

[cPRex]

I'm not sure it will - the issues with Sectigo have been happening off and on since January. If it gets too close to the renewal date, submit a ticket so our team can check it out directly.

 

[Steini Petur]

Trust me this is just going to be forever with Sectigo, I had this in January and just go with Lets Encrypt here The Let's Encrypt Plugin | cPanel & WHM Documentation I just ran into another issue with Sectigo

Keeping this short and sweet, Lets encrypt over cPanel Sectigo ALL DAY

Hey guys, As a server administrator, you really want to be dealing with the real issues not an SSL installation issue. You also don't want your support team to be dealing with this on a regular basis, here is where it is 1:29:33 PM Processing “xxx”’s local DCV results … 1:29:33 PM Analyzing...

forums.cpanel.net

And in January I posted also and then it was just "sorry Sectigo is on thefridge..."

Just swap to Lets Encrypt and avoid all this hassle.. they are far more stable, I am usually super calm but now I'm just frustrated..

 

[Steini Petur]

Here I responded to one other

SOLVED - The cPanel Store returned an error (X::TemporarilyUnavailable)

On service cert renewal last night on 2 machines: The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID yhjh8r) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST...

forums.cpanel.net

and here is reply to another

Checkallsslcerts error

Hi, same problem here! The SSL for the services expired 11/27/2021 and since then no new certificate installed. I get the following error: The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID b9xuxw) The cPanel Store returned an error...

forums.cpanel.net

This is just annoying to deal with on a regular basis with your clients..

 

[jhawkins003]

Just to add to the conversation - we're being impacted as well. Would love to see vendor options extended for obtaining hostname certificates.

 

[cPRex]

Would love to see vendor options extended for obtaining hostname certificates.

Me too! It's definitely something that's on the table.

 

[Spirogg]

you need to add these IP's to your firewall.

Question
What IP addresses do Sectigo DCV requests originate from?



Answer
Sectigo's DCV request origin IPs are these:

178.255.81.12
178.255.81.13
91.199.212.132
199.66.201.132


To ensure that Sectigo DCV requests for AutoSSL reach your server, you must whitelist these IP addresses for port 53 (TCP & UDP) and port 80 (TCP).

https://support.cpanel.net/hc/en-us/articles/360053968633-What-IP-addresses-do-Sectigo-DCV-requests-originate-from-?_ga=2.14035959.1946357548.1650182953-851246032.1649808802

Also another issue was if you have Force Https redirect [ON] in cpanel for that domain. under home > domain >domain
this would cause issues as well. is what I was told from support staff.





So if your still having issues with getting certs - you can try to turn off force https redirect and see if the domains get updated.

I did both add IP's and turn [OFF] force https redirect

then I started the process again /usr/local/cpanel/bin/checkallsslcerts to get certs and it updated all domains.

Kind Regards,
Spiro

 

[swbrains]

Can't get new SSL cert for two new accounts tonight. First I simply got the "Sectigo can't accept requests..." message. Now I'm getting this message indicating the same but with an error 500 code and some HTML tags associated with it:

12:39:12 AM ERROR AutoSSL failed to request an SSL certificate for “[xxxxxxxx]” because of an error: (XID up4tzv) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (500, Internal Server Error): <!DOCTYPE HTML PUBLIC "-//IETF/…
12:39:14 AM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

Lets Encrypt is much more reliable when issuing/renewing certs, but even with an increase from them, I still hit the limits so they're not really a viable alternative for me.

 

[Spirogg]

Can't get new SSL cert for two new accounts tonight. First I simply got the "Sectigo can't accept requests..." message. Now I'm getting this message indicating the same but with an error 500 code and some HTML tags associated with it:

12:39:12 AM ERROR AutoSSL failed to request an SSL certificate for “[xxxxxxxx]” because of an error: (XID up4tzv) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (500, Internal Server Error): <!DOCTYPE HTML PUBLIC "-//IETF/…
12:39:14 AM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

Lets Encrypt is much more reliable when issuing/renewing certs, but even with an increase from them, I still hit the limits so they're not really a viable alternative for me.

Have you tried to whitelist these IP’s in your firewall and also Cphulk if you have it on


Sectigo's DCV request origin IPs are these:

178.255.81.12
178.255.81.13
91.199.212.132
199.66.201.132


To ensure that Sectigo DCV requests for AutoSSL reach your server, you must whitelist these IP addresses for port 53 (TCP & UDP) and port 80 (TCP).

Then try this
/usr/local/cpanel/bin/checkallsslcerts

Or try running AutoSSL for the 2 new accounts

https://support.cpanel.net/hc/en-us/articles/360052084113-Why-are-my-AutoSSL-certificates-stuck-in-the-pending-queue-

 

[swbrains]

Have you tried to whitelist these IP’s in your firewall and also Cphulk if you have it on....

Yes, thanks, I did whitelist them (cpHulk is currently off) but the firewall/lfd is active and I added those IPs to the firewall allow lists.

 

[swbrains]

Oddly, in my case, the AutoSSL log shows that the cert was requested for several subdomains (myaccount.example,com, mail.myaccount.example.com, m.myaccount.example.com, etc,...). The log indicates:

ERROR AutoSSL failed to request an SSL certificate for “myaccount.example.com” because of an error: (XID knbh2x) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (500, Internal Server Error): <!DOCTYPE HTML PUBLIC "-//IETF/…

But then two minutes later, the log shows:

Polling for “sectigo”’s new certificate for “m.myaccount.example.com” (order item ID “1617251703”) …
The certificate is available.
Installing “m.myaccount.example.com”’s new certificate …
8:43:17 AM SUCCESS Success!

And nothing is in the pending queue.

But when I try to access the site, I get the following message from my browser:

NET::ERR_CERT_COMMON_NAME_INVALID
Subject: *.default.example.com
Issuer: R3
Expires on: Jul 20, 2022
Current date: Apr 21, 2022

Which is the certificate installed on "default.example.com" which is the account listed as the "primary" account in Manage SSL Hosts in WHM.

So Sectigo somehow either generates a bogus certificate, or the server is installing the wrong certificate on the site. Since the AutoSSL log doesn't show the Sectigo issued a cert containing the base subdomain "myaccount.example.com" that was requested and only produced one for "m.myaccount.example.com", it seems the cert that got installed was not including all the requested subject names, and perhaps the server sees that and tries to use the one from the "primary" account?

When I go to Manage SSL Hosts and find this account in the list, it shows that the cert is only issued for "m.myaccount.example.com" and "www.m.myaccount.example.com". It doesn't contain the base domain of "myaccount.example.com" or any of the other usual subdomains like cpanel., webmail., etc, that I see for all other accounts.

This issue is now consistent for all my new accounts using AutoSSL with Sectigo in the past day.

 

[cPRex]

@swbrains - if that behavior is consistent, I think we'd like to see that directly if you could make a ticket.