SOLVED AutoSSL Will Not Replace This Certificate

Discussion in 'Security' started by linux4me2, Nov 11, 2016.

  1. linux4me2

    linux4me2 Well-Known Member

    I'm running WHM 60 build 17, and I have AutoSSL enabled for several accounts, including some that have valid, private CA certs installed. In Manage AutoSSL -> Options, I have "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" checked.

    The account without a private CA cert is working fine, and the log shows that "all websites" on that account have valid SSL certificates. The log says nothing about the "mail" subdomain on that account.

    The accounts that have valid, private CA certs are all showing messages like this in the logs:
    I'm confused. Does that mean that when the private SSL cert expires, AutoSSL won't replace it even though I have that option enabled, or is AutoSSL just not attempting to replace that certificate because it's valid and the "mail" domain is a red herring?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You shouldn't see that warning message once the private certificate expires and is replaced with a certificate generated by the AutoSSL feature. AutoSSL will automatically generate a certificate for the mail subdomain at that time.

    Thank you.
     
  3. linux4me2

    linux4me2 Well-Known Member

    Thanks, Michael. I get it. The message would be much more clear if it were to say:
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It may actually work better with the current message, because it's an accurate description of why AutoSSL did not replace the certificate during that specific AutoSSL check. If it were to include a statement such as "AutoSSL will not replace this certificate until X days before it expires", then it's potentially incorrect information in the event an administrator disables "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates".

    Thank you.
     
  5. linux4me2

    linux4me2 Well-Known Member

    I didn't think of it that way. Either one will work now that I know what's going to happen. :)
     
  6. martin MHC

    martin MHC Active Member

    I have the same issue with a certificate that will expire in 6 days. Will AutoSSL be happy to generate a replacement certificate so that there is no gap between the previous and new certificates coming into effect?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, but if this is a non-AutoSSL certificate, then it's only replaced if you enable "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." under the "Options" tab in "WHM >> Manage AutoSSL". It should actually replace it on the next AutoSSL run after enabling this option because six days is within the window where expiring certificates are replaced:

    AutoSSL will attempt to renew certificates that cPanel, Inc. provides when they expire within 15 days.
    AutoSSL will attempt to renew certificates that Let's Encrypt provides when they expire within 29 days.


    Thank you.
     
  8. martin MHC

    martin MHC Active Member

    Hi Michael,
    I should have clarified that I do have the "Allow Auto-SSL to replace invalid or expiring non-AutoSSL certificates." option checked. I have raised a support ticket as to why this certificate/domain does not seem to be refreshing the AutoSSL ticket.
     
  9. sneader

    sneader Well-Known Member

    Add me to the list of folks confused by this.

    I have "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." checked.

    I have a user enabled for AutoSSL. They have an existing SSL certificate from RapidSSL for one of their domains, that expires in a couple weeks. They do NOT have an SSL certificate for another parked domain. It would be nice that both domains have SSL.

    So... why is cPanel giving me this confusing and conflicting error message:

    " 11:23:22 PM This website’s SSL certificate lacks the following domains: example.net, www.example.net, mail.example.net, mail.example.org. However, AutoSSL will not replace this certificate, because the certificate does not appear to come from an installed AutoSSL provider."

    Keep in mind, I have "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." checked. So, who cares if the certificate does not appear to come from an AutoSSL provider? By checking the box, I've given cPanel permission to replace it. Right?

    - Scott
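
Added example, not part of the thread or of cPanel's code: a small Python parser for the log message quoted above, which lists the hostnames AutoSSL reported as uncovered and the reason it gave. The sample lines are constructed from the quoted message, the function names are hypothetical, and the pattern matches only the pre-60.0.31 wording shown on this page.

```python
import re

# Wording taken from the log line quoted in the post above (cPanel 60, before
# the CPANEL-10103 message change). Accepts a straight or curly apostrophe.
LACKS_RE = re.compile(
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"This website[’']s SSL certificate lacks the following domains: "
    r"(?P<domains>.+?)\. However, AutoSSL will not replace this certificate, "
    r"because (?P<reason>.+?)\.?\s*$"
)

# Constructed sample input: the second line is the message from the thread,
# the others are filler, not real AutoSSL output.
SAMPLE_LOG = [
    "11:23:21 PM (constructed filler line)",
    "11:23:22 PM This website’s SSL certificate lacks the following domains: "
    "example.net, www.example.net, mail.example.net, mail.example.org. "
    "However, AutoSSL will not replace this certificate, because the "
    "certificate does not appear to come from an installed AutoSSL provider.",
    "11:23:25 PM (constructed filler line)",
]

def parse_skipped(line):
    """Return {'time', 'domains', 'reason'} for a 'lacks domains' line, else None."""
    m = LACKS_RE.search(line.strip().strip('"').strip())
    if not m:
        return None
    domains = [d.strip().lower() for d in m.group("domains").split(",") if d.strip()]
    return {"time": m.group("time"), "domains": domains, "reason": m.group("reason")}

def uncovered_report(lines):
    """Collect every hostname AutoSSL reported as missing, keyed by the stated reason."""
    report = {}
    for line in lines:
        rec = parse_skipped(line)
        if rec:
            report.setdefault(rec["reason"], set()).update(rec["domains"])
    return {reason: sorted(names) for reason, names in report.items()}

if __name__ == "__main__":
    for reason, names in uncovered_report(SAMPLE_LOG).items():
        print(f"{len(names)} hostname(s) without coverage ({reason}):")
        for name in names:
            print("  " + name)
```

Hostnames in this report stay without a matching certificate until the existing certificate is replaced, so they are the ones to check again after the next AutoSSL run.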
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @sneader,

    Currently, the AutoSSL logs will show a message like this, even when the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option is enabled:

    This is confusing, as AutoSSL will in fact eventually replace the certificate if "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" is enabled. Internal case CPANEL-10103 will address this by improving the message to note that AutoSSL will replace the certificate once it's in the 3-day expiry window.

    The case is already included in the cPanel version 62 development branch (Edge build tier), and I'll update this thread again once it's published to a cPanel 60 build.

    Thank you.
     
  11. sneader

    sneader Well-Known Member

  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    To update, CPANEL-10103 was included with cPanel version 60.0.31:

    Fixed case CPANEL-10103: Update AutoSSL message when a cert will be replaced in the 3 days window.

    Thank you.
     