Autossl won't update certs

jndawson

Well-Known Member
Aug 27, 2014
303
32
78
Western US
cPanel Access Level
DataCenter Provider
We discovered a domain that had expired autossl comodo certs installed, but they didn't update when expired a couple of weeks ago. There's nothing in the pending queue, even after trying to run autossl on the account. We tried via both the whm and cpanel interfaces, but keep getting the same error, even after completely removing all related certs from the domain. Error message:

Code:
Checking websites for “userdomain” …
11:29:56 AM Analyzing “dev.userdomain.tld” …
11:29:56 AM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
11:29:56 AM Analyzing “newsite.userdomain.tld” …
11:29:56 AM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
11:29:56 AM Analyzing “userdomain.tld” …
11:29:56 AM User-excluded domain: 1 (autodiscover.userdomain.tld)
ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
We also noted year-old certs in the /var/cpanel/ssl/installed/certs directory that we removedbut had no effect on the results.
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,755
311
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Normally when we see this, the first thing to check is that here is nothing in the .htaccess of the site preventing the verification of the cert.
This is the directory where it puts a validation file:
public_html/.well-known/pki-validation/

You could try creating a txt file there and see if you can access it in a browser:
"domain.com/.well-known/pki-validation/test.txt"

Sometimes items in there prevent the verification server from seeing the validation file that gets placed there.

Also do you see any errors when running this in SSH:
/usr/local/cpanel/bin/autossl_check_cpstore_queue --force

Also you should make sure that the domain is correctly pointed to your server. I would verify the DNS and Nameservers for that domain are correct.
 

jndawson

Well-Known Member
Aug 27, 2014
303
32
78
Western US
cPanel Access Level
DataCenter Provider
Normally when we see this, the first thing to check is that here is nothing in the .htaccess of the site preventing the verification of the cert.
Checked; nope, nothing changed as far as we can tell. Tried removing .htaccess and running autossl already; same errors.

This is the directory where it puts a validation file:
public_html/.well-known/pki-validation/
Since we deleted all of the expired certs, there is nothing in any of the pki-validation directories, which we confirmed after running autossl and getting the errors.

You could try creating a txt file there and see if you can access it in a browser:
"domain.com/.well-known/pki-validation/test.txt"

Sometimes items in there prevent the verification server from seeing the validation file that gets placed there.
Displays nicely; Site's been working fine for years, so didn't expect any issues.

Also do you see any errors when running this in SSH:
/usr/local/cpanel/bin/autossl_check_cpstore_queue --force
Nope. One of the first things we checked.

Also you should make sure that the domain is correctly pointed to your server. I would verify the DNS and Nameservers for that domain are correct.
Site's been working for years, this is an auto-renewal of autossl that didn't work, and then manual renewal, which also isn't working.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,266
313
Houston
Hi @jndawson

Thanks for noting the Ticket ID I took a look at it and it appears that the issue was found to be a combination of things. First a redirect on the affected domain was keeping the DCV from completing (Comodo does not follow redirects) and second it seems the DNS zone file was missing for the account. Once those two items were reconciled the DCV check was able to complete as expected.

Thanks!