SOLVED [COBRA-13435] AutoSSL not renewing domain certificate when some hosts fail DCV

[celiac101]

I was able to resolve the problem for now by moving to LetsEncrypt as our AutoSSL provider.
Instructions:
Step 1 :
Install Lets Encrypt cpanel plugin
Run the following command in ssh : /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

Step 2:
In WHM -> Manage AutoSSL -> Providers tab -> Select Lets Encrypt and click save.

Step 3:
Run AutoSSL For All Users (Alternatively you may just do it for the domain where ssl did not renew)

Thank you for this! I have no idea why suddenly my AutoSSL stopped working, but this fix worked.

I have only one question related to the authority of LetsEncrypt vs cPanel. Do you think that using a LetsEncrypt certificate for my subdomains vs. a cPanel certificate would impart anything negative to google or other search engines? I know this may seem like a silly question, but I've heard that the quality of your SSL certificate issuer is important, but then again, this could all be just marketing BS.

 

[cPRex]

The SSLs issued by both providers are the same type of domain-validated certificate, so I don't see why there would be a difference. cPanel certificates are provided by Sectigo.

 

[Mise]

Have the same problem here. I have received a complaint and It forces to enter inside WHM to renew it manually and restart Apache & php-fm.

Yesterday 22 the certificate of the domain (here domain1.com) was expired.

And this the log from today 23 before my manual renew:

 02:08:03 Analyzing “domain1”’s domains …
 02:08:03 Analyzing “domain1.com” (website) …
 02:08:03 ERROR TLS Status: Defective
 ERROR Certificate expiry: 22/6/22 0:00 UTC (1,01 days ago)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
 02:08:03 Attempting to ensure the existence of necessary CAA records …
 02:08:03 No CAA records were created.
 02:08:03 Verifying 8 domains’ management status …
 Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
 02:08:03 “cpanel.domain1.com” is managed.
 “mail.domain1.com” is managed.
 “cpcontacts.domain1.com” is managed.
 “webmail.domain1.com” is managed.
 “cpcalendars.domain1.com” is managed.
 CA authorized: “domain1.com”
 CA authorized: “www.domain1.com”
 CA authorized: “mail.domain1.com”
 CA authorized: “cpanel.domain1.com”
 CA authorized: “webdisk.domain1.com”
 CA authorized: “webmail.domain1.com”
 CA authorized: “cpcontacts.domain1.com”
 CA authorized: “cpcalendars.domain1.com”
 “cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
 “www.domain1.com” is managed.
 “webdisk.domain1.com” is managed.
 “domain1.com” is managed.
 All of this user’s 8 domains are managed.
 02:08:03 Performing HTTP DCV (Domain Control Validation) on 8 domains …
 02:08:03 Local HTTP DCV OK: domain1.com
 Local HTTP DCV OK: www.domain1.com
 Local HTTP DCV OK: mail.domain1.com
 Local HTTP DCV OK: cpanel.domain1.com
 Local HTTP DCV OK: webdisk.domain1.com
 Local HTTP DCV OK: webmail.domain1.com
 Local HTTP DCV OK: cpcontacts.domain1.com
 Local HTTP DCV OK: cpcalendars.domain1.com
 02:08:03 No local DNS DCV is necessary.

The tabs config:

Providers:
AutoSSL providers: (x) cPanel (powered by Sectigo)

Options:
(x) Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Manage users:
(x) Reset function list configuration

-------

it seems the certificates are not renewed at the scheduled day of expiration

 

[cPRex]

The original COBRA-13435 case was resolved in all versions of 102, so I wouldn't expect this to be happening on any supported version of cPanel at this point. I also wouldn't expect PHP-FPM to be involved at all in the AutoSSL process.

The only error I'm seeing from your log is that the SSL has expired, but I don't see anywhere showing the actual problem with the renewal not working. Are there any additional logs that show why AutoSSL failed?

 

[celiac101]

The solution is that you need to add a CAA text record to your DNS zone for that domain. The record should look like this, and it allows the SSL issuer to modify your DNS zone:

domain1.com.

14400

CAA

Flags: 0 Tag: issue Value: sectigo.com

 

[Mise]

The only error I'm seeing from your log is that the SSL has expired, but I don't see anywhere showing the actual problem with the renewal not working. Are there any additional logs that show why AutoSSL failed?

no errors inside /usr/local/cpanel/logs . Just it seems day 22 was finished and the certificate was not renewed.

Are there more logs to look?


I will wait for the next domain to be renewed to see what happens.

The solution is that you need to add a CAA text record to your DNS zone for that domain. The record should look like this, and it allows the SSL issuer to modify your DNS zone:

thank you. I save your message in case this is repeated in the future.