SOLVED [COBRA-13435] AutoSSL not renewing domain certificate when some hosts fail DCV

celiac101

Well-Known Member
Dec 19, 2012
cPanel Access Level
Website Owner
I was able to resolve the problem for now by moving to Let's Encrypt as our AutoSSL provider.
Instructions:
Step 1:
Install the Let's Encrypt cPanel plugin.
Run the following command over SSH: /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

Step 2:
In WHM -> Manage AutoSSL -> Providers tab -> Select Let's Encrypt and click Save.

Step 3:
Run AutoSSL For All Users (alternatively, you may just do it for the domain where SSL did not renew).

Thank you for this! I have no idea why suddenly my AutoSSL stopped working, but this fix worked.

I have only one question related to the authority of Let's Encrypt vs. cPanel. Do you think that using a Let's Encrypt certificate for my subdomains vs. a cPanel certificate would impart anything negative to Google or other search engines? I know this may seem like a silly question, but I've heard that the quality of your SSL certificate issuer is important, but then again, this could all be just marketing BS.
 

Mise

Well-Known Member
May 15, 2011
Have the same problem here. I have received a complaint, and it forced me to go into WHM to renew it manually and restart Apache & PHP-FPM.

Yesterday, the 22nd, the certificate of the domain (here domain1.com) expired.

And this is the log from today, the 23rd, before my manual renewal:

Code:
 02:08:03 Analyzing “domain1”’s domains …
 02:08:03 Analyzing “domain1.com” (website) …
 02:08:03 ERROR TLS Status: Defective
 ERROR Certificate expiry: 22/6/22 0:00 UTC (1,01 days ago)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
 02:08:03 Attempting to ensure the existence of necessary CAA records …
 02:08:03 No CAA records were created.
 02:08:03 Verifying 8 domains’ management status …
 Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
 02:08:03 “cpanel.domain1.com” is managed.
 “mail.domain1.com” is managed.
 “cpcontacts.domain1.com” is managed.
 “webmail.domain1.com” is managed.
 “cpcalendars.domain1.com” is managed.
 CA authorized: “domain1.com”
 CA authorized: “www.domain1.com”
 CA authorized: “mail.domain1.com”
 CA authorized: “cpanel.domain1.com”
 CA authorized: “webdisk.domain1.com”
 CA authorized: “webmail.domain1.com”
 CA authorized: “cpcontacts.domain1.com”
 CA authorized: “cpcalendars.domain1.com”
 “cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
 “www.domain1.com” is managed.
 “webdisk.domain1.com” is managed.
 “domain1.com” is managed.
 All of this user’s 8 domains are managed.
 02:08:03 Performing HTTP DCV (Domain Control Validation) on 8 domains …
 02:08:03 Local HTTP DCV OK: domain1.com
 Local HTTP DCV OK: www.domain1.com
 Local HTTP DCV OK: mail.domain1.com
 Local HTTP DCV OK: cpanel.domain1.com
 Local HTTP DCV OK: webdisk.domain1.com
 Local HTTP DCV OK: webmail.domain1.com
 Local HTTP DCV OK: cpcontacts.domain1.com
 Local HTTP DCV OK: cpcalendars.domain1.com
 02:08:03 No local DNS DCV is necessary.
The tabs config:

Providers:
AutoSSL providers: (x) cPanel (powered by Sectigo)

Options:
(x) Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Manage users:
(x) Reset function list configuration

-------

It seems the certificates are not renewed on the scheduled day of expiration.
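The log above only shows the expired certificate and a string of "Local HTTP DCV OK" lines; the renewal failure itself is not visible. When AutoSSL runs on many domains, the useful signal is per-host: which hosts passed DCV, which failed, and whether the live certificate is already defective. The following script is an added example (not part of this thread or of cPanel) that parses lines shaped like the log quoted above into a small report. The sample log is constructed from the post; the final "DCV error" line is a hypothetical failure shape added for the example and should be adjusted to match the actual failure line seen on a real server.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the AutoSSL log quoted above. The last line is a
# hypothetical DCV failure shape added for the example; it is not verbatim cPanel output.
SAMPLE_LOG = """\
 02:08:03 Analyzing "domain1.com" (website) ...
 02:08:03 ERROR TLS Status: Defective
 ERROR Certificate expiry: 22/6/22 0:00 UTC (1,01 days ago)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
 02:08:03 Performing HTTP DCV (Domain Control Validation) on 3 domains ...
 02:08:03 Local HTTP DCV OK: domain1.com
 Local HTTP DCV OK: www.domain1.com
 ERROR Local HTTP DCV error (cpcalendars.domain1.com): constructed failure text
"""

STATUS_RE = re.compile(r"TLS Status:\s*(\w+)")
EXPIRY_RE = re.compile(r"ERROR Certificate expiry:\s*(.+?)\s*\(")
DEFECT_RE = re.compile(r"ERROR Defect:\s*(.+)")
DCV_OK_RE = re.compile(r"Local HTTP DCV OK:\s*(\S+)")
# Hypothetical failure line shape (see SAMPLE_LOG); adjust to the real log format you see.
DCV_FAIL_RE = re.compile(r"Local HTTP DCV error \((\S+)\):\s*(.*)")


@dataclass
class AutoSSLReport:
    tls_status: Optional[str] = None
    expiry: Optional[str] = None
    defects: List[str] = field(default_factory=list)
    dcv_ok: List[str] = field(default_factory=list)
    dcv_failed: Dict[str, str] = field(default_factory=dict)

    @property
    def needs_attention(self) -> bool:
        # Either the live certificate is defective/expired or at least one host
        # failed DCV; both are reasons a renewal would not be issued cleanly.
        return bool(self.defects or self.dcv_failed)


def parse_autossl_log(text: str) -> AutoSSLReport:
    """Extract TLS status, expiry, defects and per-host DCV results from one AutoSSL run."""
    report = AutoSSLReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATUS_RE.search(line):
            report.tls_status = m.group(1)
        elif m := EXPIRY_RE.search(line):
            report.expiry = m.group(1)
        elif m := DEFECT_RE.search(line):
            report.defects.append(m.group(1))
        elif m := DCV_OK_RE.search(line):
            report.dcv_ok.append(m.group(1))
        elif m := DCV_FAIL_RE.search(line):
            report.dcv_failed[m.group(1)] = m.group(2)
    return report


def summarize(report: AutoSSLReport) -> str:
    """One-line operator summary suitable for a cron mail or monitoring check."""
    parts = [f"status={report.tls_status}", f"expiry={report.expiry}",
             f"dcv_ok={len(report.dcv_ok)}", f"dcv_failed={sorted(report.dcv_failed)}"]
    return ("ATTENTION " if report.needs_attention else "OK ") + " ".join(parts)


if __name__ == "__main__":
    print(summarize(parse_autossl_log(SAMPLE_LOG)))
```

Running it on a saved AutoSSL log (for example, the output of the manual run from WHM) gives a single line per user that an external monitor can alert on, so an expired certificate is noticed before a customer complains rather than a day after expiry.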
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
The original COBRA-13435 case was resolved in all versions of 102, so I wouldn't expect this to be happening on any supported version of cPanel at this point. I also wouldn't expect PHP-FPM to be involved at all in the AutoSSL process.

The only error I'm seeing from your log is that the SSL has expired, but I don't see anywhere showing the actual problem with the renewal not working. Are there any additional logs that show why AutoSSL failed?
 

celiac101

Well-Known Member
Dec 19, 2012
cPanel Access Level
Website Owner
The solution is that you need to add a CAA text record to your DNS zone for that domain. The record should look like this, and it allows the SSL issuer to modify your DNS zone:


Name: domain1.com.
TTL: 14400
Type: CAA
Flags: 0
Tag: issue
Value: sectigo.com
 
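CAA records (RFC 8659) list the CA issuer domains that are permitted to issue certificates for a name, and the "Verifying ... authorization on 8 domains via DNS CAA records" lines in the log above are AutoSSL checking exactly that. Two caveats matter for this thread: the relevant record is the one on the name itself or on its closest ancestor, so one record at domain1.com covers mail.domain1.com and the other subdomains; and a record that only authorizes sectigo.com will block issuance by Let's Encrypt (issuer domain letsencrypt.org) if you later switch providers as described in the first post, so that issuer must then be added too. The following is an added example (not from this thread, cPanel or any DNS library) that implements the RFC 8659 decision against a constructed in-memory zone so the effect of a record can be checked before it is published.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse zone-file style CAA rdata such as '0 issue "sectigo.com"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value; parameters after ';' are dropped.
    A value of just ';' means 'no CA may issue' and yields an empty domain."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """RFC 8659 section 3: the relevant RRset is the CAA RRset of the name itself,
    or of its closest ancestor that has one. `zone` is a constructed lookup table
    keyed by fully qualified name with trailing dot (a stand-in for DNS queries)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []


def caa_allows(records: List[CAARecord], issuer: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by `issuer` (e.g. 'sectigo.com',
    'letsencrypt.org') may issue, per RFC 8659 section 4."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    if wildcard and issuewild:
        governing = issuewild        # issuewild takes precedence for wildcard names
    else:
        governing = issue            # issuewild is ignored for non-wildcard names
    if not governing:
        return True                  # no applicable property: CAA does not restrict
    return any(issuer_domain(r.value) == issuer.lower() for r in governing)


# Constructed zone reproducing the record from the post above (the TTL plays no
# part in the decision and is omitted).
ZONE = {
    "domain1.com.": [parse_caa('0 issue "sectigo.com"')],
}


def check(zone: Dict[str, List[CAARecord]], name: str, issuer: str) -> bool:
    """Full check for one name: find the relevant RRset, then apply the issue rules."""
    return caa_allows(relevant_rrset(zone, name), issuer, wildcard=name.startswith("*."))


if __name__ == "__main__":
    for host in ("domain1.com.", "mail.domain1.com.", "*.domain1.com."):
        for ca in ("sectigo.com", "letsencrypt.org"):
            print(f"{host:20} {ca:16} {'allowed' if check(ZONE, host, ca) else 'blocked'}")
```

With the zone as posted, every host under domain1.com is allowed for sectigo.com and blocked for letsencrypt.org; adding a second `0 issue "letsencrypt.org"` record at domain1.com allows both, and `0 issue ";"` blocks all issuance, which is the quickest way to confirm a record is doing what you intend before a renewal depends on it.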

Mise

Well-Known Member
May 15, 2011
The only error I'm seeing from your log is that the SSL has expired, but I don't see anywhere showing the actual problem with the renewal not working. Are there any additional logs that show why AutoSSL failed?
No errors inside /usr/local/cpanel/logs. It just seems day 22 finished and the certificate was not renewed.

Are there more logs to look at?


I will wait for the next domain to be renewed to see what happens.


The solution is that you need to add a CAA text record to your DNS zone for that domain. The record should look like this, and it allows the SSL issuer to modify your DNS zone:
Thank you. I'll save your message in case this is repeated in the future.