Confused about installing new certificate for hostname

Discussion in 'Security' started by Tearabite, Apr 12, 2018.

  1. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    76
    Likes Received:
    11
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    I have been using a premium SSL certificate for cpanel/whm at hostname.domain.com:2087

    The premium certificate expired and I would like to start using the free AutoSSL that I use for all my other domains (currently using cPanel as the provider).

    I have read through posts here and some of the documentation but I am confused about the exact steps I need to take to force/install a new AutoSSL cPanel cert.

    Can someone post a link or the steps for what exactly needs to be done in this situation?

    TIA!
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,116
    Likes Received:
    216
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Tearabite


    The free hostname SSL process is a bit different than the standard AutoSSL process but ultimately if your current certificate is expired you can get the hostname certificate by running the following via CLI:

    /usr/local/cpanel/bin/checkallsslcerts --verbose

    Though this process (pending you hadn't made any customizations) should be automatic.

    You can see the new certificate (or manage existing ones) by going to WHM>>Service Configuration>>Manage Service SSL Certificates

    Our documentation on this can be found here:
    Manage Service SSL Certificates - Version 68 Documentation - cPanel Documentation

    Thanks!
     
  3. Tearabite

    Tearabite Well-Known Member

    Thank you!
    When running that command I see an error about pki-validation - the temp file can't be found.
    It looks like I have a DNS issue I need to work out. I will try again after I fix that.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @Tearabite

    Let us know if you need assistance with the error as well!

    Thank you!
     
  5. Tearabite

    Tearabite Well-Known Member

    OK, this is turning a bit into a cluster... My configuration is a bit non-standard because some of this domain (www) is hosted on one server, and the hostname.cpanel/email/whm services are hosted on a different server.

    The problem now is that for hostname.domain.com running
    /usr/local/cpanel/bin/checkallsslcerts --verbose
    is generating the pki-validation/xxxxxxyyyyy.txt file in an unknown location - it seems that it is not being generated in the cPanel account/public_html account that (I thought) it should be.

    If I put a dummy file anywhere in the public_html folder of the cPanel account I thought was tied to hostname.domain.com and browse to http://hostname.domain.com I see no files.

    So now the question is: how do I find out where the pki-validation files are being created for hostname.domain.com and how do I make sure the DNS (or whatever?!) is pointing to that same location?
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @Tearabite


    For the hostname SSL they should be created in /var/www/html/.well-known/pki-validation

    If you go there do you see the hash file?


    Thank you,
     
  7. Tearabite

    Tearabite Well-Known Member

  8. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Can you tell me the exact error you get when you run /usr/local/cpanel/bin/checkallsslcerts --verbose
     
  9. Tearabite

    Tearabite Well-Known Member

    This is the error:
    [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID ra934h) The system queried for a temporary file at “http://hostname.domain.com/.well-known/pki-validation/3E7xyz1.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

    I found the location where the pki-validation files are being created - it's in an account that has nothing to do with the hostname account.
    I also found that when trying to open http://hostname.domainname this "other" account's default page is opening.

    So it looks like a DNS issue with hostname.domainname.com? But I'm not seeing how/where this is happening?
     
  10. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hello,

    They should definitely not be created in any other location besides /var/www/html/.well-known/pki-validation for the hostname.

    Can you run the following:

    grep -r hostname.domain.tld /var/cpanel/users/

    If the hostname is listed anywhere but in the system user this is an issue.

    Can you also ensure that the hostname resolves to that server properly:

    Code:
    dig a hostname.domain.tld
    Do you have any Apache includes on the server? You can see this at WHM>>Service Configuration>>Apache Configuration -> Include Editor
     
  11. Tearabite

    Tearabite Well-Known Member

    I don't see any includes.
    Here is the output from the two commands above (grep was blank/no result):

    root@server [~]# grep -r hostname.domain.net /var/cpanel/users/
    root@server [~]# dig a hostname.domain.net
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> a hostname.domain.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42265
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
    ;; QUESTION SECTION:

    ;hostname.domain.net. IN A
    ;; ANSWER SECTION:
    hostname.domain.net. 3600 IN A xx.yy.zz.75

    ;; AUTHORITY SECTION:

    domain.net. 86400 IN NS dns2.ourNShost.com.
    domain.net. 86400 IN NS dns1.ourNShost.com.

    ;; Query time: 52 msec
    ;; SERVER: xx.yy.206.2#53(xx.yy.206.2)
    ;; WHEN: Thu Apr 12 09:27:27 2018
    ;; MSG SIZE rcvd: 103


    I think I may have found (part of, at least) the issue:
    hostname.domain.net. 3600 IN A xx.yy.zz.75

    xx.yy.zz.75 is statically assigned to this "other" account where the files are being created; that IP should probably be reserved only for hostname.domain.net.
    I will be moving that 'other' account to the shared IP pool - will there be any other steps to make sure that hostname.domain.net is using xx.yy.zz.75 and all the files for it get written into the /var/www/html/.well-known/pki-validation dirs?
     
  12. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    The hostname should use the primary IP of the server; it sounds like it's using an IP that's dedicated to another account. Changing the A record for the hostname or moving the account to the main/shared IP would most likely resolve the issue (based on what I know of the configuration from here).
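
The check this exchange arrives at, as an added example that is not part of the original posts or cPanel's own tooling: it reads captured `dig` output, takes the hostname's A record, and reports whether that address is the server's main IP or is pinned to an account. It assumes each file under `/var/cpanel/users/` carries an `IP=<address>` line; the function names, account names and addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not cPanel code. The "IP=<address>" line in each user file
# is an assumption about /var/cpanel/users/; all sample data is constructed.

# Print the A-record addresses for name $1 found in `dig` output on stdin.
a_records() {
  awk -v n="$1." 'tolower($1) == tolower(n) && $3 == "IN" && $4 == "A" { print $5 }'
}

# Print (comma-separated) the accounts whose user file in dir $2 pins IP $1.
accounts_on_ip() {
  grep -lFx "IP=$1" "$2"/* 2>/dev/null | sed 's|.*/||' | sort | paste -sd, -
}

# Usage on a server: dig a <fqdn> | diagnose <fqdn> <main-ip> /var/cpanel/users
diagnose() {
  local ip owners
  ip=$(a_records "$1" | head -n 1)
  if [ -z "$ip" ]; then echo "NO_A_RECORD"; return 0; fi
  # Hostname on the main IP: the validation request reaches /var/www/html.
  if [ "$ip" = "$2" ]; then echo "OK main-ip $ip"; return 0; fi
  owners=$(accounts_on_ip "$ip" "$3")
  if [ -n "$owners" ]; then
    # Requests to this IP are answered from that account's document root,
    # so the file written under /var/www/html is never served (the 404).
    echo "CONFLICT $ip dedicated-to $owners"
  else
    echo "NOT_MAIN_IP $ip"
  fi
}

# Constructed sample data: documentation addresses, made-up account names.
demo_dir=$(mktemp -d)
printf 'DNS=shop.example\nIP=192.0.2.75\n' > "$demo_dir/otheracct"
printf 'DNS=blog.example\nIP=192.0.2.10\n' > "$demo_dir/sharedacct"
demo_dig=';; QUESTION SECTION:
;hostname.example.net. IN A
;; ANSWER SECTION:
hostname.example.net. 3600 IN A 192.0.2.75'

printf '%s\n' "$demo_dig" | diagnose hostname.example.net 192.0.2.10 "$demo_dir"
```

A `CONFLICT` result corresponds to the situation in this thread: the fix is to repoint the A record at the main IP or move the account off the dedicated address, then rerun `checkallsslcerts`.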
     
  13. Tearabite

    Tearabite Well-Known Member

    Right now the hostname AND this 'other' account are using the same IP. I will be moving "other" to the shared IP address, leaving only hostname.domain.net using that IP.
    Is there a specific setting somewhere to make this the "primary" IP?
     
  14. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member
