SOLVED [CPANEL-30418] SSL for DNSOnly Server

[ImperialTrader]

How can I install SSL for my DNSOnly server?
I heard in other topic that it's not important to install for the DNSOnly. But I don't care about it's cost and just to be in a safe zone!

 

[cPanelLauren]

Hello,

The hostname SSL should automatically install on DNSOnly pending the hostname resolves. You can check this by going to WHM>>Service Configuration>>Manage Service SSL certificates (I believe that interface is present on DNS only as well, I don't have a server spun up with that on it right now and going off memory)

 

[ImperialTrader]

Hello,
The hostname SSL should automatically install on DNSOnly pending the hostname resolves. You can check this by going to WHM>>Service Configuration>>Manage Service SSL certificates (I believe that interface is present on DNS only as well, I don't have a server spun up with that on it right now and going off memory)

I see many certificates are listed here at this page (WHM>>Service Configuration>>Manage Service SSL certificates) but all of them aren't working
Check the attached screenshot

It's mentioned at the cPanel Docs: (cPanel, L.L.C. does not offer free cPanel-signed hostname certificates for cPanel DNSOnly servers.)

cPanel DNSOnly - Version 84 Documentation - cPanel Documentation

documentation.cpanel.net

Check the attached screenshot

Are you sure that hostname SSL should automatically install on DNSOnly servers?
Which folder in the server is holding the SSL certificates for all the domains? (I need to clear/remove old certificates)

 

[cPanelLauren]

Actually, that's been updated on v84 by CPANEL-4727 in relation to the Feature Request here: https://jira.cpanel.net/browse/CPANEL-4727

It looks like this is still referenced in all the old documentation but it is not present in the new documentation:

cPanel DNSOnly | cPanel & WHM Documentation

The cPanel DNSOnly™ software allows you to run a dedicated physical nameserver.

docs.cpanel.net

Manage Service SSL Certificates | cPanel & WHM Documentation

This interface allows you to manage certificates for your server's services.

docs.cpanel.net

The certificates you're showing me are all Self-Signed - if you run the following what is the output:

/usr/local/cpanel/bin/checkallsslcerts

You can view this in our changelogs here: Change Logs - Change Logs - cPanel Documentation as well:

• Fixed case CPANEL-4727: Improve support for SSL hostname certificates on DNSONLY.

 

[ImperialTrader]

Actually, that's been updated on v84 by CPANEL-4727 in relation to the Feature Request here: https://jira.cpanel.net/browse/CPANEL-4727

It looks like this is still referenced in all the old documentation but it is not present in the new documentation:

cPanel DNSOnly | cPanel & WHM Documentation

The cPanel DNSOnly™ software allows you to run a dedicated physical nameserver.

docs.cpanel.net

Manage Service SSL Certificates | cPanel & WHM Documentation

This interface allows you to manage certificates for your server's services.

docs.cpanel.net

The certificates you're showing me are all Self-Signed - if you run the following what is the output:

/usr/local/cpanel/bin/checkallsslcerts

You can view this in our changelogs here: Change Logs - Change Logs - cPanel Documentation as well:

• Fixed case CPANEL-4727: Improve support for SSL hostname certificates on DNSONLY.

Ok fine, I read the new documentation..

This is the output for this command (/usr/local/cpanel/bin/checkallsslcerts) .. check the attached screenshot.

There are many unvalid ssl certificates are found when I press on (Browse Certificates) button, I need to remove all of them and allow the cPanel to generate a new one (self-signed).
How can I remove all these certificates? Or which folder is holding the SSL certificates?

 

[cPanelLauren]

The errors your received there are a result of port 80 being blocked. I believe we might have talked about this the other day and I told you, you wouldn't need it open, but in this instance (one I didn't think about) if the CNAME (DNS DCV) can't complete then the fallback is the HTTP request which must be completed over port 80.

Checking, the DNS record for your hostname there is indeed no CNAME record present.

The certs are present at: /var/cpanel/ssl/system/certs

I'd suggest if you do remove them, running the following immediately after:

/scripts/rebuilduserssldb
/scripts/rebuildinstalledssldb

 

[ImperialTrader]

The errors your received there are a result of port 80 being blocked. I believe we might have talked about this the other day and I told you, you wouldn't need it open, but in this instance (one I didn't think about) if the CNAME (DNS DCV) can't complete then the fallback is the HTTP request which must be completed over port 80.

Checking, the DNS record for your hostname there is indeed no CNAME record present.

The certs are present at: /var/cpanel/ssl/system/certs

I'd suggest if you do remove them, running the following immediately after:

/scripts/rebuilduserssldb
/scripts/rebuildinstalledssldb

After I removed all the certificates in (certs & keys) folders, I tried to empty (ssl.db - ssl.db.cache) files too because the certificates were still appearing in WHM
Then I used your commands (find the attached screenshot)

But now, I still don't have any SSL certificates

 

[cPanelLauren]

Right, you should not have tried to remove that database. It should have rebuilt it based on the output though.

As far as

But now, I still don't have any SSL certificates

Did you resolve the issue with port 80 or the CNAME record which is the reason why the certificate wasn't issued?

 

[ImperialTrader]

Right, you should not have tried to remove that database. It should have rebuilt it based on the output though.
As far as
Did you resolve the issue with port 80 or the CNAME record which is the reason why the certificate wasn't issued?

I have a backup from (ssl.db), I can restore it and run the script commands again if you want.
I didn't do anything yet with the port 80 or the CNAME.

Now I found that the SSL certificate has been issued automatically.
But when I tried to install it, it needs to restarts "cpsrvd" service, and unfortunately it always failing to restart it so I restarted the server (Check the attached screenshot).
After restarting the server, I see the certificate is not installed yet.

 

[ImperialTrader]

@cPanelLauren I have received also this email when I tried to install the SSL yesterday.

 

[cPanelLauren]

@ImperialTrader


Is it attempting to install a self-signed certificate? If all the preflight checks are failing then I don't see how you were able to obtain a valid SSL?

What is output in the cPanel error log in regard to the cPsrvd restart issue?

 

[ImperialTrader]

@ImperialTrader

Is it attempting to install a self-signed certificate? If all the preflight checks are failing then I don't see how you were able to obtain a valid SSL?

What is output in the cPanel error log in regard to the cPsrvd restart issue?

Yes, it was attempting to install a self-signed certificate.
How can I find the cPanel error log?

I can purchase a sentigo/commodo SSL and use it in the DNS server if there is an issue with the self-signed certificate..!

 

[cPanelLauren]

cPanel error log should be located at /usr/local/cpanel/logs/error_log

I can purchase a sentigo/commodo SSL and use it in the DNS server if there is an issue with the self-signed certificate..!

You certainly can, if that's what you'd like to do. DCV checks would still need to be done as well as cPsrvd would still need to be started though so you'd run into the same issue you are experiencing with the Free Signed Sectigo certificate the system is attempting to provision.

 

[ImperialTrader]

cPanel error log should be located at /usr/local/cpanel/logs/error_log

You certainly can, if that's what you'd like to do. DCV checks would still need to be done as well as cPsrvd would still need to be started though so you'd run into the same issue you are experiencing with the Free Signed Sectigo certificate the system is attempting to provision.

Ok, I understand you.
Kindly find the attached screenshot for the cPanel error when I try to install the certificate

 

[cPanelLauren]

That last line shows cpsrvd running. What is the output of the following:

/scripts/restartsrv_cpsrvd --status

 

[ImperialTrader]

That last line shows cpsrvd running. What is the output of the following:

/scripts/restartsrv_cpsrvd --status

check the screenshot

 

[ImperialTrader]

That last line shows cpsrvd running.

I tried to install the certificate again, here is the error log

 

[cPanelLauren]

Where are you going to install the certificate? Are you attempting to install it for apache?

 

[ImperialTrader]

Where are you going to install the certificate? Are you attempting to install it for apache?

This one

 

[ImperialTrader]

@cPanelLauren any update?