Pending Publication [CPANEL-30418] SSL for DNSOnly Server

ImperialTrader

Well-Known Member
Aug 31, 2014
144
16
18
Egypt
cPanel Access Level
Root Administrator
How can I install SSL for my DNSOnly server?
I heard in another topic that it's not important to install it for DNSOnly. But I don't care about its cost; I just want to be in a safe zone!
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,366
799
263
Houston
Hello,

The hostname SSL should automatically install on DNSOnly provided the hostname resolves. You can check this by going to WHM>>Service Configuration>>Manage Service SSL Certificates (I believe that interface is present on DNSOnly as well; I don't have a server spun up with that on it right now and am going off memory).
 

ImperialTrader

I see many certificates listed on this page (WHM>>Service Configuration>>Manage Service SSL certificates), but all of them aren't working.
Check the attached screenshot.

It's mentioned in the cPanel docs: (cPanel, L.L.C. does not offer free cPanel-signed hostname certificates for cPanel DNSOnly servers.)
Check the attached screenshot

Are you sure that hostname SSL should automatically install on DNSOnly servers?
Which folder in the server is holding the SSL certificates for all the domains? (I need to clear/remove old certificates)
 


cPanelLauren

Actually, that's been updated on v84 by CPANEL-4727 in relation to the Feature Request here: https://jira.cpanel.net/browse/CPANEL-4727

It looks like this is still referenced in all the old documentation but it is not present in the new documentation:

The certificates you're showing me are all Self-Signed - if you run the following what is the output:

/usr/local/cpanel/bin/checkallsslcerts

You can view this in our changelogs here: Change Logs - Change Logs - cPanel Documentation as well:

  • Fixed case CPANEL-4727: Improve support for SSL hostname certificates on DNSONLY.
 

ImperialTrader

Ok fine, I read the new documentation..

This is the output for this command (/usr/local/cpanel/bin/checkallsslcerts) .. check the attached screenshot.

There are many invalid SSL certificates found when I press the (Browse Certificates) button; I need to remove all of them and allow cPanel to generate a new one (self-signed).
How can I remove all these certificates? Or which folder is holding the SSL certificates?
 


cPanelLauren

The errors you received there are a result of port 80 being blocked. I believe we might have talked about this the other day and I told you, you wouldn't need it open, but in this instance (one I didn't think about) if the CNAME (DNS DCV) can't complete then the fallback is the HTTP request, which must be completed over port 80.

Checking the DNS records for your hostname, there is indeed no CNAME record present.

The certs are present at: /var/cpanel/ssl/system/certs

I'd suggest if you do remove them, running the following immediately after:

/scripts/rebuilduserssldb
/scripts/rebuildinstalledssldb
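
Before removing anything from /var/cpanel/ssl/system/certs, it helps to know which files there are self-signed or expired. The script below is an added example, not part of the original thread or cPanel's own tooling; the function names and the script name audit_certs.sh are hypothetical, and it relies only on the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example (not cPanel's tooling): audit a certificate directory before
# deleting anything from it. Needs only the openssl command-line tool.

# Print "<status> TAB <notAfter> TAB <subject> TAB <file>" for one certificate.
# Returns 1 if the file is not a parseable PEM certificate (keys, db files).
classify_cert() {
    local f=$1 subj_hash iss_hash status end subject
    subj_hash=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || return 1
    iss_hash=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || return 1
    # Subject equal to issuer is how a self-signed certificate presents itself.
    if [ "$subj_hash" = "$iss_hash" ]; then
        status=self-signed
    else
        status=ca-issued
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        status="$status,expired"
    fi
    end=$(openssl x509 -in "$f" -noout -enddate)
    subject=$(openssl x509 -in "$f" -noout -subject)
    printf '%s\t%s\t%s\t%s\n' "$status" "${end#notAfter=}" "$subject" "$f"
}

# Classify every regular file in a directory; unparseable files are skipped.
audit_dir() {
    local dir=$1 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        classify_cert "$f" || continue
    done
}

# Run only when a directory is given, e.g. the path quoted in the thread:
#   ./audit_certs.sh /var/cpanel/ssl/system/certs
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

The output is read-only: nothing is deleted, so the listing can be reviewed (and the directory backed up) before any file is removed and the rebuild scripts above are run.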
 

ImperialTrader

After I removed all the certificates in the (certs & keys) folders, I tried to empty the (ssl.db - ssl.db.cache) files too, because the certificates were still appearing in WHM.
Then I used your commands (find the attached screenshot).

But now, I still don't have any SSL certificates.
 


cPanelLauren

Right, you should not have tried to remove that database. It should have rebuilt it based on the output though.

As far as "But now, I still don't have any SSL certificates":
Did you resolve the issue with port 80 or the CNAME record which is the reason why the certificate wasn't issued?
 

ImperialTrader

I have a backup of (ssl.db); I can restore it and run the script commands again if you want.
I didn't do anything yet with port 80 or the CNAME.

Now I found that the SSL certificate has been issued automatically.
But when I tried to install it, it needs to restart the "cpsrvd" service, and unfortunately it always fails to restart it, so I restarted the server (check the attached screenshot).
After restarting the server, I see the certificate is not installed yet.
 


ImperialTrader

@ImperialTrader

Is it attempting to install a self-signed certificate? If all the preflight checks are failing then I don't see how you were able to obtain a valid SSL?

What is output in the cPanel error log in regard to the cPsrvd restart issue?
Yes, it was attempting to install a self-signed certificate.
How can I find the cPanel error log?

I can purchase a Sectigo/Comodo SSL and use it in the DNS server if there is an issue with the self-signed certificate..!
 

cPanelLauren

cPanel error log should be located at /usr/local/cpanel/logs/error_log


"I can purchase a Sectigo/Comodo SSL and use it in the DNS server if there is an issue with the self-signed certificate..!"
You certainly can, if that's what you'd like to do. DCV checks would still need to be done, and cPsrvd would still need to be started, though, so you'd run into the same issue you are experiencing with the Free Signed Sectigo certificate the system is attempting to provision.
 

ImperialTrader

Ok, I understand you.
Kindly find the attached screenshot for the cPanel error when I try to install the certificate.
 
