In Progress [CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

spmfox117

I've worked around this by using the cPanel provider and re-running autossl. After a few minutes the new certificates are ordered from cPanel and it works.

However I'm not happy about this, I wanted to use LetsEncrypt on purpose. I feel this issue got basically ignored because cPanel has its own provider. Especially just days after the yearly price increase we all have come to expect.
 

Kent Brockman

Also here. CENTOS 7.9 kvm - v98.0.8
I'm recommending that customers move IMAP/POP3/SMTP from SSL to non-secure connections. Ugly solution. But it's a workaround.
 

tui

Any update on this? cPanel just sent us an email for a new price increase for useless updates but a lot of bugs and problems with every update. Now we have an outage from this problem, something that cPanel had to have foreseen. Issues and problems like this are things that cPanel should address in updates, not useless updates. I don't know why I should pay more for something when cPanel is not working and is not in focus. cPanel has been breaking down these last two years, it's a shame.
 

cPRex

Jurassic Moderator
Staff member
At this time, the official workaround is to reinstall the Let's Encrypt certificates without the CA bundle included, and that will force the system to download and install the updated root certificate.

We've also posted an update to our guide here with additional details about how this gets handled in various operating systems: DST Root CA X3 Expiration and Let's Encrypt
 

clook

> At this time, the official workaround is to reinstall the Let's Encrypt certificates without the CA bundle included, and that will force the system to download and install the updated root certificate.
>
> We've also posted an update to our guide here with additional details about how this gets handled in various operating systems: DST Root CA X3 Expiration and Let's Encrypt

Unless I misunderstand what you're saying, this doesn't help here. We have systems where the up-to-date packages are applied (as per your guide), valid AutoSSL certificates are in place as viewed in cPanel etc., but SNI on Dovecot, for instance, doesn't work (users are always served the incorrect cPanel-issued cert matching the server hostname, rather than the Let's Encrypt-issued certificate). This breaks *all* clients, even ones that support the new LE chain, because they're not getting the LE cert at all now.
 

tui

> At this time, the official workaround is to reinstall the Let's Encrypt certificates without the CA bundle included, and that will force the system to download and install the updated root certificate.
>
> We've also posted an update to our guide here with additional details about how this gets handled in various operating systems: DST Root CA X3 Expiration and Let's Encrypt

Workaround is not working... I'm on CentOS 7, I have the latest ca-certificates-2021.2.50-72.el7_9.noarch, and I'm still having the issues.
 

dandadude

Workaround not working for me either.

rpm -q ca-certificates
ca-certificates-2021.2.50-72.el7_9.noarch

yum -y update ca-certificates
No packages marked for update

Should we remove the package and install again?


CLOUDLINUX 7.9
cPanel v98.0.8
 

Hostseo Limited

We also updated ca-certificate to the latest version, ca-certificates-2021.2.50-72.el7_9.noarch. AutoSSL is showing this log for any domain:


Certificate expiry: 12/29/21, 4:26 PM UTC (89.96 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (2:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (3:10:CERT_HAS_EXPIRED).
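
An added example, not part of any post in this thread and not cPanel's code: a small triage of the AutoSSL log lines quoted above, which separates "the leaf certificate expired" from "something else in the chain or the local trust store expired". It assumes the parenthesised triple is depth:error-number:error-name (10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED); the function name and verdict labels are made up for illustration.

```python
import re

# The five lines below are the AutoSSL log lines quoted in the post above.
LOG_FROM_POST = """\
Certificate expiry: 12/29/21, 4:26 PM UTC (89.96 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (2:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (3:10:CERT_HAS_EXPIRED).
"""

EXPIRY_RE = re.compile(r"Certificate expiry: .*\(([\d.]+) days from now\)")
# Assumption: the triple in parentheses is depth:error-number:error-name.
DEFECT_RE = re.compile(r"Defect: OPENSSL_VERIFY: .*\((\d+):(\d+):([A-Z_]+)\)")


def triage_autossl_log(text):
    """Summarise one certificate's AutoSSL log section (hypothetical helper)."""
    days_left = None
    defects = []  # (depth, error number, error name)
    for line in text.splitlines():
        m = EXPIRY_RE.search(line)
        if m:
            days_left = float(m.group(1))
            continue
        m = DEFECT_RE.search(line)
        if m:
            defects.append((int(m.group(1)), int(m.group(2)), m.group(3)))

    expired_depths = sorted(d for d, _, name in defects
                            if name == "CERT_HAS_EXPIRED")
    if not defects:
        verdict = "no-defect"
    elif expired_depths and days_left is not None and days_left > 0:
        # The leaf is inside its validity window, so the expiry being reported
        # comes from the chain as built locally: check the CA bundle installed
        # with the certificate and the system trust store, not the leaf.
        verdict = "chain-or-trust-store"
    elif expired_depths:
        verdict = "leaf-expiry-not-ruled-out"
    else:
        verdict = "other-defect"
    return {"days_left": days_left, "defects": defects,
            "expired_depths": expired_depths, "verdict": verdict}


if __name__ == "__main__":
    print(triage_autossl_log(LOG_FROM_POST))
```
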
 

dandadude

Wonder if "rpm -e --nodeps ca-certificates-2021.2.50-72.el7_9.noarch" and reinstalling would help, but it has so many dependencies that I would rather wait for an official solution :)
 

mtindor

On CloudLinux 6 ELS I was given a link (by CloudLinux) for updated OpenSSL packages. I'm not sure that I'm privy to share the link because I don't know if I'm a "guinea pig"

I can say that after installing the update and restarting all services (those showing need for restarting via /usr/bin/needs-restarting), at least some things work now

1. AutoSSL seems to run and properly process new certs (except that Let's Encrypt throttled my attempt to "Run AutoSSL for all users") so not all were updated.
2. www.customerdomain.com/cpanel and www.customerdomain.com/webmail now work without cert warnings
3. some previously expired website certs are now working

BUT, I have not been able to confirm that Exim/Dovecot are working (when people connect to mail.theirdomain.com over SSL)

Mike
 

mtindor

> On CloudLinux 6 ELS I was given a link (by CloudLinux) for updated OpenSSL packages. I'm not sure that I'm privy to share the link because I don't know if I'm a "guinea pig"
>
> I can say that after installing the update and restarting all services (those showing need for restarting via /usr/bin/needs-restarting), at least some things work now
>
> 1. AutoSSL seems to run and properly process new certs (except that Let's Encrypt throttled my attempt to "Run AutoSSL for all users") so not all were updated.
> 2. www.customerdomain.com/cpanel and www.customerdomain.com/webmail now work without cert warnings
> 3. some previously expired website certs are now working
>
> BUT, I have not been able to confirm that Exim/Dovecot are working (when people connect to mail.theirdomain.com over SSL)
>
> Mike

I can confirm that Dovecot / Exim are not using the certificates, even though they are valid. I'm not sure how to force those services to start using the certs again. Because of that, I can't confirm that EVERYTHING is fixed. Anyone know how to force the email service (Dovecot / Exim) to use the customer-domain certs that are valid?

Mike
 

smurf

Just tried switching to cPanel powered by Sectigo and receive this error when running AutoSSL:

Code:
The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.
I'm guessing everyone else is trying the same switch and cPanel can't handle it?
 

mtindor

Assuming all SSL certs are renewed / valid:

It would be great if somebody at cPanel would tell us how to rebuild all of the SNI information so that Dovecot, Exim, and FTP make use of them.
 

tui

This is what happens when cPanel tries to focus on making money with price increases and ugly themes instead of important things. This thread was created in Jun 2020 and cPanel just let it pass; now that this exploded they are over time trying to fix it or figure out how to work around this... Meanwhile thousands of users and servers are facing this and dealing with this and waiting for a cPanel fix or telling clients that they need to reconfigure their mail clients. Thousands of clients don't even know how to put a mail account on their devices and they depend on support teams or a tech guy... Imagine that suddenly nobody in your company can access their mail account and you have employees in other countries that depend on mail... How can you deal with 100 or 1000 devices to reconfigure them in an insecure way temporarily because cPanel is not working and has been playing with drawings, sand and useless updates for the last 2 years? Now multiply this by all companies affected by this, and in a pandemic with home office... but cPanel is still playing with themes and wants to raise prices for those 2 hours of work on ugly themes and bugs.
 

Rhuan

> This is what happens when cPanel tries to focus on making money with price increases and ugly themes instead of important things. This thread was created in Jun 2020 and cPanel just let it pass; now that this exploded they are over time trying to fix it or figure out how to work around this... Meanwhile thousands of users and servers are facing this and dealing with this and waiting for a cPanel fix or telling clients that they need to reconfigure their mail clients. Thousands of clients don't even know how to put a mail account on their devices and they depend on support teams or a tech guy... Imagine that suddenly nobody in your company can access their mail account and you have employees in other countries that depend on mail... How can you deal with 100 devices to reconfigure them? Now multiply this by all companies affected by this, and in a pandemic with home office... but cPanel wants to raise prices and that is more important for them...

I agree with you, that's total disregard for customers and a lack of planning.