In Progress [CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

goodmove

Well-Known Member
May 12, 2003
643
4
168
Ok I guess I shall wait. In the meantime, for thoroughly pissed off customers, I'm UNinstalling their SSL via their cPanel interface and then having AutoSSL reprovision it (which seems to do the trick).
Are you having them reprovisioned with LE or Sectigo in autoSSL?
 

jorbox

Member
Sep 30, 2021
8
0
1
jordan
cPanel Access Level
Root Administrator
I think I will not sleep today,

Thanks cloudlinux even your own servers are expired !


--2021-10-01 01:56:41-- https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
Resolving repo.cloudlinux.com (repo.cloudlinux.com)... 23.111.175.211, 2604:4500:6:203f::5
Connecting to repo.cloudlinux.com (repo.cloudlinux.com)|23.111.175.211|:443... connected.
ERROR: cannot verify repo.cloudlinux.com's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
Issued certificate has expired.
To connect to repo.cloudlinux.com insecurely, use `--no-check-certificate'.
 

SupraMario

Active Member
Mar 28, 2006
36
6
158
My own experience - didnt go sectigo.

However WHM -> Install SSL Certificate and then choosing the account/domain you want to 'reinstall' , make sure you choose a previous letsencrypt thats valid. Select it.
Then delete/emtpy the CA box at the bottom so it will retireve the latest , click 'install' and it will update the SSL for the domain.

Doing this seems to have positive results for my case scenarios. Only users on apple devices (macOS / ios) are having problems it seems but after doing this, they're working and conencting without issues once again.

Some mac mail users did have to 'right click' and 'take account online' again to get it operational.

Obviously this is not a good solution for those of you with thousands of accounts, however I found this helpful to triage my larger clients to get them back online asap.
 

SupraMario

Active Member
Mar 28, 2006
36
6
158
Should be noted - accounts with letsencrypt wildcard cannot be fixed with the above method that cpanel suggests. You will get an error.

The domain “*.XXXX.com.au” is not managed on this server. You must specify an IP address to install SSL for “*.XXXX.com.au” or set up this domain on a new account, or create it as parked domain, a subdomain, or an addon domain of an existing account, and try again.
 

jorbox

Member
Sep 30, 2021
8
0
1
jordan
cPanel Access Level
Root Administrator
Should be noted - accounts with letsencrypt wildcard cannot be fixed with the above method that cpanel suggests. You will get an error.

The domain “*.XXXX.com.au” is not managed on this server. You must specify an IP address to install SSL for “*.XXXX.com.au” or set up this domain on a new account, or create it as parked domain, a subdomain, or an addon domain of an existing account, and try again.
This will happend if your domain is over cloudflare

just select the ip from the menu below
 

tui

Well-Known Member
Jun 15, 2007
145
40
78
Mexico
cPanel Access Level
Root Administrator
Was there something cPanel could have done before to avoid this?
Yes, they had more than a year to check this and make a proper update in time....
So glad to have the new f***ing themes though. Glad that's where our ever-increasing money is going.
Exactly... the increased prices definitely does not reflect the updates and work that cPanel has been made in the past two years, pure joke and makeup, there are so many interesting, useful and needed things on the feature requests FOR YEARS and they remain in discussions and ignored...but themes
 

tui

Well-Known Member
Jun 15, 2007
145
40
78
Mexico
cPanel Access Level
Root Administrator
Update - at this point we've removed the recommendation to switch to Sectigo as that just seems to be causing more issues. I'll keep this thread updated with details as I get them.
Interesting and useful update, now everything is fixed with this update... :rolleyes: it was obvious that switch to another provider was going to cause more issues... :rolleyes::rolleyes::rolleyes: where is the common sense and the "experience" cPanel have?

This update just as the latest two years cPanel relases is a joke... we need a fix and real updates ASAP, this problem is very very annoying and every minute that passes is more desperate...
 

Steve Truman

Registered
Nov 28, 2016
1
0
1
Australia
cPanel Access Level
Root Administrator
Hello - just adding that we are also experiencing the same issue - have searched everywhere and besides switching to the cPanel, Inc. issued Certificate there does not seem to be a resolution to the issue - which is a little unbelievable as the problem is the new Lets Encrypt intermediate certificate is not installed on cPanel replacing the old expired R3 certificate.

Surely with 10's maybe 100's of thousands of cPanel uses affected this issue would be a top priority for resolution? It just does not seem to be that way, which is most disappointing.
 

klypnick

Registered
Jun 28, 2020
2
0
1
Brisbane, Australia
cPanel Access Level
DataCenter Provider
However WHM -> Install SSL Certificate and then choosing the account/domain you want to 'reinstall' , make sure you choose a previous letsencrypt thats valid. Select it.
Then delete/emtpy the CA box at the bottom so it will retireve the latest , click 'install' and it will update the SSL for the domain.
I've just tested this on one of our domains and it worked, many thanks :)
 

inveress

Member
Apr 8, 2014
7
0
51
cPanel Access Level
Root Administrator
Switching AutoSSL selection to cPanel/Sectigo and running a check on all users seems to be fixing it for me. Tried on two WHM servers and I'm no longer getting cert warnings from my email program for the accounts hosted there. But I don't have any wildcard certs or anything else other than 'standard' cPanel cert setups.
 

SupraMario

Active Member
Mar 28, 2006
36
6
158
@Rhuan there are fixes/workarounds available right now ^^ see my posts above, ive gotten all but my wildcard hosts back online now.
 

tui

Well-Known Member
Jun 15, 2007
145
40
78
Mexico
cPanel Access Level
Root Administrator
It is very frustrating and annoying be infront on the computer and hit f5 on this thread every 10 minutes because I cannot receive email updates about this thread because my email DOES NOT WORK and NOT FIND A USEFUL UPDATE AND/OR THE PATCH WITH EVERY SITE REFRESH

It is very frustrating and annoying not to be able to use my phone because I am receiving a certificate identity error alert every 10 seconds as soon as I unlock it because the mail DOES NOT WORK
 

Datacenter1

Member
Feb 11, 2006
9
4
153
Chicago
cPanel Access Level
DataCenter Provider
It is very frustrating and annoying be infront on the computer and hit f5 on this thread every 10 minutes because I cannot receive email updates about this thread because my email DOES NOT WORK and NOT FIND A USEFUL UPDATE AND/OR THE PATCH WITH EVERY SITE REFRESH

It is very frustrating and annoying not to be able to use my phone because I am receiving a certificate identity error alert every 10 seconds as soon as I unlock it because the mail DOES NOT WORK
Using you server's hostname instead of mail.example.com doesn't work for you?
 

tui

Well-Known Member
Jun 15, 2007
145
40
78
Mexico
cPanel Access Level
Root Administrator
Using you server's hostname instead of mail.example.com doesn't work for you?
Nope, i dont want to change my settings to use my hostname because if you change the incoming/outgoing server on email client it download everything again so you will end with thousands of duplicated emails and all emails are treated like new
 

mtindor

Well-Known Member
Sep 14, 2004
1,457
112
193
inside a catfish
cPanel Access Level
Root Administrator
I had logged into one of my customer's systems that has about 10 accounts, each running a Worppress Multisite setup with 25-75 domains on each account. For a particular email domain that was having issues, they were tied to a cert which was covering multiple domains. I didn't want to just UNinstall it and then hope to get AutoSSL to reinstall it without error / throttling.

so, I was playing around inside the actual cPanel interface, navigated to SSL/TLS, found the cert that had that domain on it and clicked on the option to Update Certificate. I clicked on that, then clicked Autofill by Domain, and noted that the new / proper CA bundle was in there already. I clicked on Install Certificate and it re-installed the cert and added all the email domains tied to that cert back into /var/cpanel/ssl/domain_tls and the incoming email SSL connections started working for those domains immediately. So I didn't even have to monkey around in WHM. Nice for this particular instance, where one hosting account has a bunch of certs, each with a bunch of domains on it.

Mike
 

Kyle Stevenson

Registered
Feb 4, 2016
1
0
51
Gold Coast
cPanel Access Level
Root Administrator
+1 to the above work-around steps.

We've trialed this with a couple of accounts and it seems to be working well so far.

Here's a simpler breakdown of the steps you can follow:

1. Log into cPanel
2. Go to "SSL/TLS Status"
3. Click the "View Certificate" link next to any of the domain/host lines in the table
4. Select any domain from the dropdown
5. Erase/wipe the Certificate Authority Bundle (CABUNDLE) text area
6. Click "Install Certificate"
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,249
2,085
363
cPanel Access Level
Root Administrator
Update - the first patch we had in place didn't properly resolve the issue. A second patch has been created and is currently being reviewed by our QA team.

I have already set up a plan for one of the technicians working the overnight shift to post updates to this thread so anyone watching this can be kept informed.

We completely understand this is a frustrating experience for everyone, and I plan to post a full post-mortem tomorrow if one of the overnight techs doesn't do that first.