In Progress [CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

Mehrdad Tari

Member
Nov 11, 2015
12
2
53
ایران
cPanel Access Level
Root Administrator
we have same issue
all of our hosting site over 2,000 site cert expired (Lets Encrypt)
i removed lets encrypt script and re-installed it and new letsencrypt version is installed.
but we have an error:
MASTER DCV: A rate limit prevents DCV.

This is while the letsencrypt says that it has removed the rate limit.



Please tell me, What to do

thanks
 

HostLABTR

Registered
Dec 29, 2018
2
0
1
Bursa, Turkey
cPanel Access Level
DataCenter Provider
Hello there,

We think this is the right place to report this bug. The Autofixer you have published does not work correctly on servers older than v94. The output is as follows;

Code:
[[email protected] ~]# /scripts/autorepair update_lets_encrypt_cabundles2
Requesting script ... info [autorepair] Successfully verified signature for cpanel (key types: release).
Done
Auto Repair is running......Auto Repair is done.
Since Autofixer does not work correctly, requests are constantly sent to Let's Encrypt APIs and cause us to hang on rate limits. Can you start a case on this?

Thanks.
 

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,287
64
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
While the command is safe to run, we're still looking into *how* those permissions become corrupt in the first place for some users.
I run the command in dozens of servers and only 1/10 had the issue and were fixed. Maybe it happened due to some bug in previous versions.
 

hartdesign

Registered
Mar 27, 2020
2
0
1
Auckland
cPanel Access Level
Root Administrator
our server is 100% up to date, we've run /scripts/autorepair update_lets_encrypt_cabundles2 and we're not seeing any progress. Around 50% of our clients are without ssl certificates :/ this Monday when they all realise their sites are effective offline, this is going to be a nightmare.
 
  • Wow
Reactions: eva2000

vacancy

Well-Known Member
Sep 20, 2012
474
165
93
Turkey
cPanel Access Level
Root Administrator
/scripts/autorepair update_lets_encrypt_cabundles2 command unfortunately did not repair all certificates.

To repair corrupted certificates, it is necessary to whm > install certificate > autofill one by one. I was able to fix the broken certificates this way, but it is very challenging to do this for thousands of domains one by one.

If it is a new certificate, we still cannot receive it, we are constantly seeing the error 429, at least we are waiting for an urgent solution for mass correction of existing certificates. Instead of license price with a raise, produce a quick solution to this issue.
 

HostLABTR

Registered
Dec 29, 2018
2
0
1
Bursa, Turkey
cPanel Access Level
DataCenter Provider
@Elephantino - that's correct - it will update automatically.

@HostLABTR - versions of cPanel older than the LTS version of 94.0.16 are not supported, so I would not expect the autofixer to work in those cases.
However, this is a problem, causing the servers involved to constantly send requests to Let's Encrypt and get stuck at rate limits. Let's Encrypt detects traffic as an attack.

We don't expect you to add a new feature, it's just that it shouldn't be that difficult to make the released fix compatible with previous versions.
 
Last edited:

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,287
64
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
  • Like
Reactions: eva2000

sajithgsm

Active Member
Jun 9, 2020
42
9
83
Sri Lanka
cPanel Access Level
Root Administrator
  • Like
Reactions: eva2000

vacancy

Well-Known Member
Sep 20, 2012
474
165
93
Turkey
cPanel Access Level
Root Administrator
Today Cloudlinux provided a solution for this.

For CloudLinux OS 7 (and CentOS 7):
yum clean all
yum update ca-certificates

Try anyone and confirm its working or not please
This solution is not related to site certificates, it provides a solution to the problem of accessing cloudlinux rpm repositories.
 

DHarry

Member
Nov 9, 2016
14
1
3
Kansas City, Missouri
cPanel Access Level
Root Administrator
I've ran the autofixer and I think I'm confused as to what it's supposed to "fix".

Our issue is that our certificate chain looks like this:
Code:
   i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
We're also getting the verification error, "unable to get local issuer certificate".

Was the autofixer supposed to resolve this issue? Or, is there something else I need to attempt? Or, is this the exact issue still being researched?

Tomorrow is going to be hell for me if I cannot provide any updates.
 

ciao70

Well-Known Member
Nov 3, 2006
102
18
168
Hello,

This morning our site certificate was updated and the cross signature with DST Root is gone. Now all devices older than Android 7.1.1 get error

Did it happen to anyone else too?

I am really confused with all these problems
 

MindServer

Well-Known Member
Mar 18, 2020
230
31
28
Spain
cPanel Access Level
Root Administrator
Hello,

This morning our site certificate was updated and the cross signature with DST Root is gone. Now all devices older than Android 7.1.1 get error

Did it happen to anyone else too?

I am really confused with all these problems
Yes, I have the same problem, old Android versions cannot load the websites with SSL.

Have a nice day.
 

ciao70

Well-Known Member
Nov 3, 2006
102
18
168
Yes, I have the same problem, old Android versions cannot load the websites with SSL.

Have a nice day.
We fixed it by manually re-entering the third DST Root chain and disabled autossl for the time being

I had to download the cross signed ca cert and manually add it to combined cert used by apache
 

[email protected]

Well-Known Member
Aug 3, 2016
63
5
58
Everywhere
cPanel Access Level
Root Administrator
We fixed it by manually re-entering the third DST Root chain and disabled autossl for the time being

I had to download the cross signed ca cert and manually add it to combined cert used by apache
Hello,
As I have the same issue with older devices than Android 7.1.1 get error is possible to describe how we can manage to solve this? As most of us will have the exact same problem.

If we reinstall the certificate after cPanel plugin updated (2 days before - cpanel-letsencrypt-v2-1.02-1.2.1) will correct this problem or we must do something else?

The LetsEncrypt says: Extending Android Device Compatibility for Let's Encrypt Certificates how we can make that happened? cPanel letsencrypt plugin (after the update) it's not possible to insert a certificate that does that?

If we change to Sectigo as autossl provider will fix that kind of problem? The certificate will support android devices older than 7.1.1? Is a workaround or not?

Any suggestion? Thanks in advance!
 
Last edited: