In Progress CPANEL-38875 - /var/cpanel/ssl/domain_tls/%domain% not being created

sparek-3

Well-Known Member
Aug 10, 2002
2,042
230
368
cPanel Access Level
Root Administrator
What would cause /var/cpanel/ssl/domain_tls/%domain% to not be created and populated correctly when installing a certificate for a domain using WHM API1 installssl?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
Hey hey! That's an interesting question, and sounds like it could be related to our recent issues here:

https://support.cpanel.net/hc/en-us/articles/4409996290071

We've seen problems with the permissions, but I'm not aware of the area just not being created at all. Is it possible the domain is experiencing a quota issue?
 

sparek-3

The account is under quota.

I actually use a script to make the installssl API call - and in the script I have it temporarily remove the quota before the call and then set the quota back to its correct value after the call.

I can't find the function that actually creates the /var/cpanel/ssl/domain_tls/%domain% directory and the certificate files to try and trace why it's not creating the directory and files for this particular domain.
 

sparek-3

The support article is a bit unclear - at least to me.

/var/cpanel/ssl/domain_tls should be 711, correct?

The article is meaning that directories under /var/cpanel/ssl/domain_tls should be 755, correct?

At least the way I'm reading it:

This is caused by the permissions of /var/cpanel/ssl/domain_tls/ being set to 644, but they need to be set to 755 to function properly.

To me this is saying the directory /var/cpanel/ssl/domain_tls is being set to 644, but reading through the article on how to find such directories, it's actually referring to the directories under /var/cpanel/ssl/domain_tls which should have a 755 permission.



In my particular case /var/cpanel/ssl/domain_tls/%domain% isn't even being created... so permissions aren't really an issue.

I did find a few directories under /var/cpanel/ssl/domain_tls that were 644 and I have changed them to 755. For gits and shiggles I removed the certificate for %domain% and reinstalled it, but /var/cpanel/ssl/domain_tls/%domain% still wasn't created.
 

cPRex

Right, we've just run into some odd permissions issues with the latest Let's Encrypt SSL problem so I thought it was interesting you also had an issue with those directories at the same time. They should all be 755.

I haven't seen a situation where they just don't get created at all as that is definitely odd.
 

sparek-3

Did you make changes to the sslinstall feature?

I'm also not able to install a certificate from a user's cPanel even if I have sslinstall enabled in the feature set - I get the error You do not have the feature “sslinstall”.

I don't know what all was changed recently, maybe all of those changes need to be pulled back because it looks like some changes were made that weren't thoroughly tested.

Worth mentioning as well, I'm using cPanel 94. I know cPanel sometimes likes to forget that they have a TLS version and just develops for whatever version they are developing at that particular time. So it's possible that changes were made to sslinstall but no thoughts were given to how these changes mesh with cPanel 94.
 

cPRex

I'm not aware of any SSL changes recently. The autofixers published recently would not change the install process.

I did create a v94 test system on CentOS 7 and I'm not experiencing issues with the frontend/paper_lantern/ssl/install.html interface in cPanel when trying to install a certificate. Do you get any additional errors in the main cPanel log when trying this work? (/usr/local/cpanel/logs/error_log)
 

sparek-3

I think this has graduated to a major issue.

Checking domains that have recently had a new certificate issued - there's nothing in /var/cpanel/ssl/domain_tls

This means there's no SNI configuration for them for Dovecot or Exim

I can't help but wonder if this isn't related to the You do not have the feature “sslinstall” error that is being generated when trying to install a certificate from the cPanel user.

Even though I'm installing certificates with WHM API1 - I'm guessing some wires got crossed and sslinstall for WHM API1 got crossed with sslinstall for whatever cPanel restricted level is used.
 

cPRex

I confirmed this behavior from the cPanel and WHM interfaces on both v94 and v98, and created this support article about the issue:

https://support.cpanel.net/hc/en-us/articles/4410111044631

Unfortunately, I do not have a workaround available at this time. Thanks so much for pointing this out, and our developers will be looking at this soon.
 

sparek-3

I think I've figured it out ... don't have a solution... but I think I've figured it out.

For starters and to clear up some confusion. SSL installs work - WHM and cPanel. The reason I was getting sslinstall feature error was because I did not have the Tweak Setting setting for users to install their own certificate.

The issue has to do with the way I am issuing Let's Encrypt certificates.

I'm not using cPanel's AutoSSL for any of this. I wrote my own system to automatically issue Let's Encrypt certificates using acme.sh (GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol) before cPanel released their AutoSSL. I liked my system better, so I kept it.

I don't know if you're familiar with acme.sh or not, but when you run it, it will automatically generate a CSR and request a certificate from Let's Encrypt (or any number of CA's) and the results will be a directory with the files:

ca.cer
fullchain.cer
%domain%.cer
%domain%.conf
%domain%.csr
%domain%.conf
%domain%.key


Then with a WHM API1 call to installssl you can install the certificate with the parameters domain=%domain% crt=%domain%.cer key=%domain%.key cab=ca.cer

(To be clear - you have to get the contents of %domain%.cer, %domain%.key, and ca.cer and urlencode those to be passed to each parameter)

Because the ca.cer is always retrieved correctly when a certificate is issued, you always have the latest and most up to date CA bundle.

The problem is - acme.sh is retrieving a ca.cer with two chains.

One is:
Issuer: ISRG Root X1
Server Name: R3


The other is:
Issuer: DST Root CA X3
Server Name: ISRG Root X1


For whatever reason, if DST Root CA X3 is detected in the cab bundle passed to installssl, then the certificate does not get properly installed - /var/cpanel/ssl/domain_tls/%domain% does not get created and is not properly populated, so that means no Dovecot or Exim for that certificate.

Now... for whatever reason, Apache is allowed to handle this just fine. /var/cpanel/ssl/apache_tls/%domain%/combined will get filled with all of it:

KEY
CERT
ISRG Root X1
DST Root CA X3


If I create a file with just the ISRG Root X1 CA bundle and pass the contents of that file to cab in the installssl API call - everything works as it should. As a short term solution, I can make this work. But I don't like it long term because if the certificates are ever signed with a different CA Bundle - if I don't update the file that's passed to cab, then the certificates I install won't work. This was always the great thing about using the ca.cer that's given from acme.sh.

So this leads to two resolutions, either:

acme.sh is wrong to include the DST Root CA X3 CA Bundle in the ca.cer file that it retrieves.

OR

cPanel is blacklisting the DST Root CA X3 CA Bundle, partially, and not allowing it to be used in the creation of /var/cpanel/ssl/domain_tls/%domain%

I kind of lean towards this being a cPanel issue. Because I would tend to trust what Let's Encrypt is sending is correct, since it's their system. Also the fact that cPanel allows the DST Root CA X3 CA Bundle in /var/cpanel/ssl/apache_tls/%domain%/combined but somehow balks at it being present when creating the directory /var/cpanel/ssl/domain_tls/%domain% and the resulting files. And with the fact that cPanel recently messed around with the Let's Encrypt CA bundles being installed. I think something cPanel did to "fix" this is a bit dodgy.
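
An added example (not from the original post, cPanel or acme.sh) of the workaround described above without a hand-maintained file: keep only the first certificate of acme.sh's ca.cer and URL-encode the values for the installssl parameters domain, crt, key and cab. It assumes the first PEM block in ca.cer is the issuing intermediate; the function names are hypothetical and the sample PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import re
from urllib.parse import urlencode

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return every certificate in a bundle as a normalised PEM block."""
    blocks = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises ValueError if damaged
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks


def trim_bundle(text, keep=1):
    """Keep only the first `keep` certificates (assumed: issuer comes first)."""
    blocks = split_pem_bundle(text)
    if not blocks:
        raise ValueError("no certificate found in CA bundle")
    return "".join(blocks[:keep])


def installssl_query(domain, crt, key, cab):
    """URL-encode the four installssl parameters named in the post."""
    return urlencode({"domain": domain, "crt": crt, "key": key, "cab": cab})


def fake_pem(label):
    """Constructed stand-in for a certificate; NOT valid X.509."""
    b64 = base64.b64encode(label.encode() * 6).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample shaped like the two-certificate ca.cer from the post.
SAMPLE_CA_CER = fake_pem("constructed-R3-intermediate") + fake_pem(
    "constructed-cross-signed-ISRG-Root-X1")

if __name__ == "__main__":
    cab = trim_bundle(SAMPLE_CA_CER)
    print(len(split_pem_bundle(SAMPLE_CA_CER)), "certs in bundle, sending 1")
    print(installssl_query("example.test", fake_pem("constructed-leaf"),
                           "constructed-key-placeholder", cab)[:80], "...")
```
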
 

cPRex

Have you been following along with the thread here?


One of our fixes was specifically to chop the CA bundle to allow the install to happen, although we're currently working on a more permanent solution.
 

sparek-3

I saw that thread. I haven't read all the way through it.

I figured that cPanel was having the same issue that I would have if I implemented my fix. Instead of getting the CA Bundle from Let's Encrypt to install a certificate, cPanel just always assumed it'd be the same old CA Bundle. Then when Let's Encrypt started signing their certificates with a different bundle, cPanel was still installing the old CA Bundle with the certificates.

But for whatever reason... it seems that cPanel's solution was that if it detects the DST Root CA X3 certificate it just poops out part of the way on installing the certificate (head scratcher as to why Apache is fine, but all of the services attached to /var/cpanel/ssl/domain_tls/%domain% are not).

As long as the correct certificate signing cert is the first one in the CA Bundle then the certificate should be fine... I mean... Apache pretty much proves this.

Maybe Let's Encrypt really shouldn't be including DST Root CA X3 in their CA bundle - it's not needed. But they are... for some reason?

Try it and see.

Issue a Let's Encrypt certificate for a domain name, but don't install it just yet.

Note the two CA Bundles being referenced here.

ISRG Root X1


DST Root CA X3


Make sure /var/cpanel/ssl/domain_tls/%domain% doesn't already exist - although I don't think it updates even if it does exist.

When you go to install the certificate - provide the key, certificate, and for the CA Bundle use:

[ISRG Root X1 certificate, followed by the DST Root CA X3 certificate]


The certificate will install fine for Apache. But no /var/cpanel/ssl/domain_tls/%domain% will exist.

Remove the certificate and reinstall using just the ISRG Root X1 CA Bundle... everything will work as it should.
 

sparek-3

I'm not sure what "problem" required a "fix" to installssl such that /var/cpanel/ssl/domain_tls/%domain% would not be populated if DST Root CA X3 was found in the CA bundle.

But that "fix" sure did a bang up job! Hours of headache and customers screaming. So bravo cPanel, Bravo!

I'll deploy my own fix, can't wait around for cPanel to figure out what all they broke and "fix" it again.