SOLVED [CPANEL-39321] Service SSL Certificates expire in 11 days, but not auto renewing

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
v100.0.3

verdon

Well-Known Member
Nov 1, 2003
922
14
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
If you could! Update me with the ticket once you do so.
Hi @cPanelAnthony,

I thought I replied, but I don’t see it now. I must have forgotten to post it. In any case, I did open a ticket #94392864 and received a very quick reply from Thomas. He pointed me to an article about the situation, which I had read. I had mistakenly thought this had been resolved in 100.0.5 but apparently not. So, I now have instruction to force it if I don’t want to wait until the 3 day auto renewal. Seeing how that would be Christmas Day, I'll probably force it ahead of time. Thanks again.
 
  • Like
Reactions: cPanelAnthony

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,051
106
118
Houston, TX
cPanel Access Level
Root Administrator
Running on 100.0.5 and ever since, some of my customers domains certfs are not renewing. PLEASE HELP.
Can you open a ticket using the link in my signature so we can investigate the SSL issues? If you cannot, your web hosting provider should be able to open one on your behalf.
 

bethimc

Member
Nov 29, 2016
14
3
53
Saratoga Springs, NY
cPanel Access Level
Root Administrator
What do you exactly mean by version 100? Bug was introduced in version 100, and it was still not fixed in 100.0.5.

What is exact version with a fix and when it will be in release?
Just confirmed as well. 100.5 did not autorenew service certs. Account certs are renewing, but with lots of errors. I am excluding a lot of cpanel-generated subdomains from the renewals.

Manually running /usr/local/cpanel/bin/checkallsslcerts, per the support article posted above, did renew my service certificates.

Off to check my other servers....
 

kingsburyweb

Registered
Aug 13, 2021
3
0
1
Massachusetts
cPanel Access Level
Root Administrator
I'm also running cPanel v100.0.5 and have this issue as well. Last year, I never ran into this problem and everyone's domains certs were automatically renewed. Now I get daily notifications of "Potential reduced AutoSSL coverage" with the following information:

AutoSSL would normally renew this certificate now, but 6 of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Jan 18, 2022 at 12:00:00 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 3 days, 4 hours, 1 minute, and 15 seconds

For domains not pointed to our name-servers, however the root and www records are pointed to the server IP, we noticed these warnings as of recently.. webmail. cpcontacts. cpanel. mail. etc.. might not be pointed to our web server in lets say GoDaddy DNS, but the email does validate that the main domain name and www records are. Something is going on here...? Occasionally we are gettin calls from customers that their website is showing a certificate warning?! Again, this has never happened before so a recently cPanel release must have caused these issues.
 

keithl

Active Member
Jan 14, 2010
25
0
51
cPanel Access Level
DataCenter Provider
Pleased to say the work around - cPanel - worked for me and got my service certificates updated.

Worth noting, as much as it shouldn't matter if the certificate isn't renewed until three days before the expiration, in reality it does. Had a call from a customer this afternoon (which is why I became aware of this) because on his Mac it was giving him an error due to the certificate being close to expiring, and it seems in Apple land that makes it dodgy, so without him expressly choosing the "it's OK, I trust this" style option it wouldn't let him collect his email.

AutoSSL would normally renew this certificate now, but 6 of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Jan 18, 2022 at 12:00:00 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 3 days, 4 hours, 1 minute, and 15 seconds
Noticed the same thing over the last couple of months. The work around is to go into the relevant site's cPanel and open the "SSL/TLS Status" app. Within that you can see the status of autossl for each host name, and select to exclude any from being included in AutoSSL that don't actually exist. If you don't see that app, you need to ensure the "SSL Host Installer" feature is enabled for that account, and no as far as I can find there's no way to bulk make the change or do it from within WHM annoyingly.