SOLVED cPanel certificates self-signed?

ItsMattSon

Well-Known Member
Sep 5, 2016
182
38
103
Perth
cPanel Access Level
Root Administrator
Hi cPanel/all,

Are cPanel certificates self-signed?

My cPanel license is valid, my hostname is an FQDN (though I can't get to my server by hostname for some reason...), all looks okay? Secureserver.net is GoDaddy's of course.

Can anyone tell me why I see this? The cPanel Documentation implies that the cPanel cert is not self-signed?


IMAGE:
selfsigned.png

I did search for related threads and some came close but they didn't mention their certs were self-signed by cPanel.
 

ItsMattSon

Hi SysSachin,

I have an EV SSL for the domain that I want to host on my VPS, but not sure that will help me here.

The way I understood it from the documentation was that as long as you have a valid FQDN and valid cPanel license, my VPS Services should get issued cPanel-signed SSL certificates? They don't appear to be signed correctly, or maybe they're not the cPanel issued certs?

Manage Service SSL Certificates - Documentation - cPanel Documentation
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
> The way I understood it from the documentation was that as long as you have a valid FQDN and valid cPanel license, my VPS Services should get issued cPanel-signed SSL certificates? They don't appear to be signed correctly, or maybe they're not the cPanel issued certs?

Hello,

I recommend consulting with your hosting provider to determine if cPanel-signed hostname certificates are enabled for their VPS accounts. If so, it's possible this relates to the automatically generated hostname. Are you able to configure your hostname with a domain name that you control, as opposed to the one utilized by your hosting provider? For example, if you own domain.com, try setting the hostname to "server1.domain.com" and then running "/usr/local/cpanel/bin/checkallsslcerts" to see if the signed certificates are then generated.

Thank you.
 

ItsMattSon

Thanks Michael - I'll check with my VPS host to determine if cPanel-signed hostname certificates are enabled for their VPS accounts :)

Tried what you said but I obviously have a misconfiguration somewhere. Not sure where though.. Would this error below be at the Namecheap Registrar-end or the VPS WHM-end?

srvresolve.png
 

ItsMattSon

Hi Michael,

Disregard the query above - It was a misconfiguration at the NameCheap end.

Additionally, here's the resolution. It told me exactly what you said so you were right again haha.

denied.png
 

ItsMattSon

I spoke with one of the staff in the GoDaddy server chat and they said that free cPanel hostname certs are allowed, so the error in my previous post confounds me.

Is there any more info from a cPanel point of view how to troubleshoot this further?

GoDaddy additionally advised that the free cPanel services certs are "self-signed", but I thought they weren't supposed to be? Could this be confirmed? Thanks
 

NixTree

Well-Known Member
Aug 19, 2010
413
5
143
Gods Own Country
cPanel Access Level
Root Administrator

ItsMattSon

Hi NixTree,

I read your document. Thanks

Any chance you'd know though why my services are getting self-signed certificates instead of the free cPanel ones I think I should be getting?
 

NixTree

What is the cPanel version you are having at the moment? If it is not the latest, then upgrade to the latest. Then you can try to reset the cert and then see if that is showing the proper certificate.
 

ItsMattSon

Hi NixTree,

I'm afraid that my WHM/cPanel version is WHM 58.0 (build 28) which I believe is current, so I'm not sure that's why.

I've got a fully qualified domain name as my hostname (srv.domain.com), but as per my first post in this thread it seems I'm not getting a proper signed certificate, it's a self-signed one and no matter how many times I click 'reset' it doesn't change that.

The error I get when I run /usr/local/cpanel/bin/checkallsslcerts is that "The cPanel Store returned an error (X::PermissionDenied) in response to the request POST ssl/certificate/whm-license: free hostname certs are not allowed by this partner".

According to GoDaddy, they are allowed, so would this be a PHP function that's disabled or maybe firewall or something else? I'm at a loss here, as I'm not sure where to look - whether it's even my VPS or the host node's issue too.

Any guidance would be appreciated.
 

cPanelMichael

> The error I get when I run /usr/local/cpanel/bin/checkallsslcerts is that "The cPanel Store returned an error (X::PermissionDenied) in response to the request POST ssl/certificate/whm-license: free hostname certs are not allowed by this partner".
>
> According to GoDaddy, they are allowed, so would this be a PHP function that's disabled or maybe firewall or something else? I'm at a loss here, as I'm not sure where to look - whether it's even my VPS or the host node's issue too.

Hello,

You will not receive the cPanel-signed certificates when encountering that message. Please reach out to your provider again and paste the following message:

"The cPanel Store returned an error (X::PermissionDenied) in response to the request POST ssl/certificate/whm-license: free hostname certs are not allowed by this partner".
Let them know this indicates that hostname certificates are disabled by the license provider.

Thank you.
 

ItsMattSon

> Let them know this indicates that hostname certificates are disabled by the license provider.
>
> Thank you.

Hi Michael,

Spent 40 minutes on the phone with GoDaddy server folks and they advised that the certificates "should" be allowed so they're not sure why I'd be seeing that.

They actually told me to come back to cPanel and ask the question of how they can confirm hostname certificates and free cPanel certificates *are* allowed and whether there is a setting to disable them that they could look into.

Do you think you could help me with that?
 

cPanelMichael

> They actually told me to come back to cPanel and ask the question of how they can confirm hostname certificates and free cPanel certificates *are* allowed and whether there is a setting to disable them that they could look into.
>
> Do you think you could help me with that?

Hello,

This setting is configured in cPanel's Manage2 interface with the "Update Company Information" option:

"Manage 2 Dashboard >> Company >> Update Company Information"

Thank you.
 

ItsMattSon

Thanks Michael!

Using your post above I found the exact steps I'll need to give them on this Manage2 KB: How to Disable the cPanel Store as an SSL Certificate Provider in WHM

I'm not sure if they'll be able to help me but at least I'll be able to confirm whether it has been blocked or not. I'll call them today and ask if they can investigate for me, then I'll update this thread with the outcome :)
 

ItsMattSon

Hi cPanelMichael,

I called GoDaddy and after a short 20 minute call the support staff advised that he checked with all the departments he could that they do not allow free cPanel hostname certificates. They didn't confirm that the "Block servers with your company ID from getting free hostname certificates from the cPanel Store" checkbox in Manage2 was actually 'checked' because I'm not sure anyone in any of those departments knew how to get into it but I guess that answer will have to suffice.

If anyone else reads this thread after trying to get free cPanel certs for services and are hosted with GoDaddy - Good luck. Looks like I'll have to buy my own certificate and sort that myself.
 

cPanelMichael

Hello @ItsMattSon,

Thank you for updating us with the outcome. One alternative to consider is to create a subdomain under an existing account (e.g. cpanel.yourdomain.com) and then utilize the AutoSSL feature to generate a free cPanel-signed certificate for that subdomain. Once it's generated and issued, you could then install it for your services via "WHM Home >> Service Configuration >> Manage Service SSL Certificates". Keep in mind you may need to create an empty "/var/cpanel/ssl/disable_auto_hostname_certificate" file to avoid the automatic replacement of the certificate during updates:

Code:
touch /var/cpanel/ssl/disable_auto_hostname_certificate

Thank you.
 

cPanelMichael

Hello,

Do you have any firewall rules blocking access to store.cpanel.net over port 443 on this system?

Thank you.
 

ItsMattSon

> Hello,
>
> Do you have any firewall rules blocking access to store.cpanel.net over port 443 on this system?
>
> Thank you.

Hi @cPanelMichael,

Looks like you were right. It works now!

ConfigServer Firewall had 443 in TCP inbound but not TCP outbound. Suspect it needs 443 TCP outbound open?

If that's the case, would you expect the How to Configure Your Firewall for cPanel Services needs to be updated with a tick in the TCP outbound space for 443? (as I followed this in the first place to ensure 443 was only in TCP inbound).
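
The misconfiguration that closed out the thread (port 443 present in ConfigServer Firewall's TCP inbound list but absent from its TCP outbound list) can be checked mechanically. The script below is an added example, not part of any post above and not cPanel or ConfigServer code; it assumes the csf.conf-style `TCP_IN = "..."` / `TCP_OUT = "..."` syntax with `lo:hi` port ranges, and its function names and sample port lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ports that a CSF-style config allows inbound but not outbound.
# Function names and the sample config are constructed for illustration.

# Print the quoted value of KEY from a csf.conf-style file (KEY = "a,b,c").
csf_value() {   # $1 = config file, $2 = key, e.g. TCP_OUT
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

# Return 0 if the port is covered by a comma-separated list with lo:hi ranges.
port_in_list() {   # $1 = port list, $2 = port number
    list=$(printf '%s' "$1" | tr -d ' ')
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) if [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            *)   if [ "$entry" = "$2" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Classify a port as ok, inbound-only, outbound-only or closed.
audit_port() {   # $1 = config file, $2 = port number
    state=closed
    if port_in_list "$(csf_value "$1" TCP_IN)" "$2"; then state=inbound-only; fi
    if port_in_list "$(csf_value "$1" TCP_OUT)" "$2"; then
        if [ "$state" = inbound-only ]; then state=ok; else state=outbound-only; fi
    fi
    echo "$state"
}

# Constructed sample matching the thread: 443 is in TCP_IN but missing from TCP_OUT.
sample_conf() {
    cat <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,30000:35000"
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
for p in 80 443 32000; do
    echo "tcp/$p: $(audit_port "$conf" "$p")"
done
rm -f "$conf"
```

On a server running CSF, pass the live configuration file (typically /etc/csf/csf.conf) to `audit_port` instead of the sample; an `inbound-only` result for 443 matches the state that stopped the server from reaching store.cpanel.net.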