CPanel error being sent regularly " doesn’t match non-SSL vhost IP"

[ChampionHandle]

Hi,

Hope everyone is well. We're trying to keep up maintenance on our certs and we're getting this error daily. Not sure why. Hoping you all could lend a hand. Thank you!

/usr/local/cpanel/bin/process_ssl_pending_queue encountered an error: The system retrieved the <abbr title="Secure Sockets Layer">SSL</abbr> certificate for "example.com", but failed to install it because of an error: The certificate could not be installed on the domain "example.com". Given “ip” (42.10.10.5 our cpanel ip) doesn’t match non-SSL vhost IP (10.7.7.7).. The system will attempt to fetch the certificate and to install it again. at /usr/local/cpanel/Cpanel/SSL/PendingQueue/Run.pm line 181.

 

[andrew.n]

Are you using 1:1 NAT | cPanel & WHM Documentation here?

 

[hmaddy]

Check the dns & its correctly propagating to this ip or not.

 

[ChampionHandle]

anoopk350 andrew.n Thanks for the responses ! I'll check them out. Andrew, the document you sent says clearly "Do not run on production environments" What will this do as this is a production environment?

 

[andrew.n]

I suspect that 1:1 NAT is enabled on the server and that is causing the issues. If the server is not on a local network using NAT then make sure this is disabled:

you can do so by checking /var/cpanel/cpnat file. If it exist its enabled.

 

[cPanelLauren]

You shouldn't set up NAT routing on a production server, no but if it's already configured but the NAT routing isn't being recognized you can run 1:1 NAT | cPanel & WHM Documentation though if there is an issue with the configuration this script will not help.

 

[ChampionHandle]

Awesome andrew.n cPanelLauren that makes sense now I'll let you know how it goes. Thank you!

 

[ChampionHandle]

Hi @andrew.n @cPanelLauren , I removed the cpnat file and restarted services but we're still getting the error. I finally have full access to the server so what would be a good next step? Should I try to reinstall certs manually somehow?

I tried looking for the error message but can't seem to locate it in a log file. Thank you!

 

[ChampionHandle]

Hi, any one run into this issue? I haven't been able to locate much on this error and I already turned off NAT on the cpanel server.

" /usr/local/cpanel/bin/process_ssl_pending_queue encountered an error: The system retrieved the <abbr title="Secure Sockets Layer">SSL</abbr> certificate for "example.com", but failed to install it because of an error: The certificate could not be installed on the domain "example.com". Given “ip” (42.10.10.5 our cpanel ip) doesn’t match non-SSL vhost IP (10.7.7.7).. The system will attempt to fetch the certificate and to install it again. at /usr/local/cpanel/Cpanel/SSL/PendingQueue/Run.pm line 181. "

Thank you.

 

[andrew.n]

So if you go to List Accounts do you see the IP 10.7.7.7 in line with example.com or 42.10.10.5? Can you try to rebuild http config and see how it goes?

/scripts/rebuildhttpdconf

 

[ChampionHandle]

So if you go to List Accounts do you see the IP 10.7.7.7 in line with example.com or 42.10.10.5? Can you try to rebuild http config and see how it goes?

/scripts/rebuildhttpdconf

Hi Andrew, I looked for "list accounts" in WHM and can not find the link . Is this available somewhere in cpanel or WHM? Thank you!

 

[andrew.n]

Just look at the accounts with their IP address. What IP address do you see for the domain example.com?

 

[ChampionHandle]

Just look at the accounts with their IP address. What IP address do you see for the domain example.com?

Ok I see the info on the right hand side in cpanel.

Primary Domain (DV Certificate)
example.com

Shared IP Address: I see the expected public facing , direct IP address. I don't see the private address .

 

[andrew.n]

I see. I'm out of options here. Best would be to Submit a Ticket directly at cPanel so they can have a closer look.

 

[ChampionHandle]

So I kept at it and took the action of manually reinstalling the cert (good until 2021) via cpanel. I get the exact message we're getting via email.
I inherited this domains setup.

Could the cause of this be because the cert was created with reference to the 10.7.7.7 ip when it was NAT enabled?

Would the resolve be creating a new cert and installing that one?

 

[ChampionHandle]

I also got this: You don’t have a dedicated IP address. Browsers that were released before 2013 may not support SNI. Because of this, users may see false security warnings when they visit your SSL-secured websites.

 

[andrew.n]

No, probably this is not the reason. The best would be open a ticket at the link provided earlier so cPanel support could have a closer look at this issue with the login information provided.

 

[cPanelLauren]

Wait, I want to point out that if your server was NAT routed to begin with you should not remove the cpnat file. I was indicating that you should not create a NEW NAT configuration on a server that was not previously NAT routed.

What the issue is most likely here is a NAT misconfiguration but removing the cpnat file is not the solution. What is the output of the following: /scripts/build_cpnat

 

[ChampionHandle]

Wait, I want to point out that if your server was NAT routed to begin with you should not remove the cpnat file. I was indicating that you should not create a NEW NAT configuration on a server that was not previously NAT routed.

What the issue is most likely here is a NAT misconfiguration but removing the cpnat file is not the solution. What is the output of the following: /scripts/build_cpnat

Hi, So I ran the script and it just rebuilt the file the way it was before.

info [build_cpnat] 10.7.7.7 =>  42.10.10.5

info [build_cpnat] Updating /etc/wwwacct.conf primary IP (ADDR) from 42.10.10.5  to 10.7.7.7 . Local IPs, not public should be stored in most configuration files.

# cat cpnat

42.10.10.5  10.7.7.7

 

[andrew.n]

I was advising this because in multiple cases cPanel though it's on NAT and wrongly configured itself which led to issues later on.