cPanel error being sent regularly: "doesn’t match non-SSL vhost IP"

Operating System & Version
CENTOS 7.7 xen hvm
cPanel & WHM Version
86.0 (build 17)
Jul 31, 2020
13
5
3
Boston
cPanel Access Level
Website Owner
Hi,

Hope everyone is well. We're trying to keep up maintenance on our certs and we're getting this error daily. Not sure why. Hoping you all could lend a hand. Thank you!

/usr/local/cpanel/bin/process_ssl_pending_queue encountered an error: The system retrieved the SSL certificate for "example.com", but failed to install it because of an error: The certificate could not be installed on the domain "example.com". Given “ip” (42.10.10.5 our cpanel ip) doesn’t match non-SSL vhost IP (10.7.7.7).. The system will attempt to fetch the certificate and to install it again. at /usr/local/cpanel/Cpanel/SSL/PendingQueue/Run.pm line 181.
 

andrew.n

Well-Known Member
Jun 9, 2020
519
138
43
EU
cPanel Access Level
Root Administrator
I suspect that 1:1 NAT is enabled on the server and that is causing the issues. If the server is not on a local network using NAT then make sure this is disabled:

You can do so by checking the /var/cpanel/cpnat file. If it exists, it's enabled.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
You shouldn't set up NAT routing on a production server, no, but if it's already configured but the NAT routing isn't being recognized, you can run 1:1 NAT | cPanel & WHM Documentation, though if there is an issue with the configuration this script will not help.
 
cPanel Access Level
Website Owner
Hi @andrew.n @cPanelLauren, I removed the cpnat file and restarted services but we're still getting the error. I finally have full access to the server, so what would be a good next step? Should I try to reinstall certs manually somehow?

I tried looking for the error message but can't seem to locate it in a log file. Thank you!
 
cPanel Access Level
Website Owner
Hi, anyone run into this issue? I haven't been able to locate much on this error and I already turned off NAT on the cPanel server.

"/usr/local/cpanel/bin/process_ssl_pending_queue encountered an error: The system retrieved the SSL certificate for "example.com", but failed to install it because of an error: The certificate could not be installed on the domain "example.com". Given “ip” (42.10.10.5 our cpanel ip) doesn’t match non-SSL vhost IP (10.7.7.7).. The system will attempt to fetch the certificate and to install it again. at /usr/local/cpanel/Cpanel/SSL/PendingQueue/Run.pm line 181."

Thank you.
 

andrew.n

So if you go to List Accounts do you see the IP 10.7.7.7 in line with example.com or 42.10.10.5? Can you try to rebuild http config and see how it goes?

/scripts/rebuildhttpdconf
 
cPanel Access Level
Website Owner
Hi Andrew, I looked for "list accounts" in WHM and cannot find the link. Is this available somewhere in cPanel or WHM? Thank you!
 

andrew.n

Just look at the accounts with their IP address. What IP address do you see for the domain example.com?
 
cPanel Access Level
Website Owner
Ok I see the info on the right hand side in cpanel.

Primary Domain (DV Certificate)
example.com

Shared IP Address: I see the expected public-facing, direct IP address. I don't see the private address.
 
cPanel Access Level
Website Owner
So I kept at it and took the action of manually reinstalling the cert (good until 2021) via cpanel. I get the exact message we're getting via email.
I inherited this domain's setup.

Could the cause of this be because the cert was created with reference to the 10.7.7.7 ip when it was NAT enabled?

Would the resolve be creating a new cert and installing that one?
 
cPanel Access Level
Website Owner
I also got this: You don’t have a dedicated IP address. Browsers that were released before 2013 may not support SNI. Because of this, users may see false security warnings when they visit your SSL-secured websites.
 

andrew.n

No, probably this is not the reason. The best would be to open a ticket at the link provided earlier so cPanel support could have a closer look at this issue with the login information provided.
 

cPanelLauren

Wait, I want to point out that if your server was NAT routed to begin with you should not remove the cpnat file. I was indicating that you should not create a NEW NAT configuration on a server that was not previously NAT routed.

What the issue is most likely here is a NAT misconfiguration but removing the cpnat file is not the solution. What is the output of the following: /scripts/build_cpnat
 
cPanel Access Level
Website Owner
Hi, so I ran the script and it just rebuilt the file the way it was before.


Code:
info [build_cpnat] 10.7.7.7 =>  42.10.10.5
info [build_cpnat] Updating /etc/wwwacct.conf primary IP (ADDR) from 42.10.10.5  to 10.7.7.7 . Local IPs, not public should be stored in most configuration files.
# cat cpnat
42.10.10.5  10.7.7.7
 

andrew.n

I was advising this because in multiple cases cPanel thought it's on NAT and wrongly configured itself, which led to issues later on.
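
A small triage helper for the error discussed in this thread, added here as an example (it is not cPanel's code and not from any poster): it pulls the two addresses out of the process_ssl_pending_queue message and reports whether they are the two sides of one line in a cpnat-style mapping file. The function names, the result labels, and the reading of the file as whitespace-separated address pairs (taken from the `cat cpnat` output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the IP mismatch reported by process_ssl_pending_queue.
# Results (labels are hypothetical, chosen for this example):
#   nat-pair    both addresses appear together on one line of the mapping file
#   unrelated   a mapping file exists but does not pair these two addresses
#   no-nat-map  the mapping file is missing or empty
#   unparsed    fewer than two IPv4 addresses were found in the message

classify_mismatch() {
    err_text=$1   # full text of the notification
    map_file=$2   # cpnat-style file: two addresses per line (assumed format)

    # The first two IPv4 addresses in the message are the "given" IP and
    # the non-SSL vhost IP, in that order.
    ips=$(printf '%s\n' "$err_text" |
        grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 2)
    given=$(printf '%s\n' "$ips" | sed -n 1p)
    vhost=$(printf '%s\n' "$ips" | sed -n 2p)

    if [ -z "$given" ] || [ -z "$vhost" ]; then
        echo unparsed; return 0
    fi
    if [ ! -s "$map_file" ]; then
        echo no-nat-map; return 0
    fi
    # Accept either column order: the build_cpnat log and the file listing
    # in the thread show the pair in opposite orientations.
    if awk -v a="$given" -v b="$vhost" \
        '($1 == a && $2 == b) || ($1 == b && $2 == a) { found = 1 }
         END { exit !found }' "$map_file"; then
        echo nat-pair
    else
        echo unrelated
    fi
}

# Constructed demo using the values quoted in the thread.
demo() {
    tmp=$(mktemp)
    printf '42.10.10.5  10.7.7.7\n' > "$tmp"
    classify_mismatch 'Given “ip” (42.10.10.5 our cpanel ip) doesn’t match non-SSL vhost IP (10.7.7.7)..' "$tmp"
    rm -f "$tmp"
}
demo
```

On a server, pass the notification text as the first argument and /var/cpanel/cpnat as the second; `nat-pair` means the mismatch is between the public and local side of the same 1:1 mapping rather than between unrelated addresses.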