Cpanel Server SSL Reporting as Invalid for all email clients overnight

[SupraMario]

Hi,

Similar behaviour happened with the letsencrypt issues on 1st October, and now overnight, I've woken up Sat 30 Oct (UTC+1000) and email clients / customers are reporting the exact same behaviour as what happened on the 1st of October with the SSL's reporting invalid as the cpanel host ssl is being reported on the email server connections.

SSL Cert for the cpanel server -
Expires: Sunday, 19 December 2021 at 9:59:59 am Australian Eastern Standard Time

As of writing this, I hit the 'upgrade to 10.0.0' that came out with a bit of a hailmary that it will repair this.

 

[SupraMario]

Can confirm upgrade didn't resolve anything, again its identical behaviour to the letsencrypt root certificate issue from 1st October.

Reviewing previous thread, found the command that was provided last time - executed it again
-
/scripts/autorepair update_lets_encrypt_cabundles
-

This picked up a small handful of domains -again- (not sure why these werent done last time) and updated, however domains experiencing this issue said 'the system made no changes'

-
Checking 'xxxx.com.au' vhost... Updating cabundle for 'xxxx.com.au'....This certificate was already installed on this host. The system updated the Certificate Authority bundle for the current SSL installation..
-

 

[SupraMario]

So it definitely seems a leftover item from the root certificate issue, upon execution of the above command and getting that response/result seems to have rectified the domains in question.

What I dont understand is why did this take 30 days to reappear ?
Why weren't those domains fixed up as per reports from cpanel that standard update routines would resolve/fix up any CA issues.?

I assume the original manual execution of that command I performed back then failed for some due to volume queries/requests to letsencrypt - grabbing at straws here but not sure why say 2/3 of the domains were updated but not the full list.

 

[cPanelAnthony]

Hello! Would it be possible for you to open a ticket using the link in my signature? It would be easiest if we could review the AutoSSL logs and investigate why some domains weren't getting covered. Let me know the incident ID if you do open one Thanks!