SOLVED Defect: OPENSSL_VERIFY

Discussion in 'Security' started by Steven Lukas, Oct 10, 2018.

  1. Steven Lukas

    Steven Lukas Member

    Joined:
    Oct 10, 2018
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Hi.

    We've got several VPS servers, all with their own cPanel licenses. We rely on Let's Encrypt AutoSSL to provide certificates for all our domains.
    On certain servers we've had other certificates, but the server in question does not, it has always run on the same system.

    Since today there is a problem renewing a certificate for one of our domains (and we are kinda scared it will happen to other domains too when they expire). I've tried googling the responses and messages, found a few threads on these forums, but to no avail. So I'm asking my question here, I hope it's the right place (if not, kindly forward me).

    When I manually check the domain in autossl, the response in the log is:

    Code:
     11:20:35 AM AutoSSL’s configured provider is “Let’s Encrypt™”.
     Checking websites for “example” …
     11:20:36 AM Analyzing “example.nl” …
     ERROR TLS Status: Defective
     ERROR Certificate expiry: 10/9/18, 1:54 AM UTC (1.31 days ago)
     ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
    Things I've checked / tried:
    - The "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." option (even though it shouldn't matter in this scenario, since we never had any other certificates)
    - Checked for valid ipv4 / ipv6 addresses (again, this hasn't changed and it renewed in the past without problem)
    - Checked Google Safe Browsing (I heard the renewal can be blocked, if listed here, this is not the case)
    - Checked for permissions on the .well-known folder, all is owned by the domain-user called "z2"
    - "/usr/local/cpanel/bin/autossl_check_cpstore_queue --force" gives no response at all

    I'm at a loss. It seems to me the fault isn't with the server configuration, but rather that our server is blocked for some reason. Is there a way to check that? We have several servers and I'd prefer to be able to see such things myself in the future.

    Any suggestions what to do next?
    Many thanks in advance!
     
    #1 Steven Lukas, Oct 10, 2018
    Last edited by a moderator: Oct 10, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,472
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Steven Lukas


    Is that all that's added to the logs? This is referencing the expired/expiring certificate rather than the current DCV check. Since you're using Let's Encrypt, checking the cpstore queue will be fruitless as we don't maintain any control over those certificates. Is the certificate that is currently installed (expired) a Let's Encrypt certificate or was it issued by another provider?

    Thanks!
     
  3. Steven Lukas

    Steven Lukas Member

    Yes, I already explained, this was always managed by Let's Encrypt, never had any other certificates (I started my thread with that), so it now suddenly failing is a strange problem. We set this server up about 2 years ago and it has been running on Let's Encrypt without problem.

    I did forget the final rows, just posted the relevant bit, the last bit says it completed (is there a place I can find more logs?)
    Under the performing dcv there is a warning about an unrelated extra domain.
    Code:
     10:47:03 AM Performing DCV (Domain Control Validation) …
     10:47:03 AM The system has completed the AutoSSL check for “example”.
    
    Attached screenshot of the current (expired) certificate
     


  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @Steven Lukas


    That log output does not indicate the DCV check failed; in fact, it looks like it was successful. Why you don't have a certificate issued is up to Let's Encrypt though we have no control over their issuance of certificates. If you have no objections, I'd like to see if you can switch the provider to Comodo and run the check to see if the certificate is issued or present in the pending queue.

    Thanks!
     
  5. Steven Lukas

    Steven Lukas Member

    I tried switching to Comodo, and rechecked the domain, this is the log:

    Code:
     3:27:07 PM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
     This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
     Checking websites for “example” …
      3:27:07 PM Analyzing “example.nl” …
     ERROR TLS Status: Defective
     ERROR Certificate expiry: 10/9/18, 1:54 AM UTC (2.48 days ago)
     ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
     3:27:07 PM Performing DCV (Domain Control Validation) …
     Local HTTP DCV OK: example.nl
     3:27:07 PM The system has completed the AutoSSL check for “example”.
    

    I omitted a few warnings for unrelated subdomains, but one caught my eye that might be causing these problems

    Code:
     WARN Failed to modify vps1.exampleserver.nl at /usr/local/cpanel/Cpanel/SSL/DCV/DNS.pm line 250.
     11:56:00 AM WARN Not a HASH reference at /usr/local/cpanel/Cpanel/SSL/DCV/DNS.pm line 291.
    For some reason it wants to do the DCV for the server's main uqdn (vps1.exampleserver.nl), but this domain should not have anything to do with it. Any idea if that could be causing problems? And if so, where I should look to correct this?
    I can find the domain when I get on cPanel under Aliases, but I can't remove it there, it gives me an error about having insufficient rights, that's because it belongs to whm and root. I got no idea how it got there under this account.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Code:
     3:27:07 PM Performing DCV (Domain Control Validation) …
     Local HTTP DCV OK: example.nl
     3:27:07 PM The system has completed the AutoSSL check for “example”.
    This portion seems to imply that the DCV check completed successfully - do you have a certificate in the pending queue in Manage AutoSSL?

    That could most certainly cause an issue and I'm actually wondering if the check isn't silently dying after this? Check for the domain at:

    Code:
    cd /var/cpanel/userdata/$user/ 
    then

    Code:
    ls -lah
    Check the specific domain files and the file named main

    and maybe (though not likely) at
    Code:
    /var/cpanel/users/$user
     
  7. Steven Lukas

    Steven Lukas Member

    Hi, I wanted to let you know that I managed to get this fixed with your suggestions.
    I did a grep on the hostname (vps1.examplehost.nl) inside the /var/cpanel/users/exampleuser to see where it pops up.

    It was under parked_domains in main, under serveralias in exampledomain.nl_SSL and exampledomain.nl, it was also in the cache variations, but those disappeared after running updateuserdomains / updateuserdatacache.

    And now, finally, AutoSSL runs without fail, I'm really grateful!

    I just wanted to know, if you have any idea, how the hell did the hostname become a serveralias/parked domain for a random account domain? I found it listed under parked domains before in whm, but trying to remove it there gave permission errors.
    Like I said before, this server was running for over 2 years (and hasn't been touched since) and has been renewing its certificates without problem before. So this must have happened without our involvement. Any idea if there's anything else I should be looking at?

    In any case, I'm really happy AutoSSL functions again.
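
The check that resolved this thread, as an added shell example (not part of the original posts and not cPanel's own tooling): it scans a userdata tree for files that list the server hostname as a whole token and reports the key it sits under, skipping the regenerated cache files. The function names, the sample tree and its simplified YAML layout are constructed assumptions; on a real server the root would be /var/cpanel/userdata.

```shell
#!/bin/sh
# Report userdata entries that claim the server's own hostname.
# Output: one "user<TAB>file<TAB>key" line per file/key listing HOST as a whole token.
find_hostname_refs() {
    root=$1; host=$2
    for f in "$root"/*/*; do
        [ -f "$f" ] || continue
        case $f in *.cache|*.json) continue ;; esac   # caches are regenerated; skip them
        awk -v host="$host" -v file="$f" '
            BEGIN { n = split(file, p, "/"); host = tolower(host) }
            /^[A-Za-z_]+:/ { key = $1; sub(/:$/, "", key) }   # remember current top-level key
            {
                for (i = 1; i <= NF; i++)
                    if (tolower($i) == host) {                # exact token, not substring
                        print p[n-1] "\t" p[n] "\t" key
                        next                                  # stop scanning this line
                    }
            }' "$f"
    done
}

# Constructed sample tree (not real cPanel data), modelled on the thread's findings.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/exampleuser" "$d/otheruser"
    printf '%s\n' '---' 'main_domain: exampledomain.nl' 'parked_domains:' \
        '  - vps1.exampleserver.nl' 'sub_domains: []' > "$d/exampleuser/main"
    printf '%s\n' '---' 'serveralias: www.exampledomain.nl vps1.exampleserver.nl' \
        'servername: exampledomain.nl' > "$d/exampleuser/exampledomain.nl"
    cp "$d/exampleuser/exampledomain.nl" "$d/exampleuser/exampledomain.nl_SSL"
    cp "$d/exampleuser/main" "$d/exampleuser/main.cache"
    # Look-alike name that a plain substring grep would also flag.
    printf '%s\n' '---' 'serveralias: www.other.nl mail.vps1.exampleserver.nl.other.nl' \
        'servername: other.nl' > "$d/otheruser/other.nl"
    echo "$d"
}

tree=$(make_sample_tree)
find_hostname_refs "$tree" vps1.exampleserver.nl
rm -rf "$tree"
```

Any line it prints for an account that should not own the hostname is a candidate for the cleanup described in the post above.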
     
  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @Steven Lukas

    Some time ago there was an issue with the hostname becoming owned by a user and it's possible it could have still been affecting the server, this in turn with recent updates to the AutoSSL could have further caused an issue. It's hard to say without having access to the system as well as with the issue being resolved now.

    Nonetheless, I'm really happy to see that the issue is resolved and that AutoSSL is working as intended. Thank you very much for updating here that the suggestions I provided helped!
     