DNSOnly SSL certs renewal problem

Wallu

Well-Known Member
Jan 13, 2020
53
12
8
Finland
cPanel Access Level
Root Administrator
So, because of the new (pain in the ass) changes to SSL cert renewal process, how am I supposed to renew (won't auto-renew) certs now?

Domains:
ns2.somedomain.com
cpanel.ns2.somedomain.com
cpcalendars.ns2.somedomain.com
cpcontacts.ns2.somedomain.com
mail.ns2.somedomain.com
webmail.ns2.somedomain.com
whm.ns2.somedomain.com
www.ns2.somedomain.com

Because the "system" created all those unnecessary sub-domains, the cert renewal chain breaks. The only one that actually resolves from the above list is the first one. The others are not needed on a DNSOnly.

What to do now? There is no auto-ssl config (Manage SSL Hosts) on DNSOnly, where you could EXCLUDE others, like there is on a WHM.

- Wallu

EDIT: I think this applies to WHM too. Just checked my WHM, and there are some sub-domains on the WHM cert itself, which do not resolve. For example: whm.whm06.mydomain.com and www.whm06.mydomain.com. Why would I even have these, when my WHM / host is whm06.mydomain.com?
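
A pre-renewal check for the situation described in the post above, added here as an example (not part of the original thread and not cPanel's code): it pulls the names from a certificate's SAN list and reports which ones do not resolve, since those are the names that cannot pass DCV. The function names, the sample SAN text and the 192.0.2.10 address are constructed for illustration.

```python
import re
import socket

# Constructed sample: SAN line as printed by `openssl x509 -noout -text`,
# using some of the hostnames listed in the post above.
SAMPLE_CERT_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:ns2.somedomain.com, DNS:cpanel.ns2.somedomain.com, DNS:mail.ns2.somedomain.com, DNS:www.ns2.somedomain.com
"""


def san_names(cert_text):
    """Extract the DNS names from the Subject Alternative Name text."""
    return re.findall(r"DNS:([^,\s]+)", cert_text)


def system_resolver(name):
    """Return the set of IP addresses a name resolves to (empty if none)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(names, server_ips, resolve=system_resolver):
    """Group names: pointing at this server, pointing elsewhere, or unresolvable."""
    report = {"ok": [], "elsewhere": [], "unresolved": []}
    for name in names:
        ips = resolve(name)
        if not ips:
            report["unresolved"].append(name)
        elif ips & set(server_ips):
            report["ok"].append(name)
        else:
            # Assumption: a name that resolves to another host is also
            # worth reviewing before a renewal attempt.
            report["elsewhere"].append(name)
    return report


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the server's IP.
    result = classify(san_names(SAMPLE_CERT_TEXT), {"192.0.2.10"})
    for status, names in result.items():
        for name in names:
            print(f"{status:10} {name}")
```
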
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
Hey there! The DNSOnly machine wouldn't create any DNS zones by itself, as those would all get synced from a webserver system in a normal cluster configuration.

These domains can be disabled globally on the webserver in WHM:


so if you don't need them that is likely the best way to take care of that.
 

horizon2021

Active Member
Jan 31, 2021
41
3
8
USA
cPanel Access Level
Root Administrator
I noticed when trying to renew the hostname cert for a WHM/cPanel server two days ago that, even with service and proxy subdomains disabled (I don't use them and don't want them; I want all access to come over the specific firewalled port for each service), it was trying to do DCV for those subdomains during the checkallsslcerts process, and all of those subdomains obviously failed DCV except for the server hostname itself. It did successfully renew the server hostname cert from the cPanel Store, though, after many tries.
 

Wallu

Yet again I have to write here about the same SSL crap. Now, I added all my DNSOnly subdomains and sub-subs to DNS, and they renewed after a day or so. BUT, my WHM host is not renewing, and the deadline gets closer and closer.

I have added all WHM host subs and sub-subs too, but still it won't renew, and I get notifications every night about Exim, cPanel and Dovecot certs expiring in less than 30 days. My cert expires Feb 23rd, so it's getting closer.

What the hell am I supposed to do here @cPRex ? All domains in the notification e-mail resolve, every one of them, so why is it not renewing?

- Wallu
 

Wallu

Riiight, I forgot about that already :)

Kinda don't wanna get 90 e-mails in 30 days saying my cert is ending... but then again, don't wanna turn it off either... dilemma.

Anyways, I'll wait, and hopefully it renews. Thanks @cPRex

- Wallu
 

Wallu

So when is it supposed to renew @cPRex ?

Still getting this:

Code:
The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID nufg4x) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.
..and the cert: Expires: Wednesday, February 23, 2022 at 11:59:59 PM UTC

Kinda cutting it close..