domain.com: AutoSSL reduced SSL coverage

[mickael]

Hello

For about 4 days during the last automatic update, I receive around 10 emails each day with this error that I never received before:

domain.com: AutoSSL reduced SSL coverage 


AutoSSL has successfully renewed the Domain Validated (DV) SSL certificate for “domain.com”. The new certificate lacks the following domain that the previous certificate secured:

⛔ domain.com (checked on 24 mai 2020 at 00:09:24 UTC)

There is no recorded error on the system for “domain.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

If this domain does not need valid SSL, then you do not need to take any further action. However, if you want AutoSSL to secure this domain, you must resolve the above problem.

How to solve?

I use Lets encrypt

Mick

 

[eagle1maledetto]

Same problem here, and we use AutoSSL/Comodo certs.

Started 2 days ago. At every renew we get some warnings about some subdomains not fully covered.

We use PDNS as DNS server.

 

[mickael]

Yes the same thing:

• only subdomains
• I just looked at the first emails, it's from May 21st
  
• No intervention or any modification coming from myself on the server, the errors were created automatically. Looks like the subdomains work well and have been renewed anyway
  
  

 

[eagle1maledetto]

Hi,

same! Only subdomains, only from the 21 of May. No invertention or modification either.

 

[SamuelM]

Hello @mickael and @eagle1maledetto

Thank you for contacting cPanel!

I am sorry to hear you are both receiving error messages associated with AutoSSL. It's difficult to troubleshoot this type of issue without access to your server and without knowing the exact domain name affected. You are welcome to submit a ticket using the link in my signature so that we can review the issue closer.

In the meantime, I would like to let you know that you can review the full AutoSSL log in the following path:

/var/cpanel/logs/autossl/$date/txt

The log file might help you understand the exact problem that was encountered. Often, this error message is related to issues with DNS resolution.

Please let us know if you have any questions.

 

[mickael]

I did not receive an email notification today.

Maybe the cause is:
- Yesterday I checked the box "Accepted the general conditions of Lets encrypt"
- And also I created a (new) subdomain and I validated the SSL for this domain

And today no notification email, to see for the following days

 

[mickael]

today (06/06/2020) I received 84 e-mails (all sub domains or not) for the error of "AutoSSL reduced SSL coverage".
Will it last a long time?
Is it just emails or is there a serious problem?

 

[Uni-Liam]

Our servers are having a similar issue and I think it's linked to the Let's Encrypt plugin for cPanel being out of date and as a result, Let's Encrypt is not issuing certificates to requests coming from the out of date plugins.

I've checked the changelog for the latest release of cPanel and haven't seen any changes being made to the Let's Encrypt plugin or AutoSSL, so I assume it hasn't been fixed yet. Hopefully someone at cPanel can have a look and see what's up with it.

You can check to see if this is likely your issue as well by going to the "Manage AutoSSL" section in WHM, then copying the api url for the Provider Account ID. If it mentions that it is "malformed" and the status is "405" then it's most likely the plugin version.

 

[rhm.geerts]

Sorry to bump this thread but having the same problem, lots of emails I did not have before about this.
However, in my case it's not subdomains.

Maybe the cause is:
- Yesterday I checked the box "Accepted the general conditions of Lets encrypt"

I've done this today, hope it helps, but I think not.

I've just doen the curl command:

 curl -kvv domain.com

and you see this:

* About to connect() to domain.com port 80 (#0)
*   Trying 148.251.xxx.xxx...
* Connected to domain.com (148.251.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: domain.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 20 Jun 2020 13:09:56 GMT
< Server: Apache
< Location: http://www.domain.com/
< Content-Length: 233
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.domain.com/">here</a>.</p>
</body></html>
* Connection #0 to host domain.com left intact

We do have a .htaccess in place in the public_html which first redirects from non-www to www and then from http to https. Never gave issues before.

Somewhere else on the forum I read one could enable this setting according to @cPanelMichael (in 2018):

Do you have the Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) option enabled under the Domains tab in WHM >> Tweak Settings?

However, there is no such setting anymore in the current cP version under Tweak settings.

So I checked the Autossl logs from within cPanel and June 19th everything for this domain looked green and fine.
Seems done again this night and now it shows 1 warning like this:

WARN Certificate expiry: 7/19/20, 12:59 AM UTC (28.96 days from now)

Now I hope my clicking the "accept conditions" checkbox will fix this, but I doubt it. This is what the email to me says.

There is no recorded error on the system for “href="Website Domains Names & Hosting | Domain.com">www.domain.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

Same content for mail.domain.com, domain.eu and mail.domain.eu was in this mail.

So why these errors and warning emails from the attempt last night, while yesterday night everthing went green and no email about issues?

P.s. I masked my domain name and part of the ip.

 

[rhm.geerts]

Accepting conditions did not do the trick for me.
Today I got another 27 mails with this issue.

Edit: several domains don't exist anymore of these 27, several do. So I checked the domain above (amongst others) and the domain with the issue described above does come good through ssl checks. As do others.
New license issues June 20th valid until septemer so I don't understand why these issue mails are send when no problem is existing,
Various ssl checkers show everything is ok.

 

[klypnick]

There is no recorded error on the system for “<<domain>>”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

Also getting tons of these emails, started after a recent WHM update I think.

It's causing concern, because it looks like there's an issue but the error is that there was an error but it's gone away and everything is fine now?

 

[go4]

Our servers are having a similar issue and I think it's linked to the Let's Encrypt plugin for cPanel being out of date and as a result, Let's Encrypt is not issuing certificates to requests coming from the out of date plugins.

I've checked the changelog for the latest release of cPanel and haven't seen any changes being made to the Let's Encrypt plugin or AutoSSL, so I assume it hasn't been fixed yet. Hopefully someone at cPanel can have a look and see what's up with it.

You can check to see if this is likely your issue as well by going to the "Manage AutoSSL" section in WHM, then copying the api url for the Provider Account ID. If it mentions that it is "malformed" and the status is "405" then it's most likely the plugin version.

I've been having the same issue and getting this status also.

cPanel team: my understanding is there's an Let's Encrypt plugin update needed - can you confirm and give any ETA on update?

 

[Andy_Helgolander]

I've just had the email for the first time today. I'm posting to keep the topic live.
This seems to have been going on for a long time, and I wonder why it has only hit me now. Maybe my web host, Panthur, has only now upgraded something.
I'll monitor the situation.

 

[eugenevdm.host]

We use Let's Encrypt and started having this problem of notifications getting more and more. Behind the scenes all SSL kept on working, it's just the amount notifications increased tremendously.

Then I went back to the manual and found this warning of interest:

"Let’s Encrypt imposes significant rate and domain limits. You should review the rate limits before you select this provider. For more information, read our Guide to SSL documentation."
https://docs.cpanel.net/knowledge-base/third-party/the-lets-encrypt-plugin/86/

The fact of the matter is if you have quite a few domains, and if you are using Let's Encrypt, you might be running into this problem. So the problem could well be Let's Encrypt and have nothing to do with WHM at all. Presumably there is a log file where Let's Encrypt signifies that's it reached rate limits? For us we simply turned off SSL warnings as SSL is not impeded.