Errors from cPanel Store API when requesting autossl certs

Nick Bagley

Registered
Nov 8, 2016
3
0
1
Boston
cPanel Access Level
Root Administrator
Whenever I try to provision SSL certs from AutoSSL I get back errors such as the following:

Code:
7:25:00 PM ERROR AutoSSL failed to request an SSL certificate for “propelflorist.thrivehivesite.com” because of an error: Cpanel::Exception::cPStoreError/(XID bw85ua) The cPanel Store returned an error (X::UnknownError) in response to the request “POST ssl/certificate/free”: Service Unvailable at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77. Cpanel::Exception::create("cPStoreError", HASH(0x41d2970)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231 Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x45510c8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103 Try::Tiny::try(CODE(0x42a2238), Try::Tiny::Catch=REF(0x4295630)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239 Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x41ad780), "post", "ssl/certificate/free", "item_params", HASH(0x42a21c0)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178 Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x41ad780), "ssl/certificate/free", "item_params", HASH(0x42a21c0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169 Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x3a8dcc8), Try::Tiny::Catch=REF(0x42a0cb0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193 Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x3780e80), "propelfl", "propelflorist.thrivehivesite.com", ARRAY(0x1925e68)) called at bin/autossl_check.pl line 259 bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x3b6dd08), Try::Tiny::Catch=REF(0x3b6a5b0)) called at bin/autossl_check.pl line 266 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101 Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x3781288)) called at bin/autossl_check.pl line 287 bin::autossl_check::_run_maybe_captured("--all") called at bin/autossl_check.pl line 109 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50 Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x374dc48)) called at bin/autossl_check.pl line 110 bin::autossl_check::run("--all") called at bin/autossl_check.pl line 78

Any thoughts? I can upload the entire log file if needed.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

The AutoSSL feature requires outbound access to the store.cpanel.net server over port 443. Could you verify that no firewall rules are blocking outgoing traffic over port 443 to store.cpanel.net?

Thank you.
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
806
156
168
New Jersey
cPanel Access Level
DataCenter Provider
I've got the same problem:

[[email protected] /]# /usr/local/cpanel/bin/checkallsslcerts
The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 752jpd) The cPanel Store returned an error (X::UnknownError) in response to the request âGET ssl/certificate/whm-licenseâ
The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID ndwqsk) The cPanel Store returned an error (X::UnknownError) in response to the request âGET ssl/certificate/whm-licenseâ



^C
[[email protected] /]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
806
156
168
New Jersey
cPanel Access Level
DataCenter Provider
I have another server doing the same exact thing, both are fresh installs
 

thee1xz

Member
Aug 8, 2016
5
1
3
Northpole
cPanel Access Level
DataCenter Provider
Same problem here, I've already opened a ticket with cPanel relative to this, no certificates are being issued and expired certificates aren't being process - exact same error as OP.
 

EneTar

Well-Known Member
Dec 19, 2015
156
12
18
Greece
cPanel Access Level
Root Administrator
Here is the log for those accounts

This log is from two days ago.
Code:
11:46:38 AM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
11:46:38 AM Checking websites for accountusername …
11:46:38 AM The website “mydomain.com”, owned by accountusername, has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
11:46:39 AM The system will attempt to renew SSL certificates for the following websites:
11:46:39 AM mydomain.com (mydomain.com www.mydomain.com mail.mydomain.com)
11:46:39 AM The system has completed the AutoSSL check for accountusername.
11:46:39 AM The system has finished checking 1 user.
And here is the log for the second account from yesterday.
Code:
7:57:41 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
7:57:41 PM Checking websites for “accountusername2” …
7:57:42 PM The website “ar.mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
7:57:42 PM The website “fa.mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
7:57:42 PM The website “mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
7:57:42 PM The website “tr.mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
7:57:43 PM The system will attempt to renew SSL certificates for the following websites:
7:57:43 PM ar.mydomain2.com (ar.mydomain2.com www.ar.mydomain2.com)
7:57:43 PM fa.mydomain2.com (fa.mydomain2.com www.fa.mydomain2.com)
7:57:43 PM mydomain2.com (mydomain2.com www.mydomain2.com mail.mydomain2.com)
7:57:43 PM tr.mydomain2.com (tr.mydomain2.com www.tr.mydomain2.com)
7:57:48 PM The system has completed the AutoSSL check for “accountusername2”.
7:57:48 PM The system has finished checking 1 user.
I used to have http to https redirects for those accounts a few days ago but the latest autossl logs don't have any errors or warnings.

Should I wait? The websites are down now. Is there any way to force the renewal?
 
Last edited by a moderator:

EneTar

Well-Known Member
Dec 19, 2015
156
12
18
Greece
cPanel Access Level
Root Administrator
I tried this for the domains above and I get the output as I should
Code:
curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://YOUR_DOMAIN.TLD/THE_TEXT_FILE.txt
and the output of /usr/local/cpanel/bin/autossl_check_cpstore_queue is

Code:
Polling for “username1”’s new certificate for “tr.domain1.com” (order item ID “17874741”) …
The certificate is not available. (processing)
Polling for “username1”’s new certificate for “ar.domain1.com” (order item ID “17874753”) …
The certificate is not available. (processing)
Polling for “username1”’s new certificate for “fa.domain1.com” (order item ID “17874725”) …
The certificate is not available. (processing)
Polling for “username1”’s new certificate for “domain1.com” (order item ID “17734253”) …
The certificate is not available. (processing)
Polling for “username2”’s new certificate for “domain2.com” (order item ID “17874701”) …
The certificate is not available. (processing)
Polling for “username3”’s new certificate for “domain3.com” (order item ID “22239587”) …
The certificate is not available. (processing)
Any ideas?

Comodo ips are whitelisted in csf
Code:
tcp|in|d=80|s=178.255.81.12 # Comodo SSL Resolver
tcp|in|d=443|s=178.255.81.12 # Comodo SSL Resolver

tcp|in|d=80|s=178.255.81.13 # Comodo SSL Resolver
tcp|in|d=443|s=178.255.81.13 # Comodo SSL Resolver

tcp|in|d=80|s=91.199.212.132 # Comodo DCV Server
tcp|in|d=443|s=91.199.212.132 # Comodo DCV Server

tcp|in|d=80|s=199.66.201.132 # Comodo DCV Server
tcp|in|d=443|s=199.66.201.132 # Comodo DCV Server
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

We've received a few reports about systems failing to acquire signed certificates from the cPanel Store. The issue is currently under investigation, and I'll update this thread with more information as it becomes available.

Thank you.
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
806
156
168
New Jersey
cPanel Access Level
DataCenter Provider
Seems to be working as of this morning, at least for the 2 servers I was having issues with.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

I don't have an update to report at this time, however I do see reports that certificates have processed.

Your server will automatically order the free signed certificate when the server runs the /usr/local/cpanel/bin/checkallsslcerts tool as part of the upcp maintenance script. However, you can run the script manually if you'd like to see if the error messages still appear:

Code:
/usr/local/cpanel/bin/checkallsslcerts
Keep in mind that certificates are not issued instantly, and processing times can sometimes take up to 24 hours.

Thank you.
 
Last edited:

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
938
21
168
Did you resolve this, I'm having the same problem...

Code:
2:41:37 PM ERROR AutoSSL failed to request an SSL certificate for “removed.com” because of an error: Cpanel::Exception::cPStoreError/(XID 72y2aw) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request “POST ssl/certificate/free”: Generic exception at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77. Cpanel::Exception::create("cPStoreError", HASH(0x4d030c0)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231 Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x4fd61e0)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103 Try::Tiny::try(CODE(0x4d03588), Try::Tiny::Catch=REF(0x4d0a228)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239 Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x46ad708), "post", "ssl/certificate/free", "item_params", HASH(0x4d0a420)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178 Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x46ad708), "ssl/certificate/free", "item_params", HASH(0x4d0a420)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169 Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x46ad420), Try::Tiny::Catch=REF(0x4d195d0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193 Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x3b2a298), "removed", "removed.com", ARRAY(0x1926b20)) called at bin/autossl_check.pl line 259 bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x469f7d8), Try::Tiny::Catch=REF(0x469f208)) called at bin/autossl_check.pl line 266 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101 Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x43c48f0)) called at bin/autossl_check.pl line 287 bin::autossl_check::_run_maybe_captured("--user", "removed") called at bin/autossl_check.pl line 109 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50 Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x4390f28)) called at bin/autossl_check.pl line 110 bin::autossl_check::run("--user", "removed") called at bin/autossl_check.pl line 78
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

This can happen if your server's firewall is blocking access attempts from Comodo to validate the certificate, but validation is also sometimes delayed for a few hours during manual steps sometimes required by Comodo during the validation process. Anyone experiencing an issue with certificate issuance where it's been over 24 hours since the initial request for the certificate was made can open a support ticket using the link in my signature so we can check on the status of the order.

Thank you.