
Errors from cPanel Store API when requesting autossl certs

Discussion in 'Security' started by Nick Bagley, Nov 8, 2016.

  1. Nick Bagley

    Nick Bagley Registered

    Joined:
    Nov 8, 2016
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Boston
    cPanel Access Level:
    Root Administrator
    Whenever I try to provision SSL certs from AutoSSL I get back errors such as the following:

    Code:
    7:25:00 PM ERROR AutoSSL failed to request an SSL certificate for “propelflorist.thrivehivesite.com” because of an error: Cpanel::Exception::cPStoreError/(XID bw85ua) The cPanel Store returned an error (X::UnknownError) in response to the request “POST ssl/certificate/free”: Service Unvailable at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77. Cpanel::Exception::create("cPStoreError", HASH(0x41d2970)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231 Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x45510c8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103 Try::Tiny::try(CODE(0x42a2238), Try::Tiny::Catch=REF(0x4295630)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239 Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x41ad780), "post", "ssl/certificate/free", "item_params", HASH(0x42a21c0)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178 Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x41ad780), "ssl/certificate/free", "item_params", HASH(0x42a21c0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169 Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x3a8dcc8), Try::Tiny::Catch=REF(0x42a0cb0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193 Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x3780e80), "propelfl", "propelflorist.thrivehivesite.com", ARRAY(0x1925e68)) called at bin/autossl_check.pl line 259 bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x3b6dd08), 
Try::Tiny::Catch=REF(0x3b6a5b0)) called at bin/autossl_check.pl line 266 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101 Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x3781288)) called at bin/autossl_check.pl line 287 bin::autossl_check::_run_maybe_captured("--all") called at bin/autossl_check.pl line 109 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50 Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x374dc48)) called at bin/autossl_check.pl line 110 bin::autossl_check::run("--all") called at bin/autossl_check.pl line 78

    Any thoughts? I can upload the entire log file if needed.
     
    #1 Nick Bagley, Nov 8, 2016
    Last edited by a moderator: Nov 8, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,171
    Likes Received:
    1,295
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The AutoSSL feature requires outbound access to the store.cpanel.net server over port 443. Could you verify that no firewall rules are blocking outgoing traffic over port 443 to store.cpanel.net?

    Thank you.
     
  3. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    588
    Likes Received:
    88
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    I've got the same problem:

    [root@pim /]# /usr/local/cpanel/bin/checkallsslcerts
    The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID 752jpd) The cPanel Store returned an error (X::UnknownError) in response to the request “GET ssl/certificate/whm-license”
    The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID ndwqsk) The cPanel Store returned an error (X::UnknownError) in response to the request “GET ssl/certificate/whm-license”



    ^C
    [root@pim /]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
     
  4. Jcats

    Jcats Well-Known Member

    I have another server doing the same exact thing, both are fresh installs
     
  5. Tomorrow's Retail LLC

    Joined:
    Nov 8, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Central Florida
    cPanel Access Level:
    Root Administrator
    Same problem here.... I came on to ask about it but looks like I'm not alone.

    Fresh install from 2 days ago. Just started moving sites over today when I ran into this.
     
  6. thee1xz

    thee1xz Member

    Joined:
    Aug 8, 2016
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Northpole
    cPanel Access Level:
    DataCenter Provider
    Same problem here, I've already opened a ticket with cPanel relative to this, no certificates are being issued and expired certificates aren't being processed - exact same error as OP.
     
  7. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    66
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Here is the log for those accounts

    This log is from two days ago.
    Code:
    11:46:38 AM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
    11:46:38 AM Checking websites for accountusername …
    11:46:38 AM The website “mydomain.com”, owned by accountusername, has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    11:46:39 AM The system will attempt to renew SSL certificates for the following websites:
    11:46:39 AM mydomain.com (mydomain.com www.mydomain.com mail.mydomain.com)
    11:46:39 AM The system has completed the AutoSSL check for accountusername.
    11:46:39 AM The system has finished checking 1 user.
    
    And here is the log for the second account from yesterday.
    Code:
    7:57:41 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
    7:57:41 PM Checking websites for “accountusername2” …
    7:57:42 PM The website “ar.mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:42 PM The website “fa.mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:42 PM The website “mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:42 PM The website “tr.mydomain2.com”, owned by “accountusername2”, has a faulty SSL certificate (ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    7:57:43 PM The system will attempt to renew SSL certificates for the following websites:
    7:57:43 PM ar.mydomain2.com (ar.mydomain2.com www.ar.mydomain2.com)
    7:57:43 PM fa.mydomain2.com (fa.mydomain2.com www.fa.mydomain2.com)
    7:57:43 PM mydomain2.com (mydomain2.com www.mydomain2.com mail.mydomain2.com)
    7:57:43 PM tr.mydomain2.com (tr.mydomain2.com www.tr.mydomain2.com)
    7:57:48 PM The system has completed the AutoSSL check for “accountusername2”.
    7:57:48 PM The system has finished checking 1 user.
    
    I used to have http to https redirects for those accounts a few days ago but the latest autossl logs don't have any errors or warnings.

    Should I wait? The websites are down now. Is there any way to force the renewal?
     
    #7 EneTar, Nov 9, 2016
    Last edited by a moderator: Nov 9, 2016
  8. EneTar

    EneTar Well-Known Member

    I tried this for the domains above and I get the output as I should
    Code:
    curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://YOUR_DOMAIN.TLD/THE_TEXT_FILE.txt
    and the output of /usr/local/cpanel/bin/autossl_check_cpstore_queue is

    Code:
    Polling for “username1”’s new certificate for “tr.domain1.com” (order item ID “17874741”) …
    The certificate is not available. (processing)
    Polling for “username1”’s new certificate for “ar.domain1.com” (order item ID “17874753”) …
    The certificate is not available. (processing)
    Polling for “username1”’s new certificate for “fa.domain1.com” (order item ID “17874725”) …
    The certificate is not available. (processing)
    Polling for “username1”’s new certificate for “domain1.com” (order item ID “17734253”) …
    The certificate is not available. (processing)
    Polling for “username2”’s new certificate for “domain2.com” (order item ID “17874701”) …
    The certificate is not available. (processing)
    Polling for “username3”’s new certificate for “domain3.com” (order item ID “22239587”) …
    The certificate is not available. (processing)
    
    Any ideas?

    Comodo IPs are whitelisted in csf
    Code:
    tcp|in|d=80|s=178.255.81.12 # Comodo SSL Resolver
    tcp|in|d=443|s=178.255.81.12 # Comodo SSL Resolver
    
    tcp|in|d=80|s=178.255.81.13 # Comodo SSL Resolver
    tcp|in|d=443|s=178.255.81.13 # Comodo SSL Resolver
    
    tcp|in|d=80|s=91.199.212.132 # Comodo DCV Server
    tcp|in|d=443|s=91.199.212.132 # Comodo DCV Server
    
    tcp|in|d=80|s=199.66.201.132 # Comodo DCV Server
    tcp|in|d=443|s=199.66.201.132 # Comodo DCV Server
     
    #8 EneTar, Nov 9, 2016
    Last edited by a moderator: Nov 9, 2016
  9. thee1xz

    thee1xz Member

  10. benito

    benito Well-Known Member

    Joined:
    Jan 8, 2004
    Messages:
    300
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Mar del Plata - Argentina
    Same error here.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    We've received a few reports about systems failing to acquire signed certificates from the cPanel Store. The issue is currently under investigation, and I'll update this thread with more information as it becomes available.

    Thank you.
     
  12. Jcats

    Jcats Well-Known Member

    Seems to be working as of this morning, at least for the 2 servers I was having issues with.
     
  13. thee1xz

    thee1xz Member

    Some of our servers issued the certificates, however there's a lot which are still 'processing' with the same errors.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I don't have an update to report at this time, however I do see reports that certificates have processed.

    Your server will automatically order the free signed certificate when the server runs the /usr/local/cpanel/bin/checkallsslcerts tool as part of the upcp maintenance script. However, you can run the script manually if you'd like to see if the error messages still appear:

    Code:
    /usr/local/cpanel/bin/checkallsslcerts
    Keep in mind that certificates are not issued instantly, and processing times can sometimes take up to 24 hours.

    Thank you.
     
    #14 cPanelMichael, Nov 9, 2016
    Last edited: Nov 10, 2016
  15. thee1xz

    thee1xz Member

    Correction to Michael's command above, add an 's' to the end.

    /usr/local/cpanel/bin/checkallsslcerts
     
  16. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    788
    Likes Received:
    6
    Trophy Points:
    168
    Did you resolve this, I'm having the same problem...

    Code:
    2:41:37 PM ERROR AutoSSL failed to request an SSL certificate for “removed.com” because of an error: Cpanel::Exception::cPStoreError/(XID 72y2aw) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request “POST ssl/certificate/free”: Generic exception at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77. Cpanel::Exception::create("cPStoreError", HASH(0x4d030c0)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231 Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x4fd61e0)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103 Try::Tiny::try(CODE(0x4d03588), Try::Tiny::Catch=REF(0x4d0a228)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239 Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x46ad708), "post", "ssl/certificate/free", "item_params", HASH(0x4d0a420)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178 Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x46ad708), "ssl/certificate/free", "item_params", HASH(0x4d0a420)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169 Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x46ad420), Try::Tiny::Catch=REF(0x4d195d0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193 Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x3b2a298), "removed", "removed.com", ARRAY(0x1926b20)) called at bin/autossl_check.pl line 259 bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x469f7d8), Try::Tiny::Catch=REF(0x469f208)) called at 
bin/autossl_check.pl line 266 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101 Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x43c48f0)) called at bin/autossl_check.pl line 287 bin::autossl_check::_run_maybe_captured("--user", "removed") called at bin/autossl_check.pl line 109 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50 Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x4390f28)) called at bin/autossl_check.pl line 110 bin::autossl_check::run("--user", "removed") called at bin/autossl_check.pl line 78
    
     
    #16 4u123, Nov 10, 2016
    Last edited by a moderator: Nov 10, 2016
  17. Nick Bagley

    Nick Bagley Registered

    Still periodically seeing this with certain domains. Still waiting for an actual resolution.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This can happen if your server's firewall is blocking access attempts from Comodo to validate the certificate, but validation is also sometimes delayed for a few hours during manual steps sometimes required by Comodo during the validation process. Anyone experiencing an issue with certificate issuance where it's been over 24 hours since the initial request for the certificate was made can open a support ticket using the link in my signature so we can check on the status of the order.

    Thank you.
     
  19. Nick Bagley

    Nick Bagley Registered

    What should I do to ensure that the firewall is not blocking Comodo?
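
One way to check the CSF side of this, as an added example that is not part of the original thread: the function below reads rules in the `tcp|in|d=PORT|s=IP` form shown in post #8 and lists every Comodo source/port pair that has no allow rule. The IP list is copied from post #8 and may be out of date; the function names and the sample input are constructed for illustration, and other csf.allow rule forms are not parsed.

```shell
#!/usr/bin/env bash
# Added example: audit csf.allow-style rules for the Comodo validation
# sources quoted in post #8 of this thread (list dates from 2016).

COMODO_IPS="178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132"
DCV_PORTS="80 443"

# missing_comodo_rules [FILE]
# Reads rules from FILE (or stdin) and prints one "ip:port" line for every
# inbound TCP allow rule that is absent. Only the rule shape shown in the
# thread (tcp|in|d=PORT|s=IP) is recognised; anything else is ignored.
missing_comodo_rules() {
    awk -v ips="$COMODO_IPS" -v ports="$DCV_PORTS" '
        BEGIN { n = split(ips, ip, " "); m = split(ports, port, " ") }
        {
            sub(/#.*/, "")          # drop trailing comment
            gsub(/[ \t\r]/, "")     # drop whitespace and stray CRs
            if ($0 == "") next
            k = split($0, f, "|")
            if (k != 4 || f[1] != "tcp" || f[2] != "in") next
            if (f[3] !~ /^d=[0-9]+$/ || f[4] !~ /^s=/) next
            seen[substr(f[4], 3) ":" substr(f[3], 3)] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = 1; j <= m; j++) {
                    key = ip[i] ":" port[j]
                    if (!(key in seen)) print key
                }
        }
    ' "$@"
}

# Constructed sample: the rules from post #8 with one line left out
# (91.199.212.132 on port 443) to show what a gap looks like.
sample_rules() {
    cat <<'EOF'
tcp|in|d=80|s=178.255.81.12 # Comodo SSL Resolver
tcp|in|d=443|s=178.255.81.12 # Comodo SSL Resolver

tcp|in|d=80|s=178.255.81.13 # Comodo SSL Resolver
tcp|in|d=443|s=178.255.81.13 # Comodo SSL Resolver

tcp|in|d=80|s=91.199.212.132 # Comodo DCV Server

tcp|in|d=80|s=199.66.201.132 # Comodo DCV Server
tcp|in|d=443|s=199.66.201.132 # Comodo DCV Server
EOF
}

sample_rules | missing_comodo_rules
```

On a server running CSF, pass the allow file instead: `missing_comodo_rules /etc/csf/csf.allow`. An empty result only shows that the rules exist, not that Comodo still validates from these four addresses.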
     
  20. EneTar

    EneTar Well-Known Member

    All my certs have been renewed and currently there doesn't seem to be any problem at all.
     