Failed update of services SSL certificates.

[Remus76]

Hi!
I manage a VPS. CentOS v7.9.2009, cPanel v100.0.5
Lately I receive error warnings after update retry of SSL Certificates of Exim, Dovecot and WHM.
I have 15 more days to solve the problem, or else I assume mail accounts will stop working.

The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.

There is no checkallsslcerts.pl file to check line 654. I searched entire installation of Centos.

I had also error message after command needs-restarting. There were countless lines like this.
http://138.118.173.126/cpanelsync/repos/CentOS/7/cpanel-plugins/x86_64/repodata/99b0ad5f230073f622ec9ed0c4629af674a01a6cf89967b987b69403cab97552-filelists.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found
Now this error is gone, but still can't update the SSL certificates.
Could it be caused by regular use of systemctl daemon-reexec? I try to avoid reboot.

Thank you!

 

[andrew.n]

Can you run this command and see what error you get?

/usr/local/cpanel/bin/checkallsslcerts

 

[Remus76]

Thank you for reply. I used it with --verbose. Same story for other two services.

The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.

 

[andrew.n]

As this doesn't provide enough information the best would be to Submit a Ticket at cPanel directly to investigate this further. Alternatively you can also hire a cPanel certified sys admin from Resources to look into this for you.

@cPanelAnthony

 

[cPanelAnthony]

Thank you, @andrew.n

If you could open a ticket an provide the ID, that would be very helpful.

 

[Remus76]

This is my request number. 94391391
Thanks to both of you!

 

[cPanelAnthony]

Thanks! I am following this ticket.

 

[timmit]

ok we have the exact same problem. Same line number, everything. Is there an update what was wrong? Then I can fix it on our server as well.

 

[Bayern]

Hi everyone!
Was this solved, I have exactly the same situation since the latest update:
I run a VPS with CentOS v7.9.2009, cPanel v100.0.5 and since the last update I receive error warnings after every update retry of SSL Certificates of FTP, Exim, Dovecot and WHM.
I also tried to find the file mentioned in the error report, but there is no checkallsslcerts.pl file to check line 654.
I ran /usr/local/cpanel/bin/checkallsslcerts as suggested by andrew.n and ended up having 100% similar message as Remus76.

Any help would be appreciated.

 

[Cyrtocara]

Hi, i have exactly the same problem for 3 dedicated servers out of 10 without finding a solution. Do you have any news?

 

[Jean-Paul Bleau]

I also have the same issue. Except for the IP address:
http://178.18.193.52/cpanelsync/rep...f89967b987b69403cab97552-filelists.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found

Any update would be appreciated.

 

[cPanelAnthony]

It looks like the issue in this ticket was due to a stale CSR file that had to be moved out of the way. It was fixed by moving the file out of the way and re-running AutoSSL.

[root@HOST ~]cPs# mv /var/cpanel/hostname_cert_csrs{,.cpbkp} -v
‘/var/cpanel/hostname_cert_csrs’ -> ‘/var/cpanel/hostname_cert_csrs.cpbkp’

However, this issue can be caused by a variety of problems. It would be best to open a ticket using the link in my signature if anyone is having issues. Otherwise, please reach out to your web hosting provider if you cannot open one with us directly.

 

[jhawkins003]

We had this exact issue as well. Happy to report the fix by cPanelAnthony worked like a charm.

 

[timmit]

Ok the fix works but I think that we know possibly why the csrs is stale:

The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

But maybe make something in the /usr/local/cpanel/bin/checkallsslcerts that removes stale csrs files...

And could it be that because the server is set on autossl => letsencrypt that the queue isn't correctly processed for the cpanel store part?

 

[cPanelAnthony]

Hello! I don't believe that would cause an issue, but that is a good suggestion!

 

[astroud]

However, this issue can be caused by a variety of problems. It would be best to open a ticket using the link in my signature if anyone is having issues. Otherwise, please reach out to your web hosting provider if you cannot open one with us directly.

We encountered this same issue over the weekend. I've got a ticket open as well. #94392338

Are the renewals now contingent on using a hostname with a domain name that you can manage?
Right now we have a couple of VPSes using subdomains that our hosting provider provided, example: vps1234.hosting.com

To the best of my–albeit relatively new–knowledge, this wasn't a problem in the past.

 

[cPanelAnthony]

We encountered this same issue over the weekend. I've got a ticket open as well. #94392338

Are the renewals now contingent on using a hostname with a domain name that you can manage?
Right now we have a couple of VPSes using subdomains that our hosting provider provided, example: vps1234.hosting.com

To the best of my–albeit relatively new–knowledge, this wasn't a problem in the past.

Thank you for the update. I am looking into your question here and will get back to you.

 

[astroud]

Thank you for the update. I am looking into your question here and will get back to you.

Thanks Anthony. Looks like our issue was entirely related to the Sectigo outage. Everything's good now.

 

[Bayern]

I'm also glad to confirm that the fix by cPanelAnthony worked. Thanks!

 

[coursevector]

I just ran into this problem. Below is the timeline of things I did:

1. Tried running

# /usr/local/cpanel/bin/checkallsslcerts

which resulted in the error message:

[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error:
The system failed to acquire a signed certificate from the cPanel Store. at bin/checkallsslcerts.pl line 654.

2. Tried @cPanelAnthony fix, which DID remove the stale CSR

3. Tried running again:

# /usr/local/cpanel/bin/checkallsslcerts

which resulted in the error message:

[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: 
(XID 649yf2) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request 
“POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

How can I fix this?