Failed update of services SSL certificates.

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
Houston, TX
cPanel Access Level
Root Administrator
I tried again this morning and the query went through. What was going on with the store?
I am not aware of specific cPanel store issues at this time. If the error happens again, can you open a support ticket immediately using the link in my signature and then update me with the ticket ID?
 

jestep

Well-Known Member
Dec 18, 2006
Having this same issue.

Does WHM/cPanel use a specific port for SSL issuance for the hostname interface? There's no problem with AutoSSL for domains, but we have this server behind a hardware firewall with very limited ports open.
 

jestep

Well-Known Member
Dec 18, 2006
Update, it was a firewall issue with us that gave this exact error. Not sure what ports are being used but apparently blocking some prevents the server from properly requesting a certificate for the hostname.
 

jhawkins003

Well-Known Member
Jun 24, 2014
cPanel Access Level
Root Administrator
Update, it was a firewall issue with us that gave this exact error. Not sure what ports are being used but apparently blocking some prevents the server from properly requesting a certificate for the hostname.
I really wish the cPanel devs did a better job of communicating what ports and IP's are necessary for various essential functions on servers that have to live in a more locked down state. We ran into a similar issue with WordPress Toolkit. Some parts of it just don't work correctly behind a restrictive firewall, and when we attempted to get some clarity on what we would need to whitelist we just kinda got a ¯\_(ツ)_/¯.
 

jestep

Well-Known Member
Dec 18, 2006
I really wish the cPanel devs did a better job of communicating what ports and IP's are necessary for various essential functions on servers that have to live in a more locked down state. We ran into a similar issue with WordPress Toolkit. Some parts of it just don't work correctly behind a restrictive firewall, and when we attempted to get some clarity on what we would need to whitelist we just kinda got a ¯\_(ツ)_/¯.
I agree, we generally have no need to keep some of the cPanel services ports open because we don't use them ever and they are a potential security risk. Even if there isn't a direct vulnerability, if they're publicly available, people will be bashing at them 24/7. I have one server that we use CSF/LFD on and leaving the cPanel or webmail or other ports open will result in literally tens of thousands of blocked IP's in a matter of hours. But, it's definitely not clear enough what ports are needed both in and out for basic functionality, seems common to run into processes that use a port that is unexpected or undocumented. Apparently some services either use their own ports or don't use the cPanel licensing or normal ones. I didn't bother to monitor the process when I was able to successfully run it. I'll probably do that next time just so I know what things are going out on and coming back in on.
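Added example, not part of any poster's message and not cPanel code: one way to do the monitoring described above is to sample `ss -Htnp` as root while the hostname certificate request runs and summarise outbound TCP by destination port and process. Connections stuck in SYN-SENT are outbound attempts that got no reply, which is what a firewall silently dropping egress looks like. The function names, the sample lines (addresses, ports, process names) and the 32768 ephemeral-port cutoff are assumptions made for this example.

```shell
#!/bin/sh
# Summarise outbound TCP connections from `ss -Htnp` output read on stdin.
# Output lines: STATUS REMOTE_PORT PROCESS COUNT
#   NO-REPLY  = SYN-SENT, an outbound attempt that has had no answer
#   CONNECTED = ESTAB with an ephemeral local port (heuristic for "outbound")
summarize_outbound() {
    awk '
    $1 == "SYN-SENT" || $1 == "ESTAB" {
        n = split($4, l, ":"); lport = l[n] + 0   # last field also works for [v6]:port
        m = split($5, p, ":"); rport = p[m]
        # ESTAB on a low local port is almost certainly an inbound session; skip it.
        # 32768 is the default start of the Linux ephemeral range (assumption).
        if ($1 == "ESTAB" && lport < 32768) next
        proc = "unknown"                           # no users:(...) column unless root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        status = ($1 == "SYN-SENT") ? "NO-REPLY" : "CONNECTED"
        count[status " " rport " " proc]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample of `ss -Htnp` output (documentation address ranges only;
# the ports and process names are placeholders, not a list of what cPanel uses).
sample_ss_output() {
    cat <<'EOF'
ESTAB    0 0 192.0.2.10:22            203.0.113.5:51514   users:(("sshd",pid=811,fd=4))
ESTAB    0 0 192.0.2.10:48522         198.51.100.7:443    users:(("perl",pid=4242,fd=5))
SYN-SENT 0 1 192.0.2.10:48530         198.51.100.9:8443   users:(("perl",pid=4242,fd=6))
SYN-SENT 0 1 192.0.2.10:48531         198.51.100.9:8443   users:(("perl",pid=4242,fd=8))
ESTAB    0 0 [2001:db8::10]:50100     [2001:db8::7]:443   users:(("curl",pid=4300,fd=3))
EOF
}

# Offline demo on the constructed sample. On a live server, run as root:
#   ss -Htnp | summarize_outbound
sample_ss_output | summarize_outbound
```

Repeating the live command every second or so during the request and comparing the NO-REPLY lines against the firewall's egress rules shows which destination ports need an allow rule.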
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator

jhawkins003

Well-Known Member
Jun 24, 2014
cPanel Access Level
Root Administrator
We have a full list of firewall options here:


If you're seeing something that needs to be opened that *isn't* on that list, please let me know so I can do some testing on my end.
I cannot speak for others, but our problem was inbound/outbound IP's - some internal services talk to other resources out on the internet and if you have a host that requires controlled access to a certain IP range then those services just go dark or work haphazardly (as was our experience testing WordPress Toolkit).
 

chadreitsma

Registered
Mar 25, 2022
Canada
cPanel Access Level
Website Owner
Here's what worked for me
  1. I added the server's domain as an account
  2. Installed a wildcard certificate using Let's Encrypt
  3. Assigned it to the cPanel/cPanel services under Manage Service SSL Certificates --> Browse Certificates --> Apache (then selected the wildcard *.serverdomain.com from step 2)