Gettin errors from checkallsslcerts script

[pmaz]

I have a brand new instalation of Centos 7.8 + Cpanel 88.0.12. Everething is working well, except that I get the following erros when running:

/usr/local/cpanel/bin/checkallsslcerts --verbose

The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The system will attempt to replace the revoked certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
Received error “X::NoCertificate” from cPanel Store (No free ssl certificate fou nd for this IP); requesting new certificate …
Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/A896831E27CE64E98AC8DD0A784E58AF.txt) …
… complete.
Setting up DNS DCV (CNAME _a896831e27ce64e98ac8dd0a784e58af.vps-example.example.com) …
… complete.
Attempting DNS DCV preflight check …
FAILED: The DNS DCV check (_a896831e27ce64e98ac8dd0a784e58af.vps-example.com IN CNAME) did not return the expected value (7c21eacf44cead30e8d35b552e48f6b6.9181c7b5bd88b4236734572958f72741.comodoca.com).
Attempting HTTP DCV preflight check …
FAILED: Cpanel::Exception/(XID mjt7jr) The system queried for a temporary file at “http://vps-example.com.com/.well-known/pki-validation/A896831E27CE64E98AC8DD0A784E58AF.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.
at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 356.
...
...
...
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
------

Two things that I don't undestand:

• I already have a valid comodo certificate that expires in 2021 installed on the domain automatically when the centos was provisioned, so why the script is not recognizing it and instead trying to get a new one?
• I checked that the temporary file created for the DNV challenge is present and accesible from the web. (http://vps-example.com.com/.well-known/pki-validation/XXXXX.txt), and there is no .htacces file present in /www/ that would indicate a permissions issue.

Thanks!

 

[cPanelLauren]

You may already have a certificate but did you install it on anything besides apache? Service SSL's must be installed separately at WHM>>Service Configuration>>Manage Service SSL Certificates.

As far as why the DCV check is failing if you perform a curl request as follows what is the output?

curl -vvI http://vps.domain.tld/.well-known/pki-validation/hash.txt

 

[pmaz]

You may already have a certificate but did you install it on anything besides apache? Service SSL's must be installed separately at WHM>>Service Configuration>>Manage Service SSL Certificates.

It is installed and working.

As far as why the DCV check is failing if you perform a curl request as follows what is the output?

curl -vvI http://vps.domain.tld/.well-known/pki-validation/hash.txt

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sat, 18 Jul 2020 00:09:31 GMT
Date: Sat, 18 Jul 2020 00:09:31 GMT
< Server: Apache
Server: Apache
< Last-Modified: Sat, 18 Jul 2020 00:09:20 GMT
Last-Modified: Sat, 18 Jul 2020 00:09:20 GMT
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 10
Content-Length: 10
< Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Expires: 0
Expires: 0
< Content-Type: text/plain
Content-Type: text/plain

Thank you for your help.

 

[andrew.n]

This is usually occurs if your hostname is not pointed correctly to the main IP of the server or if in Basic WebHost Manager Setup in WHM under IPV4 address you set a different IP than your main IP of your server.

 

[pmaz]

The IP address in Basic WebHost Manager is corrrectly pointing to the IP of the server.

 

[andrew.n]

and the hostname is also resolving to the correct IP?

 

[pmaz]

and the hostname is also resolving to the correct IP?

Yes. I don't understand why the script is getting a 403 error when I can access the temporary file from in a browser from outside.

 

[cPanelLauren]

Well at this point I am a bit confused, why are you trying to install a certificate if you've already installed one? The store error isn't that it is not recognizing you have a certificate but that you don't have one issued from the cPanel store.

If you go to WHM>>Server Configuration>>Apache Configuration>>Include Editor do you have any Apache Includes present? Are you by chance using Imunify?

 

[pmaz]

Well at this point I am a bit confused, why are you trying to install a certificate if you've already installed one? The store error isn't that it is not recognizing you have a certificate but that you don't have one issued from the cPanel store.

If you go to WHM>>Server Configuration>>Apache Configuration>>Include Editor do you have any Apache Includes present? Are you by chance using Imunify?

I was not trying to install a new certificate. I was just getting daily warnings errors from the script, as you can see in my first post.

But you are right, I was using a pre-virtual host include. For some reason that must have been the problem because now I run again checkallsslcerts and it succeeds. Thank you!