SOLVED How to disable "AutoSSL certificate installed!" emails?

[Benjamin D.]

(Hi, not sure I'm posting in the correct forum, please feel free to move me to another forum if necessary.)

How to disable "AutoSSL certificate installed!" emails coming from WHM? Sometimes I wake up, I have 40 of those, just over night. I went in WHM > Contact Manager > Notifications and I see an alert list for "AutoSSL has installed a certificate successfully." and so I'd like to disable that, but it's the only entry in there that's completely grayed out. According to WHM it's already disabled and from what I understand I should not have any of those "AutoSSL certificate installed!" emails. See screenshot attached. What's up with that?

...And is there a way to ONLY receive an email when there is an error, such as a coverage reduction and/or when the cert issuing is delayed/failed?

 

[HostNoc]

In WHM's Contact Manager interface (WHM >> Home >> Server Contacts >> Contact Manager):

• AutoSSL certificates expiring — An account's AutoSSL certificate expires soon.
• Installation of AutoSSL certificates — AutoSSL installed an SSL certificate.
• Installation of purchased SSL certificates — The system installed SSL certificates that a user purchased through the cPanel Market.
• SSL Certificate Expiration — A service-level SSL certificate has expired.
• SSL Certificate Expires Soon — An account's SSL certificate expires soon.
• SSL certificates expiring — An account's SSL certificate expires soon.

In cPanel's Contact Information interface (cPanel >> Home >> Preferences >> Contact Information):

• AutoSSL has renewed a certificate — AutoSSL successfully completed a certificate renewal.
• AutoSSL certificate expiry — An AutoSSL certificate will expire soon.
• SSL certificate expiry — A non-AutoSSL certificate will expire soon.

In cPanel, under "Contact Information", you'd need to disable the AutoSSL notifications. The particular notification referenced in that screenshot is:

"AutoSSL cannot renew a certificate because domains that fail validation exist on the current certificate."

Regards

 

[cPRex]

I believe the option you'll want is in WHM >> Manage AutoSSL under the "Options" area. I would guess both options there are set to "Notify the user for all AutoSSL events and normal successes" instead of just issues. Can you check that page?

 

[Benjamin D.]

This is what I'm seeing under WHM >> Manage AutoSSL under the "Options". See attached. I've noticed even though all the emails I'm getting over night are named "AutoSSL certificate installed!" I'm seeing this in each email I'm getting: There is no recorded error on the system for “mail.whatever.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

So perhaps WHM counts this success as a failure or something like that. I get TONS of those emails and there is absolutely nothing wrong with the current SSL coverage of any of those domains. Which option should I check so that WHM notification system shuts the F up?

Thx

 

[cPRex]

Yes, that would be a successful message. Switch to the "failures only" option and that will only tell you when things break.

 

[Benjamin D.]

cPRex, I've got to say that I'm impressed with your forum replies lately. You have helped me a couple times on here this year and I find it very refreshing to read replies from a cPanel staff member who actually seems to genuinely care about cPanel quality of service and customer service. You seem to be everywhere at once, you reply very quickly and you're helpful. Thanks for doing what you do, I appreciate your help.

I've set it to "Notify the administrator for AutoSSL certificate request failures only." so we'll see how it goes in 3 days.

BTW, is there a way for Let's Encrypt to issue SSL certs that last longer than 3 months? Before the Sectigo fiasco last year, and unless I don't recall correctly, both providers issued certs that lasted a year. I may be wrong, but I don't recall them being so short before.

 

[cPRex]

Thanks for the kind words!

There was some drama a couple years back about longer SSL certificates - you can read a bit about that here:

2-year Certificate Availability Ends on September 1, 2020

On September 1, all Certificate Authorities are required to stop issuing 2-year TLS/SSL certificates. The new industry-allowed maximum validity will be 1 year (398 days). DigiCert® Multi-year Plan certificates allow your customers to place a TLS/SSL certificate order for up to six years.

knowledge.digicert.com

Sectigo a Let's Encrypt use 90-day certificates because that seems to be a good amount of time to refresh the information. If the site is still online, it gets a new cert - if not, they didn't secure something that only had a short life for longer than they needed to. But no, there's not a way to change or adjust the 90-day timeline for our certs.

 

[Benjamin D.]

Yes, but the thing is that Sectigo failed to renew many of my server's certs last year. There apparently was a massive problem and many people, including me, reported it. I lost 3 customers who went elsewhere because of that. I'm now strictly using Let's Encrypt instead of Sectigo because of that horrible issue. Sectigo caused me PTSD. Remember this? UGH! WTF IS GOING ON WITH AUTOSSL? I'M LOSING CUSTOMERS NOW WHILE PAYING CPANEL PREMIUM PRICE.

You now understand that the longer AutoSSL certs remain valid, the less stress it causes me.

 

[cPRex]

That makes sense and I get that frustration for sure. There are paid options where you could purchase a one-year certificate, but for any of the automatically installed ones, the 90-day standard isn't something that is up to cPanel:

Why ninety-day lifetimes for certificates? - Let's Encrypt

We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do. Ninety days is nothing new on the Web. According to Firefox...

letsencrypt.org

 

[Benjamin D.]

Almost a week later, it seems to have fixed the issue. No more emails for now. Thanks.

 

[Benjamin D.]

Yeah, it's definitely fixed, thanks for the information cPRex!
This can be closed.