How to Remove Old, Expired, Self-signed, fqdn Certificate

Operating System & Version
Centos 7.9
cPanel & WHM Version
WHM 96.0.8
Jun 7, 2019
14
1
3
United States
cPanel Access Level
Root Administrator
Good day,
I ran my website through a couple of online SSL certificate testers, Qualsys' ssllabs.com and another one, and discovered I have an expired, self-signed certificate on my system. It expired last December. AutoSSL is on for all the users (which is just one). When I search for the expired certificate in WHM, I don't find it. However, on looking at the report from the testing website, it shows the expired certificate is for the fully qualified domain name, epiphany.example.com, instead of for example.com. AutoSSL only takes care of users. I don't recall how I managed to create a certificate for the fqdn. Indeed, when I go to "epiphany.example.com", now, Firefox gives a certificate warning. The certificate uses "RSA 2048 bits (SHA256withRSA) No SNI", which seems to only be used by very old clients.

I would like to get rid of the certificate, but, I don't know how! I suspect this will involve using the terminal. I'd appreciate help with correcting my error, and getting rid of this certificate.

Thanks!

Chris
 
Jun 7, 2019
14
1
3
United States
cPanel Access Level
Root Administrator
Hey there! Is that domain for a domain name with web content or for the hostname of the server?
This is the hostname of the server (hostname.example.com). I don't find a zone record for this address in WHM (or in cPanel). When Firefox goes to this address, it complains of a security problem with the certificate, then, on telling it to continue anyway, it goes to an error page. If Firefox is given a made-up address, like hostnametest.example.com, it says the site is not found.
I don't really know what behavior is expected when someone tries to go to a fully qualified domain name, such as the aforementioned hostname.example.com.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,961
1,725
363
cPanel Access Level
Root Administrator
Thanks for the additional details. Normally I would expect this to go to the classic "Sorry" default page, as there isn't web content on the hostname.

Can you run this command and see if that gets a new certificate issued?

Code:
/usr/local/cpanel/bin/checkallsslcerts
 
Jun 7, 2019
14
1
3
United States
cPanel Access Level
Root Administrator
Thanks for the additional details. Normally I would expect this to go to the classic "Sorry" default page, as there isn't web content on the hostname.

Can you run this command and see if that gets a new certificate issued?

Code:
/usr/local/cpanel/bin/checkallsslcerts
Here's what I get:
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The certificate for the “cpanel” service passed all checks.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The certificate for the “dovecot” service passed all checks.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The certificate for the “exim” service passed all checks.

I should mention that this is a hosted VPS server.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,961
1,725
363
cPanel Access Level
Root Administrator
Great - thanks for that. That indicates the SSL is properly installed on the hostname, so your connections to cPanel and WHM, webmail, and other services are secured. By default, I would expect that to secure the connection for the hostname over port 443.

Do you have any other tools like Litespeed or nginx installed?
 
Jun 7, 2019
14
1
3
United States
cPanel Access Level
Root Administrator
I tried going to hostname.example.com:443. It returns an error page that looks like this in the address bar: https://hostname.example.com/cgi-sys/defaultwebpage.cgi. That might give a clue as to where this "domain" is located in the system.

I'm surprised that the external web mail testing services figured out what the fqdn is.

Logrotate sends a nightly error message that seems to be a bug related to nginx. It looks like a fix for that is in the pipeline, so I'll just wait for it. That probably is unrelated to this current issue.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,961
1,725
363
cPanel Access Level
Root Administrator
It's interesting to me that it's redirecting to https without you needing to do anything. I'm wondering if the hostname is somehow being routed to a vhost on the server for some reason.

You're always welcome to submit a ticket and we can check things directly on the system.
 
Jun 7, 2019
14
1
3
United States
cPanel Access Level
Root Administrator
I figured out part of my problem: the online certificate checker was also trying to see how the server behaved without SNI. Since my account is a hosted VPS, the SNI is required to get to "my part" of the server. I think that the "Without SNI" test is meaningless for my needs, and was finding certificates from the "host" that were meaningless to my account.
Maybe that will help someone else.