How to Remove Old, Expired, Self-signed, fqdn Certificate

[ChristopherChemist]

Good day,
I ran my website through a couple of online SSL certificate testers, Qualsys' ssllabs.com and another one, and discovered I have an expired, self-signed certificate on my system. It expired last December. AutoSSL is on for all the users (which is just one). When I search for the expired certificate in WHM, I don't find it. However, on looking at the report from the testing website, it shows the expired certificate is for the fully qualified domain name, epiphany.example.com, instead of for example.com. AutoSSL only takes care of users. I don't recall how I managed to create a certificate for the fqdn. Indeed, when I go to "epiphany.example.com", now, Firefox gives a certificate warning. The certificate uses "RSA 2048 bits (SHA256withRSA) No SNI", which seems to only be used by very old clients.

I would like to get rid of the certificate, but, I don't know how! I suspect this will involve using the terminal. I'd appreciate help with correcting my error, and getting rid of this certificate.

Thanks!

Chris

 

[cPRex]

Hey there! Is that domain for a domain name with web content or for the hostname of the server?

 

[ChristopherChemist]

Hey there! Is that domain for a domain name with web content or for the hostname of the server?

This is the hostname of the server (hostname.example.com). I don't find a zone record for this address in WHM (or in cPanel). When Firefox goes to this address, it complains of a security problem with the certificate, then, on telling it to continue anyway, it goes to an error page. If Firefox is given a made-up address, like hostnametest.example.com, it says the site is not found.
I don't really know what behavior is expected when someone tries to go to a fully qualified domain name, such as the aforementioned hostname.example.com.

 

[cPRex]

Thanks for the additional details. Normally I would expect this to go to the classic "Sorry" default page, as there isn't web content on the hostname.

Can you run this command and see if that gets a new certificate issued?

/usr/local/cpanel/bin/checkallsslcerts

 

[ChristopherChemist]

Thanks for the additional details. Normally I would expect this to go to the classic "Sorry" default page, as there isn't web content on the hostname.

Can you run this command and see if that gets a new certificate issued?

/usr/local/cpanel/bin/checkallsslcerts

Here's what I get:
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The certificate for the “cpanel” service passed all checks.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The certificate for the “dovecot” service passed all checks.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The certificate for the “exim” service passed all checks.

I should mention that this is a hosted VPS server.

 

[cPRex]

Great - thanks for that. That indicates the SSL is properly installed on the hostname, so your connections to cPanel and WHM, webmail, and other services are secured. By default, I would expect that to secure the connection for the hostname over port 443.

Do you have any other tools like Litespeed or nginx installed?

 

[ChristopherChemist]

With a recent cPanel update I installed the nginx cache option. No Litespeed or other tools I can think of.

 

[ChristopherChemist]

I tried going to hostname.example.com:443. It returns an error page that looks like this in the address bar: https://hostname.example.com/cgi-sys/defaultwebpage.cgi. That might give a clue as to where this "domain" is located in the system.

I'm surprised that the external web mail testing services figured out what the fqdn is.

Logrotate sends a nightly error message that seems to be a bug related to nginx. It looks like a fix for that is in the pipeline, so I'll just wait for it. That probably is unrelated to this current issue.

 

[cPRex]

Yup, the nginx thing is a known bug that we're working on :D

Getting the defaulwebpage.cgi page is what I would expect - are you getting the error page only with the https version of the hostname?

 

[ChristopherChemist]

I tried going to http://hostname.example.com, but it immediately went to https://hostname.example.com, along with the certificate error.

 

[ChristopherChemist]

I've used "find" to find all files ending in ".crt". Found about 30 files. I'll go through these and see if I can find the culprit. Maybe I'll have more information tomorrow. Thanks for working on this!
Chris

 

[cPRex]

It's interesting to me that it's redirecting to https without you needing to do anything. I'm wondering if the hostname is somehow being routed to a vhost on the server for some reason.

You're always welcome to submit a ticket and we can check things directly on the system.

 

[ChristopherChemist]

I figured out part of my problem: the online certificate checker was also trying to see how the server behaved without SNI. Since my account is a hosted VPS, the SNI is required to get to "my part" of the server. I think that the "Without SNI" test is meaningless for my needs, and was finding certificates from the "host" that were meaningless to my account.
Maybe that will help someone else.

 

[cPRex]

That's definitely odd - I wouldn't expect any machine on the web in 2021 to not have SNI enabled, unless it was for a very specific configuration. I'm glad you were able to track that down!