Intermediary CA Certificate Expiration

[cPanelLauren]

Hi Everyone,

This post is to provide you with essential and timely information about an unexpected incompatibility that began to unfold in the early morning hours on May 30, 2020, when an intermediary CA certificate used by Sectigo expired and some older versions of OpenSSL could not validate the certificate chain.
This event reduced compatibility with a wide range of software and services. Some of the impacted software was:

• New installations
• Updates for cPanel & WHM
• EasyApache

Several other services were affected as well. We have since installed an updated intermediate certificate provided by Sectigo to restore functionality.

Action may be required by you to ensure your SSL certificates, and those of your customers, issued by Sectigo before May 1, 2020, continue to function.

You can find more information here: https://support.cpanel.net/hc/en-us/articles/360048670574-Root-CA-Certificate-Expiration

Should you have any questions about SSL errors that you are experiencing after reading the knowledgebase article, please contact our Technical Support team through your customer portal.

 

[AndyB78]

Hello,

I believe there is one more intermediate certificate that is expired:

Common name: COMODO RSA Certification Authority
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from May 30, 2000 to May 30, 2020
Serial Number: 2766ee56eb49f38eabd770a2fc84de22
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root

This comes up when I interrogate with SSL Checker for any cPanel server on different ports than 443 (like 993 or 2087).

I found out about this due to a problem with a script that connects to the IMAP server (we have OpenSSL 1.0.1e-fips on the server).

On one of the servers I did try to upcp --force and then update_sectigo_cabundles and checkallsslcerts --force but it didn't help.

Regards!

 

[GOT]

Is there some reason you can't push this fix out in an update so we do not have to manually fix all these servers?

 

[benito]

I can't find any invalid CRT on my servers, maybe its automatically updated?

 

[cPanelLauren]

Is there some reason you can't push this fix out in an update so we do not have to manually fix all these servers?

That autorepair should be running automatically actually - we're just providing you a way to run it on your own should you need to.

Hello,

I believe there is one more intermediate certificate that is expired:

Common name: COMODO RSA Certification Authority
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from May 30, 2000 to May 30, 2020
Serial Number: 2766ee56eb49f38eabd770a2fc84de22
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root

This comes up when I interrogate with SSL Checker for any cPanel server on different ports than 443 (like 993 or 2087).

I found out about this due to a problem with a script that connects to the IMAP server (we have OpenSSL 1.0.1e-fips on the server).

On one of the servers I did try to upcp --force and then update_sectigo_cabundles and checkallsslcerts --force but it didn't help.

Regards!

The cert you're linking IS the CA root certificate. This is the issue. I was recently made aware of an issue affecting hostname certificates yesterday https://support.cpanel.net/hc/en-us...-does-not-update-hostname-certificate-Root-CA which I believe might be the cause of your issue?

I can't find any invalid CRT on my servers, maybe its automatically updated?

If your certs were issued AFTER May 1 2020 they wouldn't have been affected or they were already fixed if they were.

 

[ffeingol]

The cert you're linking IS the CA root certificate. This is the issue. I was recently made aware of an issue affecting hostname certificates yesterday https://support.cpanel.net/hc/en-us...-does-not-update-hostname-certificate-Root-CA which I believe might be the cause of your issue?

A) Is there going to be a better fix than manually going into each server and forcing the re-issue of the certs (which may really screw things up because of the Sectigo backlog. Some of us have a lot of servers and this is going to be very labor intensive and cause lots of issues with self-signed certs.
B) You can't read the above KB article without being logged into the cPanel ticket system.

I'm also torn on any auto-fix for "A" if the queue to issue Sectigo certs is more than a few minutes. We really can't have our servers have self-signed certs for hours.

 

[cPanelLauren]

I think there may be some confusion here.

1. The article you're quoting Autofixer does not update hostname certificate Root CA is only for the instances in which the AutoFixer does not fix the issue for the hostname certificate. It is not relevant to all sites.​

- The AutoFixer for this should be running automatically.​

- If you would like to run it manually you can run the following:​

/scripts/autorepair update_sectigo_cabundles
/scripts/restartsrv_apache

-The above is also noted in the initial article I linked: Root CA Certificate Expiration​

2. I'm currently viewing this article while not signed into the ticket system and I do not need to be logged in to view it. The article is set to be viewable by everyone​

 

[ffeingol]

@cPanelLauren every one of the hosts SSL's that I've tested have a root cert with a valid date of may 30, 2000 to may 30, 2020. Theare all certs for the physical cPanel host, as we use Let's Encrypt certs for all the sites. So far we've had minimal issues with this, but when you check/validate the certs, it's showing the root cert is expired. So based on my checking/testing of our servers, it's failing to 'fix' things on most host certs.

The page about the issues with the host cert required a login this morning.

 

[cPanelLauren]

Also noted in that article the reference to the currently open internal case for this CPANEL-32921 but until that's resolved the only method I'm aware of to resolve this is what's listed in the article.

I can't speak to what the article's view settings were earlier today but I do know that when I checked it, it was public. I don't think it should be changed from that setting and I did mention this to the guide admin so he is aware.

 

[wltnet]

@cPanelLauren I am having the issues with SSL cert expired on all the websites hosted on the server with Cpanel, and the Cpanel version is 86.0.21, I tried to run
/scripts/autorepair update_sectigo_cabundles
/scripts/restartsrv_apache

But all the websites still having the issues, not only that, now nscd is failed to run after those steps, how can I solve the SSL cert expired and the nscd issues?

Thanks

 

[cPanelLauren]

If your certificates themselves are expired (not the CA Root) and you're experiencing other issues i.e., issues with NSCD it does not sound like this issue. I'd suggest you open a ticket with our support team to investigate the issues you're having further.

I also want to note that the autofixer for hostname certificates was pushed and any continuing issues with this should be resolved.