shimmy

Active Member
Nov 13, 2002
34
0
156
For the last few days I get this error when logging into WHM "Invalid License File."

I can make it go away only by turning off the firewall and running /usr/local/cpanel/cpkeyclt

But when I turn the firewall back on the next day I get the same error.

What IP address do I need to whitelist?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
Hey there! At least you were able to isolate the issue to the firewall, so that's a great starting point.

We have a list of ports that need to be opened in our documentation here:


The IPs do rotate once in a while, but you'll want to focus on port 2089, making sure that is open for traffic. Can you try that and let me know if that helps?
 

shimmy

Active Member
Nov 13, 2002
34
0
156
The Firewall I'm using is ConfigServer, and I checked the port configuration against the documentation you just provided and my port set up is correct. 2089 TCP_OUT is already allowed on my firewall.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
As a test, can you run this command from your server to see if that connects?

Code:
telnet 208.74.121.83 2089
You may also be able to get additional data about the connection problem in /usr/local/cpanel/logs/license_log as that will show the server and port your machine is trying to connect to. Here is an example snippet from that log file from my personal machine:

Code:
Tue Dec 15 01:00:36 2020: License request made by process 864224 - /usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/scripts/updatenow.static-cpanelsync --upcp --log=/var/cpanel/updatelogs/update.1608012002.log
Tue Dec 15 01:00:36 2020: License Update Request
Tue Dec 15 01:00:36 2020: Using full manual DNS resolution
Tue Dec 15 01:00:37 2020: Trying server 208.74.121.85
Tue Dec 15 01:00:37 2020: Connected using local address 1.2.3.4
Tue Dec 15 01:00:37 2020: Server 208.74.121.85 on port 2089 returned:
Key Accepted
Key Follows
Tue Dec 15 01:00:37 2020: Obtained lock license file
Tue Dec 15 01:00:37 2020: Update openid connect client credentials
Tue Dec 15 01:00:37 2020: Accepted 31.002 license from server 208.74.121.85 on port 2089
Tue Dec 15 01:00:37 2020: License update succeeded after trying 1 server
Tue Dec 15 01:00:37 2020: Scheduling cpsrvd restart for successful license refresh (graceful with autofallback to hard)
 

shimmy

Active Member
Nov 13, 2002
34
0
156
Here are the errors from the logs, and I don't see those IPs blocked:

Wed Dec 16 08:17:02 2020: License server hostnames could not be resolved to IP addresses; using fallbacks
Wed Dec 16 08:17:02 2020: Trying server 208.74.121.85
Wed Dec 16 08:17:20 2020: License update failed for server 208.74.121.85
Wed Dec 16 08:17:20 2020: Trying server 208.74.123.2
Wed Dec 16 08:17:37 2020: License update failed for server 208.74.123.2
Wed Dec 16 08:17:37 2020: Trying server 208.74.123.3
Wed Dec 16 08:17:54 2020: License update failed for server 208.74.123.3
Wed Dec 16 08:17:54 2020: Trying server 208.74.121.83
Wed Dec 16 08:18:11 2020: License update failed for server 208.74.121.83
Wed Dec 16 08:18:11 2020: Trying server 208.74.121.86
Wed Dec 16 08:18:28 2020: License update failed for server 208.74.121.86
Wed Dec 16 08:18:28 2020: Trying server 208.74.121.82
Wed Dec 16 08:18:45 2020: License update failed for server 208.74.121.82
Wed Dec 16 08:18:45 2020: License update failed after trying 6 servers
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
It's interesting to me that shutting off CSF resolves the issue even though you aren't seeing the IPs blocked anywhere on the system. If you run this command:

Code:
grep -R 208.74 /etc/csf/
so you get any output? Even if not, it sounds like you've isolated the issue to the CSF tool, so you may need to contact them directly for more assistance with that as that is not part of the cPanel software. They offer support directly at ConfigServer Technical Support and also have a forum at ConfigServer Community Forum - Index page
 

shimmy

Active Member
Nov 13, 2002
34
0
156
the only output is some IPs i put on the allow list this morning when I trying to find cpanel IPs
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
That's good - that's just extra confirmation that nothing is being blocked on the cPanel network by CSF that you aren't aware of.

If you have a chance to try that telnet command that could reveal additional details, but it definitely seems like there is something up with CSF on the machine that is causing an issue.
 

shimmy

Active Member
Nov 13, 2002
34
0
156
Not just this machine. I have 5 servers and all 5 suddenly got the same problem . I'll install telnet on one of them now.
 

shimmy

Active Member
Nov 13, 2002
34
0
156
i ran that telnet command. Result is:
telnet: connect to address 208.74.121.83: Connection refused
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
I haven't had any reports of license issues in general today so I don't have much else to add on that part, but it's odd that this is affecting five of your machines. If you disable CSF does that telnet command work properly?

It might be best to submit a ticket to our support team so we can take a look directly.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
That sounds good - that'll give us the best chance to see the issue in real-time and do some troubleshooting. I will say in advance that we won't be able to disable or tweak CSF on our end for you, so the tech may ask you to adjust or disable that on your side.
 

shimmy

Active Member
Nov 13, 2002
34
0
156
I do see a diffence between my logs anf yours. Yours said:
Tue Dec 15 01:00:37 2020: Accepted 31.002 license from server 208.74.121.85 on port 2089

Mine says:
Wed Dec 16 12:27:46 2020: Accepted 31.002 license from server 208.74.121.85 on port 993

port 993 is open on my server, but can that be the problem? How can I make it use 2089?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
You don't get to control the port that is used, but we start with 2089 and use the others as fallback ports if that is closed. Since yours was failing, it's likely moved on to the other ports, but this doesn't indicate an issue.