SOLVED Manage Service SSL Certificates (WHM) vs SSL/TLS (CPanel)

[gix0970]

This might not be an issue at all but it has been bothering me for some time...
I'm using Letsencrypt certificates for my domain and it works fine, and it renews every 3 months as expected. However when I look at the WHM's Manage Service SSL Certificates, it always shows the old expiring certificate (instead of the renewed one) for all the services (FTP, Exim, Dovecot, and Calendar, cPanel, WebDisk, Webmail, and WHM Services) . This is different when I see it from cPanel's SSL/TLS. Under Manage SSL Websites, the certificate shows the renewed certificate.
The renewed certificate seems to work when I use ssllabs.com to test. Users have no problem accessing email and websites - shows the renewed certificate.
Whether I reset the certificate or not (under WHM) it doesn't make any difference. Is it because I'm using different user when login to WHM and cPanel?
FYI, I'm using a dedicated server with only 1 domain name.
Any comments will be well appreciated...

 

[cPanelLauren]

Hello,

, I want to point out that Manage Service SSL certificates is not the same as AutoSSL. This interface is a 1 year certificate provided to the hostname of the server for free. It has absolutely no relation to the certificate that is installed on the domains.

 

[gix0970]

Sorry for my ignorance. Who does provide the free certificate? Where can I get it? When I first acquired this dedicated server from hostgator, it has self-signed certificate from itself.

The page says that "If no domain-specific certificate matches the SNI request or if the client doesn’t send an SNI request, the service falls back to its default certificate, which you can manage below. ". I interpret it that if my domain certificate has expired, and not renewed, it will fall back to the certificate I set here under WHM's Manage Service SSL Certificates, no?

What I have been doing is to use the same domain certificate I have and I have to reset it manually every time it gets renewed.

 

[gix0970]

I think I understand the difference now. The ones for services are meant for services like smtp, imap etc and the other one is only for apache.
The one for apache will auto renew (autoSSL) and if I use the same certificate for services then I have to install manually every time it is renewed. Is my understanding correct?

 

[cPanelLauren]

This is the hostname SSL - Manage Service SSL Certificates | cPanel & WHM Documentation it's a 1 year certificate for the hostname of the server provided by cPanel - backed by Sectigo.

It is installed automatically for the following services:
FTP
Exim
Calendar, cPanel, WebDisk, Webmail and WHM Services
Dovecot

The same certificate can be used for the hostname for the Apache service but must be installed manually by going to WHM>>SSL/TLS>>Install an SSL Certificate on a Domain -> Browse Certificates -> Browse Account: root

 

[skyrant]

This is the hostname SSL - Manage Service SSL Certificates | cPanel & WHM Documentation it's a 1 year certificate for the hostname of the server provided by cPanel - backed by Sectigo.

This does not work. Home » SSL/TLS » Purchase and Install an SSL Certificate shows an empty table or if i create a user for the domain it shows that domain and offers me to buy a certificate that is NOT free and does not even include the service hostname.

 

[cPanelLauren]

This does not work. Home » SSL/TLS » Purchase and Install an SSL Certificate shows an empty table or if i create a user for the domain it shows that domain and offers me to buy a certificate that is NOT free and does not even include the service hostname.

You're referencing the wrong location:

1. This hostname certificates are provisioned through WHM not cPanel​

• 2. You're referencing the SSL/TLS UI where you purchase a certificate which is entirely different.

As noted previously as well as in the documentation provided this is located at WHM>>Server Configuration>>Manage Service SSL Certificates.

 

[skyrant]

As noted previously as well as in the documentation provided this is located at WHM>>Server Configuration>>Manage Service SSL Certificates.

I don't see how i get my free SSL certificate from there but maybe you can explain. I can install a certificate if i have one and paste it into the install section. But i still don't have the free certificate and i still don't know where to get it.

Please don't tell me i can get it here: Manage Service SSL Certificates | cPanel & WHM Documentation because then we are talking in circles as that documentation tells me to go to Home » SSL/TLS » Purchase and Install an SSL Certificate.

 

[cPanelLauren]

I don't see how i get my free SSL certificate from there but maybe you can explain. I can install a certificate if i have one and paste it into the install section. But i still don't have the free certificate and i still don't know where to get it.

Please don't tell me i can get it here: Manage Service SSL Certificates | cPanel & WHM Documentation because then we are talking in circles as that documentation tells me to go to Home » SSL/TLS » Purchase and Install an SSL Certificate.

The only portion of that documentation that tells you to purchase an SSL is if you're a cPanel user, where your domain doesn't have an SSL. This is a note and should not be confused with the SSL for the hostname.

Pending the hostname of the server is valid and resolves to the server, the provisioning process is automatic. The only instance in which this won't take place automatically is

A. If your hosting provider has disabled the ability for you to obtain these SSL's in favor of using a proprietary system​

B. If there is an issue with the DNS/configuration of your hostname.​

You can manually request the certificate over CLI as the root user by running the following:

/usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry

 

[skyrant]

Thank you. That did work, i have valid signed certificates now.

Might be a good idea to put that command into that page/documentation. I doubt i am the only one that sets up new metal, installs cPanel and the DNS and or IP are not set up yet or still cached with the wrong info resulting in not get the certificate automatically.

 

[cPanelLauren]

I'm glad you've got it now, the exclusion of the command is actually on purpose in that documentation as this runs in the nightly maintenance updates every night. So if on day 1 you have an issue with propagation and the domain doesn't resolve, on day 2 it will try again.

We do have some information on the script here if you want to know more:

The checkallsslcerts Script | cPanel & WHM Documentation

The system runs several certificate-related functions during the nightly cPanel & WHM update (upcp) process.

docs.cpanel.net