SOLVED Manage SSL Services via WHM

Alongar

Member
Oct 5, 2019
21
2
3
America
cPanel Access Level
Website Owner
Hello,

I have self-signed SSL certificates on my cPanel/WHM services. Do I need to wait for the cPanel maintenance to run so the server can order a replacement certificate? If so, when does the maintenance script usually run (how often)? Also, can I run the script via the terminal before the auto maintenance script runs? Will that cause any issues? Any help would be appreciated. Thanks.
 

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
275
95
28
Australia
cPanel Access Level
Root Administrator
Hi @Alongar,

A self-signed certificate is a security certificate that is not signed by a certificate authority.

Does your hosting provider use the AutoSSL functionality that provisions free Comodo or Let's Encrypt certificates? They are valid for three months and are automatically renewed by the cPanel / WHM system.
 

Alongar

@ZenHostingTravis

I'm on a VPS which has AutoSSL that provides free certs through cPanel (Sectigo cert). AutoSSL is enabled. I had 16 days left on my cert until it expired. My cPanel/WHM services never received a newly issued certificate from cPanel, and I thought the renewal for AutoSSL kicks in when you have 25 days left. With that said, I reset the certs under WHM>>Manage Service SSL Certificates and I received 'self-signed' certificates. In an attempt to retrieve a cPanel-issued cert, I ran:
Code:
/usr/local/cpanel/bin/checkallsslcerts
Still no luck.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
What was the output from the checkallsslcerts command? You'll want to make sure the hostname of the server resolves properly in DNS, but if there are errors I would expect them to show up in that output. If you can send us that, making sure to remove any personal details like the domain or IP, that may give us more clues.
 

Alongar

Hello, @cPRex

This is what I get:

Code:
# /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
The system will check for the certificate for the “dovecot” service.
The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.
 

cPRex

Thanks for the additional output. That all seems normal to me. It did the request, sent it to the cPanel Store, and now it's waiting to be processed. If you think this is waiting longer than necessary (which should really be less than 10 minutes for that to get issued, in my experience) then I'd submit a ticket to our team so we can check the SSL order on our end and get you more details. It's possible there are other problems that are keeping the SSL from being issued on our side, but that output you sent is exactly what I like to see.
 

Alongar

@cPRex

It's been longer than 24hrs.

I stumbled on this in my cpanel/logs/error_log:


Code:
cpsrvd fb75096c016d: Cpanel::Exception::NetSSLeay/(XID vrjsuh) Net::SSLeay::ssl_write_all(SCALAR(0x2bf2e18)) produced an operating system error (EPIPE, Broken pipe) and 1 [asis,OpenSSL] [numerate,_6,error,errors]: ARRAY(0x2c5a950)
 at /usr/local/cpanel/Cpanel/Server/Connection/SSL.pm line 64.
    Cpanel::Server::Connection::SSL::write_buffer(Cpanel::Server::Connection::SSL=HASH(0x2b6b3b0), SCALAR(0x2bf2e18)) called at /usr/local/cpanel/Cpanel/Server/Response.pm line 217
    Cpanel::Server::Response::__ANON__(SCALAR(0x2bf2e18)) called at /usr/local/cpanel/Cpanel/Server/Responders/Stream/Gzip.pm line 92
    Cpanel::Server::Responders::Stream::Gzip::write(Cpanel::Server::Responders::Stream::Gzip=HASH(0x2bf30a0), 6) called at /usr/local/cpanel/Cpanel/Server/Responder.pm line 176
    Cpanel::Server::Responder::finish(Cpanel::Server::Responders::Stream::Gzip=HASH(0x2bf30a0), 2) called at /usr/local/cpanel/Cpanel/Server/Responders/Chunked/Gzip.pm line 29
    Cpanel::Server::Responders::Chunked::Gzip::finish(Cpanel::Server::Responders::Stream::Gzip=HASH(0x2bf30a0), 2) called at /usr/local/cpanel/Cpanel/Server/Responder.pm line 91
    Cpanel::Server::Responder::readonly_from_input_and_send_response(Cpanel::Server::Responders::Stream::Gzip=HASH(0x2bf30a0)) called at /usr/local/cpanel/Cpanel/Server/Response.pm line 141
    Cpanel::Server::Response::send_response(Cpanel::Server::Response=HASH(0x2b6b638), Cpanel::Server::Response::Source::ReadOnlyString=HASH(0x2b91ef0)) called at cpsrvd.pl line 3070
    cpanel::cpsrvd::servcontent("document", "./frontend/paper_lantern/libraries/cjt2-dist/frameworks.cmb.js", "use_magic", 1, "static", 1, "content_type", "text/javascript") called at cpsrvd.pl line 2805
    cpanel::cpsrvd::dodoc_cpaneld() called at cpsrvd.pl line 2028
    cpanel::cpsrvd::dodoc(HASH(0x136a998)) called at cpsrvd.pl line 1776
    cpanel::cpsrvd::handle_one_connection(5) called at cpsrvd.pl line 1102
    cpanel::cpsrvd::script() called at cpsrvd.pl line 431

Cpanel::Exception::NetSSLeay/(XID 5uw6fj) Net::SSLeay::ssl_write_all(HTTP/1.1 500 Internal Error\x{0d}\x{0a}Connection: close\x{0d}\x{0a}Content-type: text/html; charset="utf-8"\x{0d}\x{0a}X-Error-Message: Error ID fb75096c016d\x{0d}\x{0a}\x{0d}\x{0a}) produced an operating system error (EPIPE, Broken pipe) and 1 [asis,OpenSSL] [numerate,_6,error,errors]: ARRAY(0x2c5b070)
 at /usr/local/cpanel/Cpanel/Server/Connection/SSL.pm line 64.
 

cPRex

Those logs in your last reply seem like they are related to a cPanel user's access to their interface, and not something that would be related to the AutoSSL system. Let me know that ticket number once you get it submitted and then I can follow along and keep everyone here updated.
 

Alongar

So, the issue I had was a connection issue between my server and Sectigo. After whitelisting their IPs in my firewall, the certificate was retrieved and installed. Thanks to cPanel techs for resolving the issue.
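
The thread's failure mode was a Store order that stayed "processing" for more than a day while the services kept self-signed certificates. The following is an added example, not part of any post above and not cPanel tooling: it summarises `checkallsslcerts` output per service and tracks how long the Store order has been pending across runs. The function names, the state-file argument and the "unflagged" label are assumptions, and only the message wordings quoted in the thread are recognised.

```shell
#!/bin/sh
# Added example: summarise checkallsslcerts output and track a stuck Store order.
# Only the message wordings quoted in the thread are recognised (assumption).

# Constructed sample, shortened from the output posted in the thread.
sample_output() {
cat <<'EOF'
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will check for the certificate for the “exim” service.
The cPanel Store is processing the hostname certificate request.
EOF
}

# Print one "service=state" line per service, then the Store order state.
summarize_checkallsslcerts() {
  awk '
    # The service name sits between the curly quotes of each message.
    function svc(line) { sub(/^.*“/, "", line); sub(/”.*$/, "", line); return line }
    /will check for the certificate for the/ {
      s = svc($0); if (!(s in state)) order[++n] = s
      state[s] = "unflagged"   # no later complaint seen for this service
    }
    /replace the self-signed certificate/ { state[svc($0)] = "self-signed" }
    /None of the certificates in the system ssl storage were acceptable/ {
      state[svc($0)] = "self-signed,no-local-cert"
    }
    /cPanel Store is processing the hostname certificate request/ { pending = 1 }
    END {
      for (i = 1; i <= n; i++) print order[i] "=" state[order[i]]
      print "store_order=" (pending ? "pending" : "none")
    }'
}

# Remember when the order was first seen pending; report "stalled" past max.
# $1 summary text, $2 state file (hypothetical path), $3 now (epoch), $4 max seconds
check_pending() {
  if ! printf '%s\n' "$1" | grep -qx 'store_order=pending'; then
    rm -f "$2"; echo "clear"; return 0
  fi
  [ -s "$2" ] || printf '%s\n' "$3" > "$2"
  first=$(cat "$2")
  if [ $(( $3 - first )) -gt "$4" ]; then echo "stalled"; return 1; fi
  echo "waiting"
}

sample_output | summarize_checkallsslcerts
```

On a server, pipe the real output of `/usr/local/cpanel/bin/checkallsslcerts` into `summarize_checkallsslcerts`; a "stalled" result is the cue to check outbound connectivity to the certificate provider and open a ticket.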