New SSL order is in pending status too long

Mr.Novo

Active Member
Apr 9, 2017
40
5
58
Istanbul
cPanel Access Level
Root Administrator
Hi,

I've created a new account about 3 hours ago. I cant see any problem with sectigo SSL order generated but its waiting in Pending status since then.

I've checked DNS records all resolving to correct IP address except intodns.com (resolves www record with cname to another ip address)

I've sectigo order item id. Is there any way to check why its not available yet ?
 
Last edited by a moderator:

nlaruelle

Active Member
Sep 4, 2017
39
16
58
Belgium
cPanel Access Level
Website Owner
Hello all users and cPanel team!

I am experiencing the same issue now from my side, on my "monitored domain" (so, the failed of renewing affected my global uptime of my status page^^ my bad)

My best output ? Here :

9:01:55 AM The system will attempt to renew the SSL certificate for (monitoring.example.com: monitoring.example.com www.monitoring.example.com).
The “cPanel (powered by Sectigo)” provider’s AutoSSL queue already contains a certificate request for “userexample”’s website “monitoring.example.com”. The request’s start time is Oct 31, 2022, 12:20:23 AM UTC, and its last poll time is Oct 31, 2022, 1:42:01 AM UTC.


Output that I understand as…

"We heard your request, no worry. It will happen some time later… just chill and relax waiting to look your SSL Error disappear…"

I am a newbie and maybe, do not understand that log^^

Anyway, without SSL, the website it's like « DOWN » ^^ (not easy to chill as it could happen during a couple of hours, and the logs are not so understandable for a very new cPanel user / so he can wait for days before realising that the domain should for instance, remove an AAAA entry !? )

With cPanel, we are used to being helped by smooth processes, infinite troubleshooting options (easy options for the most part, support channel is amazing), and many things in cPanel help us to avoid downtime or other issues… thanks, it’s what we love!

But, I regret to see that, AutoSSL Feature looks still almost the same as my first days on cPanel since that time (I am sure developers improved that so much, but it’s still missing some user-friendliness there, no?)…

Also, I feel like Let’sEncrypt and Sectigo now must care more and more about the Max Requests per Hour on their generous servers !?

It's kinda "rare" that Sectigo or Let's Encryp fail to renew certificates, BUT it happens, and when it happens, I am actually not satisfied with the experience.

I know how to troubleshoot DNS misconfigurations. I learn that.

But I am not confident on what I should do, to expedite the Certificate SSL for a critical domain, just when the SSL provider “have a queue…”
that can last ‘hours…’ ? without ETA in the logs^^

With a proper config (DNS and so), my souvenirs say that one single user had to wait up to something like ~ 4 hours ? to get his certificate

In life, 4 hours it’s Not big, but it’s enough to lose a customer, that do not understand the situation…

(Sir, these SSL are free of charge, 4 hours sometimes maybe is the price !??)

My passion is to study the AutoSSL logs before sleeping^^ I already know some basics, I hope^^

Approximate workaround : playing games with autossl_check, delete_ssl_vhost, autossl_check_cpstore_queue
don't know exactly why "upcp" success to renew the certificate, but not "autossl_check --all".
…and as a prudent user, I am not comfortable to ask too much to upcp. Better to find a proper solution to avoid "failing to renew" and "failing to deliver" certificate :
- when all subdomains resolve
- no DNSSEC or IPv6 things
- proper perms on files/directories
- and everything already…

My end users paying for premium control panel seems very frustrated when they discover their website, under the SSL Certificate Error, because the task remains in the Sectigo queue indefinitely? (I don’t know? Tell me everything that I missed pls)

For us, it's a Rare but Long time concern (for me, my team, users…), and in that case, we are used to fix urgently the SSL issue for individual users, rare times when it happens. And try to explain : “Maybe some delay from the SSL provider, anyway it’s fixed now!?^^”.

Recent behavior on our side only on AutoSSL :


Is this happen only for me since weeks/months ?

It seems that now, we must to exclude the subdomains that not resolve, to avoid failing to deliver the whole main Certificate of a domain name… is that a new behavior to save provider ressources, or I miss something ? We just need advices to deal with that as our best, thanks.

Anyway, since it's a "rare" issue, difficult to reproduce… difficult to request a fix. It's the reason today I’ve only shared my experience and "feeling" to open the discussion if other users have to same experience.

Is someone aware of some improvement on the SSL Delivery/Renewing process, on the cPanel Road Map for 2023 ?

Thanks for any additional info or informational links that I missed!?