None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.

superaca-nos

Registered
Nov 6, 2019
3
0
1
Serbia
cPanel Access Level
Root Administrator
Hi,

I already read all similar threads on the forum, but no luck so far.
Currently I have a root (hostname) certificate expiring (it will expire in 17 days).
I tried renewing with /usr/local/cpanel/bin/checkallsslcerts but no luck.

Code:
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “dovecot” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.
Can you help somehow?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,309
363
Houston
How long ago did you request the certificate initially? (i.e., how long has it been processing?)

Does the hostname resolve to the server?

Do you have any Apache includes that include customizations which would affect the hostname?
 

cPanelLauren

It sounds as though there's an issue with the processing of the certificate. In this case, because I am limited to what I can look into on the forums, I'd suggest you open a ticket with us to have it investigated further.

When you do open the ticket, please update here with the Ticket ID and we'll update this thread with the outcome when available.

Thanks!
 

cPanelLauren

Hello,

I found this to be related to a CAA record in place for letsencrypt.

In order to resolve this so that you'll be able to obtain a hostname certificate for the server, you'll need to remove the CAA record for letsencrypt.org or modify it for Sectigo.
Code:
[root@server ~]# dig CAA nosolutions.rs +short
128 issue "letsencrypt.org"

Sectigo will accept the following per https://support.sectigo.com/Com_KnowledgeDetailPageFaq?Id=kA01N000000zFMO

We recognize the following domain names in "issue" and "issuewild" property tags as permitting us to issue:

comodoca.com
usertrust.com
trust-provider.com
sectigo.com
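
The check that the CAA record above causes to fail, as an added example that is not part of the original posts or cPanel's own code: it parses `dig CAA ... +short` output and applies the RFC 8659 lookup (climb toward the parent domain, first CAA set found wins) against Sectigo's recognized issuer domains. The hostname `server.nosolutions.rs` and the "after" record set are constructed for illustration.

```python
import re

# Issuer domains Sectigo recognizes, as quoted in the post above.
SECTIGO = {"comodoca.com", "usertrust.com", "trust-provider.com", "sectigo.com"}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this example understands
CAA_LINE = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')

def parse_caa(dig_short_output):
    """Parse `dig CAA <name> +short` lines into (flags, tag, issuer_domain)."""
    records = []
    for line in dig_short_output.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            flags, tag, value = m.groups()
            # The issuer domain is the part before any ';' parameters.
            issuer = value.split(";")[0].strip().lower()
            records.append((int(flags), tag.lower(), issuer))
    return records

def relevant_rrset(hostname, lookup):
    """Climb from hostname toward the root; the first non-empty CAA set wins."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        records = parse_caa(lookup(".".join(labels[i:])))
        if records:
            return records
    return []

def may_issue(hostname, ca_domains, lookup):
    """True if a CA identified by ca_domains may issue a non-wildcard cert."""
    rrset = relevant_rrset(hostname, lookup)
    # A critical (flag 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [issuer for _, tag, issuer in rrset if tag == "issue"]
    # No "issue" property in the relevant set means issuance is unrestricted.
    return not issue or any(issuer in ca_domains for issuer in issue)

# Zone data keyed by name; values mimic `dig +short` output.
BLOCKED = {"nosolutions.rs": '128 issue "letsencrypt.org"'}  # record from the thread
FIXED = {"nosolutions.rs": '128 issue "letsencrypt.org"\n128 issue "sectigo.com"'}  # constructed

def lookup_in(zone):
    return lambda name: zone.get(name, "")

if __name__ == "__main__":
    host = "server.nosolutions.rs"  # hypothetical hostname under the thread's domain
    for label, zone in (("before", BLOCKED), ("after", FIXED)):
        print(label, "- Sectigo may issue:", may_issue(host, SECTIGO, lookup_in(zone)))
```

On a live server, `lookup` can be replaced with a function that runs `dig CAA <name> +short` and returns its output.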