SOLVED Primary Domain (No Valid Certificate)

Radhi

Active Member
Feb 5, 2019
26
3
3
Tunisie
cPanel Access Level
Root Administrator
Hello, we have a server with several websites that you can use distinctively.
One of the sites has an SSL certificate from cPanel, as shown in the following image.

<image removed by request>

We wanted to install the certificate on another domain, but the process failed. It says:

Primary Domain (No Valid Certificate)

<image removed by request>

This forced us to install a Cloudflare certificate.

Is it possible to solve this problem and install a free SSL certificate from cPanel for the last domain?

Thanks in advance.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
4,812
594
273
cPanel Access Level
Root Administrator
Hey there! There is no reason you couldn't use the free AutoSSL tools for every domain on the machine. cPanel will not overwrite the existing SSL by default, so you would have to remove it before attempting to set up the SSL using cPanel.

If you visit WHM >> Manage AutoSSL you would be able to view the SSL logs to see if there is an issue. You can also run the following command on the server to try and issue just the one certificate, which may give you logs that are easier to read:

Code:
/usr/local/cpanel/bin/autossl_check --user=username
You'll just need to replace the "username" in that command with your actual cPanel username.
 

Radhi

Hi,
I have run the last command and this is the result.

[[email protected]*** ~]# /usr/local/cpanel/bin/autossl_check --user=m***
AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “mzameer”’s domains …
Analyzing “haramain.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Analyzing “legacy.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Analyzing “mazameer.com” (website) …
TLS Status: Defective
Certificate expiry: 6/23/33, 1:38 PM UTC (4,481.05 days from now)
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:19:SELF_SIGNED_CERT_IN_CHAIN).
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
Analyzing “radio.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Analyzing “vb12.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Analyzing “vb2018.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Attempting to ensure the existence of necessary CAA records …
No CAA records were created.
Verifying 10 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 10 domains via DNS CAA records …
“radio.mazameer.com” is managed.
“www.radio.mazameer.com” is managed.
“www.haramain.mazameer.com” is managed.
“vb12.mazameer.com” is managed.
“www.vb12.mazameer.com” is managed.
“haramain.mazameer.com” is managed.
“legacy.mazameer.com” is managed.
“www.legacy.mazameer.com” is managed.
“vb2018.mazameer.com” is managed.
“www.vb2018.mazameer.com” is managed.
All of this user’s 10 domains are managed.
CA authorized: “haramain.mazameer.com”
CA authorized: “www.haramain.mazameer.com”
CA authorized: “legacy.mazameer.com”
CA authorized: “www.legacy.mazameer.com”
CA authorized: “radio.mazameer.com”
CA authorized: “www.radio.mazameer.com”
CA authorized: “vb12.mazameer.com”
CA authorized: “vb2018.mazameer.com”
CA authorized: “www.vb12.mazameer.com”
CA authorized: “www.vb2018.mazameer.com”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 10 of this user’s 10 domains.
Performing HTTP DCV (Domain Control Validation) on 10 domains …
Redirection #1 (radio.mazameer.com): http://radio.mazameer.com/.well-known/pki-validation/D4E37F5A73153FB9304395D9A918494A.txt → https://radio.mazameer.com/.well-known/pki-validation/D4E37F5A73153FB9304395D9A918494A.txt
“cPanel (powered by Sectigo)” forbids DCV HTTP redirections.
Redirection #1 (legacy.mazameer.com): http://legacy.mazameer.com/.well-known/pki-validation/FD9F94CD3432B9AF46907E755F4C5063.txt → https://legacy.mazameer.com/.well-known/pki-validation/FD9F94CD3432B9AF46907E755F4C5063.txt
“cPanel (powered by Sectigo)” forbids DCV HTTP redirections.
Local HTTP DCV error (vb12.mazameer.com): “vb12.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (radio.mazameer.com): The system queried for a temporary file at “https://radio.mazameer.com/.well-known/pki-validation/D4E37F5A73153FB9304395D9A918494A.txt”, which was redirected from “http://radio.mazameer.com/.well-known/pki-validation/D4E37F5A73153FB9304395D9A918494A.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “radio.mazameer.com” resolved to an IP address “104.21.46.3” that does not exist on this server.
Local HTTP DCV error (legacy.mazameer.com): The system queried for a temporary file at “https://legacy.mazameer.com/.well-known/pki-validation/FD9F94CD3432B9AF46907E755F4C5063.txt”, which was redirected from “http://legacy.mazameer.com/.well-known/pki-validation/FD9F94CD3432B9AF46907E755F4C5063.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “legacy.mazameer.com” resolved to an IP address “104.21.46.3” that does not exist on this server.
Local HTTP DCV error (vb2018.mazameer.com): “vb2018.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (haramain.mazameer.com): “haramain.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.vb12.mazameer.com): “www.vb12.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.radio.mazameer.com): “www.radio.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.legacy.mazameer.com): “www.legacy.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.vb2018.mazameer.com): “www.vb2018.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.haramain.mazameer.com): “www.haramain.mazameer.com” does not resolve to any IP addresses on the internet.
Verifying local authority for 10 domains …
No local authority: “legacy.mazameer.com”
No local authority: “vb12.mazameer.com”
No local authority: “haramain.mazameer.com”
No local authority: “vb2018.mazameer.com”
No local authority: “radio.mazameer.com”
No local authority: “www.haramain.mazameer.com”
No local authority: “www.vb2018.mazameer.com”
No local authority: “www.legacy.mazameer.com”
No local authority: “www.radio.mazameer.com”
No local authority: “www.vb12.mazameer.com”
No local DNS DCV is necessary.
Processing “mzameer”’s local DCV results …
Analyzing “haramain.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
Analyzing “legacy.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
Analyzing “radio.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
Analyzing “vb12.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
Analyzing “vb2018.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
The system has completed “mzameer”’s AutoSSL check.
[[email protected]*** ~]#
 

Radhi

Thanks for posting that log file. Can you remove any redirection that may be affecting the .well-known directory and see if that resolves the issue?
Thanks for your reply, but how do I remove the redirection?

Here's the record again.

[[email protected]*** ~]# /usr/local/cpanel/bin/autossl_check --user=mzameer
AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “mzameer”’s domains …
Analyzing “legacy.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Analyzing “mazameer.com” (website) …
TLS Status: Defective
Certificate expiry: 6/23/33, 1:38 PM UTC (4,480.93 days from now)
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:19:SELF_SIGNED_CERT_IN_CHAIN).
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
Analyzing “vb12.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Analyzing “vb2018.mazameer.com” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Attempting to ensure the existence of necessary CAA records …
No CAA records were created.
Verifying 6 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 6 domains via DNS CAA records …
“legacy.mazameer.com” is managed.
“www.legacy.mazameer.com” is managed.
“vb12.mazameer.com” is managed.
“www.vb12.mazameer.com” is managed.
“vb2018.mazameer.com” is managed.
“www.vb2018.mazameer.com” is managed.
All of this user’s 6 domains are managed.
CA authorized: “vb12.mazameer.com”
CA authorized: “www.vb12.mazameer.com”
CA authorized: “legacy.mazameer.com”
CA authorized: “www.legacy.mazameer.com”
CA authorized: “vb2018.mazameer.com”
CA authorized: “www.vb2018.mazameer.com”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 6 of this user’s 6 domains.
Performing HTTP DCV (Domain Control Validation) on 6 domains …
Redirection #1 (legacy.mazameer.com): http://legacy.mazameer.com/.well-known/pki-validation/8D02A2C9490F2A7A857DB1407AEB3DC2.txt → https://legacy.mazameer.com/.well-known/pki-validation/8D02A2C9490F2A7A857DB1407AEB3DC2.txt
“cPanel (powered by Sectigo)” forbids DCV HTTP redirections.
Local HTTP DCV error (vb12.mazameer.com): “vb12.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (legacy.mazameer.com): The system queried for a temporary file at “https://legacy.mazameer.com/.well-known/pki-validation/8D02A2C9490F2A7A857DB1407AEB3DC2.txt”, which was redirected from “http://legacy.mazameer.com/.well-known/pki-validation/8D02A2C9490F2A7A857DB1407AEB3DC2.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “legacy.mazameer.com” resolved to an IP address “104.21.46.3” that does not exist on this server.
Local HTTP DCV error (vb2018.mazameer.com): “vb2018.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.vb12.mazameer.com): “www.vb12.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.legacy.mazameer.com): “www.legacy.mazameer.com” does not resolve to any IP addresses on the internet.
Local HTTP DCV error (www.vb2018.mazameer.com): “www.vb2018.mazameer.com” does not resolve to any IP addresses on the internet.
Verifying local authority for 6 domains …
No local authority: “legacy.mazameer.com”
No local authority: “vb12.mazameer.com”
No local authority: “vb2018.mazameer.com”
No local authority: “www.legacy.mazameer.com”
No local authority: “www.vb12.mazameer.com”
No local authority: “www.vb2018.mazameer.com”
No local DNS DCV is necessary.
Processing “mzameer”’s local DCV results …
Analyzing “legacy.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
Analyzing “vb12.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
Analyzing “vb2018.mazameer.com”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
The system has completed “mzameer”’s AutoSSL check.
[[email protected]** ~]#
 

cPRex

I'm not sure exactly how you would remove the redirection. There are many different ways the site can redirect as that could come from the .htaccess file or within the code itself. If you'd like us to check the machine directly you're always welcome to submit a ticket to our team.
 

Radhi

God bless you brother.
The important thing is, we want a solution for installing a free SSL certificate on the rest of the domains.
What is the solution, I wonder?
Should I create a ticket, or can you tell me something to do to solve this problem?
 

cPRex

I just wanted to follow up to say the HTTPS redirection was happening through Cloudflare as well, which is why this wasn't working properly for a new certificate. After that was disabled, the SSL was issued normally. I'm glad we were able to help track that down.

For other users that may run into a similar issue, we have the following article that provides more details on this:

 
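A small triage parser for autossl_check output like the logs posted in this thread, added here as an example (it is not cPanel's code and not part of any post). It groups HTTP DCV failures per domain into the three causes visible in the log: an HTTP-to-HTTPS redirect, a name with no DNS record, and a name that resolves to an IP address not on the server (as happens behind a proxy such as Cloudflare). The sample log is constructed, using placeholder example.com names and a documentation IP address.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the autossl_check logs above.
# shop.example.com and 203.0.113.10 are placeholders, not values from the thread.
SAMPLE_LOG = """\
Performing HTTP DCV (Domain Control Validation) on 2 domains …
Redirection #1 (shop.example.com): http://shop.example.com/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt → https://shop.example.com/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt
“cPanel (powered by Sectigo)” forbids DCV HTTP redirections.
Local HTTP DCV error (shop.example.com): The web server responded with the following error: 404 (Not Found). The domain “shop.example.com” resolved to an IP address “203.0.113.10” that does not exist on this server.
Local HTTP DCV error (www.shop.example.com): “www.shop.example.com” does not resolve to any IP addresses on the internet.
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
"""

# The arrow between the two URLs is optional so that logs pasted with the
# separator lost (URLs fused together) are still parsed.
REDIRECT = re.compile(
    r"Redirection #\d+ \(([^)]+)\): (https?://\S+?)\s*(?:→\s*)?(https?://\S+)")
NO_DNS = re.compile(
    r"Local HTTP DCV error \(([^)]+)\): .*does not resolve to any\s*IP addresses")
OFF_SERVER = re.compile(
    r"Local HTTP DCV error \(([^)]+)\): .*resolved to an IP address "
    r"“([^”]+)” that does not exist on this server")

def triage(log):
    """Return {domain: [cause, ...]} for every DCV failure found in the log."""
    findings = defaultdict(list)
    for line in log.splitlines():
        if m := REDIRECT.search(line):
            src, dst = m.group(2), m.group(3)
            upgrade = src.startswith("http://") and dst.startswith("https://")
            findings[m.group(1)].append(
                "http_to_https_redirect" if upgrade else "redirect")
        elif m := OFF_SERVER.search(line):
            # DCV request went to another host (CDN/proxy or stale DNS).
            findings[m.group(1)].append(f"resolves_off_server:{m.group(2)}")
        elif m := NO_DNS.search(line):
            findings[m.group(1)].append("no_dns_record")
    return dict(findings)

if __name__ == "__main__":
    for domain, causes in triage(SAMPLE_LOG).items():
        print(f"{domain}: {', '.join(causes)}")
```

A domain reporting both http_to_https_redirect and resolves_off_server matches the situation resolved in this thread, where the redirect was applied at the proxy rather than on the cPanel server.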

Radhi

God bless you.
Thanks for your effort.
 