cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
11,895
1,068
313
Houston
So, are you saying that all cPanel servers should have this resolved by now? ("This is related to a CA Root certificate expiring, and these issues should be resolved at this time.") I see no issues on my server's performance (in modern browsers), nor with AutoSSL, nor errors reported when running AutoSSL for all users, but I did notice when FTPS started to fail connections if the client didn't like the certificate chain having an expired cert in it. I can work around that, but isn't the issue of the expired cert in the chain still present? ( https://whatsmychaincert.com/?cpanel.net )

If so, would the solution be to change the cert chain on the server, or are we awaiting an upstream fix to resolve this?

If it is something we can do, where would it be done? (Home » Service Configuration » Manage Service SSL Certificates, Home » SSL/TLS » SSL Storage Manager, or ???)

Please give us clear advice as to whether and how we should take action or wait for an upstream solution.

-Pete
As I said in my initial response, if you have a cert affected by this and you need to resolve it immediately, you can rerun AutoSSL; it will detect the expired CA Root and regenerate the cert with the non-expired CA Root Certificate. The only issue with that was the fact that Sectigo became overwhelmed by the number of requests it was receiving. We have completed work on an AutoFixer script for this at this time that will automatically update the CA Root Cert on affected SSL certificates. This can be run with the following:

Code:
/scripts/autorepair update_sectigo_cabundles
And is detailed in the documentation link I sent with my response: SSL Certificates Showing as Expired

Please let me know if there are still uncertainties on what you should or need to do to resolve this.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
11,895
1,068
313
Houston
We are seeing issues related to on-server applications trying to send mail and being unable to connect with the mail server "error establishing ssl connection: certificate verify failed". All of the mitigation suggestions have already been tried. This doesn't appear to be an AutoSSL issue at this point, it is an OpenSSL issue.
Did you follow the suggested steps to resolve the issues with your certificates (if they were issued prior to May 1st), including your hostname certificate?
 

PeteS

Well-Known Member
Jun 8, 2017
189
35
28
Oregon
cPanel Access Level
Root Administrator
Actually, the link to SSL Certificates Showing as Expired was not above anywhere that I can see. But that did it! :)

The second command was what I needed (/usr/local/cpanel/bin/checkallsslcerts --force). The first had already been run automatically (same as running AutoSSL for all users in WHM, I suspect).

Now the server certificate chain is 100% good.

Thanks!

-Pete
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
11,895
1,068
313
Houston
That's my mistake. At the time of the original writing, all we had was "AutoSSL Runs not Completing - cPanel (powered by Sectigo) cannot currently accept incoming requests", but the new article that I linked is more detailed on the issue and was put out AFTER I wrote the response.

I'm glad that fixed the issue! There's also the official announcement thread on this that may be useful to follow if you continue to have issues with this as well, "Intermediary CA Certificate Expiration", though I don't anticipate that.
 

vikins

Well-Known Member
Oct 3, 2006
120
1
168
I tried many things, but I think the one that did it was that I found some files in ~username/ssl/certs for the account that was having this specific problem. At the time I wasn't sure if this was happening server-wide; I knew of the issue specifically with one account and was scrambling to get that solved. Once I renamed that directory and restarted appropriate server processes, the issue resolved. The certs directory was recreated but is now empty. The files in that directory were over 10 years old and some of them were cabundles. It's been so long that I no longer know why those files were there in the first place. But this appears to have been the issue. All seems fine now.
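
Added example (not part of the thread and not cPanel's own tooling): a shell function that lists which certificates inside a PEM bundle are expired or about to expire, which is the check behind both the "expired cert in the chain" question and the stale cabundle files described above. The function names and the throwaway self-signed certificates are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example, not cPanel code. Function names are hypothetical.

# expiring_certs BUNDLE [SECONDS]
# Prints "notAfter=... subject=..." for every certificate in the PEM BUNDLE
# whose notAfter falls within SECONDS from now (default 0 = already expired).
expiring_certs() {
    local bundle="$1" window="${2:-0}" tmp cert
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmp"/*.pem; do
        [ -e "$cert" ] || continue    # the bundle held no certificates
        # -checkend exits non-zero when the cert expires within the window.
        if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
            openssl x509 -in "$cert" -noout -enddate -subject 2>/dev/null | paste -sd' ' -
        fi
    done
    rm -rf "$tmp"
}

# Constructed sample input: a bundle of two throwaway self-signed certificates,
# one valid for 1 day and one for 10 years (stand-ins for a stale and a
# current CA certificate). Writes DIR/bundle.pem.
make_constructed_bundle() {
    local dir="$1" spec name days
    : > "$dir/bundle.pem"
    for spec in constructed-short:1 constructed-long:3650; do
        name=${spec%%:*}; days=${spec#*:}
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
            -out "$dir/$name.pem" -days "$days" -subj "/CN=$name" 2>/dev/null || return 1
        cat "$dir/$name.pem" >> "$dir/bundle.pem"
    done
}
```

Run `expiring_certs` with no second argument against a cabundle file, for example one found under ~username/ssl/certs, to list only certificates that have already expired.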