Sectigo issues partial SSL certificate (only some of the hosts for the subdomain)

swbrains

Well-Known Member
Sep 13, 2006
240
34
178
I have AutoSSL enabled and for years it has worked properly. No recent changes to configuration on my end. Yesterday a new account was created with a subdomain of our primary domain (all new accounts start as subdomains of our domain on our hosting platform). Sectigo/cPanel did the AutoSSL check after the account was created and in the AutoSSL log it says:

Code:
8:47:39 PM AutoSSL will request a new certificate.
8:47:39 PM The system will attempt to renew the SSL certificates for (xxxxxxx.yyyyyyyy.com:  www.xxxxxxx.yyyyyyyy.com mail.xxxxxxx.yyyyyyyy.com...
(plus many other hosts at this subdomain)

But then the log later reports:
Code:
8:47:42 PM The cPanel Store received “m.xxxxxxx.yyyyyyyy.com”’s certificate order. (Order Item ID: 1360327337) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
8:47:44 PM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.
The system has completed “yyyyyyyy”’s AutoSSL check.
8:48:02 PM Polling for “yyyyyyyy”’s new certificate for “m.xxxxxxx.yyyyyyyy.com” (order item ID “1360327337”) …
8:48:03 PM The certificate is available.
Installing “m.xxxxxxx.yyyyyyyy.com”’s new certificate …
So it received and installed a certificate, but the cert only has two of the hosts for the subdomain, even though it requested a larger number of hosts for this subdomain, which are all listed in the AutoSSL log file record for the initial request.

So now this site has SSL installed, but it's only partial and the site issues browser errors like 404s or security warnings that the site is insecure because the main subdomain URL isn't secured by the partial cert that was installed.

A couple of days ago this process worked fine and requested/installed a valid cert for all requested hosts for a new subdomain account. No changes were made on my part to the server or AutoSSL configuration.

It also seems like Sectigo/cPanel is taking longer to obtain the certificate now, as evidenced by the "cannot currently accept incoming requests..." message, which didn't appear in the past.

This is a blocking issue as we can no longer accept new hosting accounts unless we can be sure that Sectigo/cPanel will issue valid (i.e. not partial) SSL certificates, and in a timely manner.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,051
106
118
Houston, TX
cPanel Access Level
Root Administrator
This issue is now being tracked in the following thread.