Sectigo not accepting one-off requests

air-america

Now nice...
Any news on "provider cannot currently accept incoming requests"
This service is the only reason why I kept cPanel, right!


Log for the AutoSSL run for “basesnet”: Wednesday, February 16, 2022 11:39:37 PM GMT-0500 (cPanel (powered by Sectigo))
11:39:37 PM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “basesnet”’s domains …
11:39:37 PM Analyzing “baseballsales.net” (website) …
11:39:37 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 2/17/22, 12:00 AM UTC (0.19 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
11:39:37 PM Attempting to ensure the existence of necessary CAA records …
11:39:37 PM No CAA records were created.
11:39:37 PM Verifying 3 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
11:39:38 PM “mail.baseballsales.net” is managed.
“www.baseballsales.net” is managed.
“baseballsales.net” is managed.
All of this user’s 3 domains are managed.
CA authorized: “baseballsales.net”
CA authorized: “mail.baseballsales.net”
CA authorized: “www.baseballsales.net”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 3 of this user’s 3 domains.
11:39:38 PM Performing HTTP DCV (Domain Control Validation) on 3 domains …
11:39:38 PM Local HTTP DCV OK: baseballsales.net
Local HTTP DCV OK: www.baseballsales.net
Local HTTP DCV OK: mail.baseballsales.net
11:39:38 PM No local DNS DCV is necessary.
11:39:38 PM Processing “basesnet”’s local DCV results …
11:39:38 PM Analyzing “baseballsales.net”’s DCV results …
11:39:38 PM AutoSSL will request a new certificate.
11:39:38 PM The system will attempt to renew the SSL certificate for (baseballsales.net: baseballsales.net www.baseballsales.net mail.baseballsales.net).
11:39:40 PM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.
The system has completed “basesnet”’s AutoSSL check.
 

Kent Brockman

Yes, it becomes annoying several times a week. I just switched back to Let's Encrypt on some servers and it works far better. To those customers needing SSL compatibility on old devices, I simply warned that the free Sectigo service is intermittent and may fail... at any given time. So I now have servers with Let's Encrypt for modern sites, and servers with Sectigo for the oldies.

chalupa

I'm having this issue with one of our customers on multiple servers with multiple domains. These are existing domains having SSLs that are not renewing within the expiration date, and the sites are failing to have an SSL because it doesn't renew before the 15 days of expiry.
/var/cpanel/logs/autossl
grep "provider cannot currently accept incoming requests" 2022-04-*/txt | cut -d: -f1 | uniq -c
21 2022-04-02T02
37 2022-04-03T02
52 2022-04-04T02
58 2022-04-05T02
63 2022-04-06T02
67 2022-04-07T02
71 2022-04-08T02
69 2022-04-09T02
67 2022-04-10T02
59 2022-04-11T02
55 2022-04-12T02
55 2022-04-13T02
53 2022-04-14T02
59 2022-04-15T02

Looks to have started this month, or at least was considerably elevated, as last month there were not as many:
grep "provider cannot currently accept incoming requests" 2022-03-*/txt | cut -d: -f1 | uniq -c | tail -4
1 2022-03-27T02
1 2022-03-28T02

Sectigo AutoSSL has been consistently inconsistent for at least the last few months, and it seems that if you simply renew manually it works most times. That's what this customer has seen, and I've also seen it simply not working where this error wasn't shown, just that the certificate will be issued, but it never is. I gathered the domain names that were having issues and found that the same domains had the same issue up to 22 times:

grep -B1 "provider cannot currently accept incoming requests" 2022-04-*/txt | grep renew | cut -d: -f6- | awk '{print $1}' > /home/temp/ssldomainissues

sort /home/temp/ssldomainissues | uniq -c | sort -rn | head | awk '{print $1}'
22
20
19
19
18
18
18
17
17
16


sort /home/temp/ssldomainissues | uniq -c | sort -rn | wc -l
193

Over 190 different domains.

which of course, if the domain is within 15 days of expiring then. I just tried to renew one of the domains manually and it failed; many do renew.
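A stricter version of the per-domain count in the post above, as an added example that is not part of the original thread: instead of relying on `grep -B1`, it pairs each rejection with the most recent renewal attempt in the same log file. The function names, the example domains and the sample log lines are assumptions constructed from the line shapes shown in the AutoSSL log on this page.

```shell
#!/bin/sh
# Count how often each certificate's renewal request was rejected by the provider.
# Reads AutoSSL log files given as arguments; prints "<count> <primary domain>".
autossl_rejected_counts() {
    awk '
        FNR == 1 { pending = "" }                      # new log file: forget state
        /attempt to renew the SSL certificate for \(/ {
            pending = $0
            sub(/.*certificate for \(/, "", pending)   # drop everything up to "("
            sub(/:.*/, "", pending)                    # keep the name before ":"
            next
        }
        /provider cannot currently accept incoming requests/ {
            if (pending != "") { count[pending]++; pending = "" }
        }
        END { for (d in count) print count[d], d }
    ' "$@" | sort -k1,1nr -k2,2
}

# Print only the domains rejected at least $1 times (candidates for manual renewal).
autossl_repeat_failures() {
    min=$1; shift
    autossl_rejected_counts "$@" | awk -v min="$min" '$1 >= min { print $2 }'
}

# Constructed sample: three runs with one "txt" file each, using example domains.
make_sample_logs() {
    for run in 2022-04-02 2022-04-03 2022-04-04; do
        mkdir -p "$1/$run"
        {
            echo 'The system will attempt to renew the SSL certificate for (shop.example: shop.example www.shop.example).'
            echo 'The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.'
        } > "$1/$run/txt"
    done
    {
        echo 'The system will attempt to renew the SSL certificate for (blog.example: blog.example).'
        echo 'The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.'
    } >> "$1/2022-04-04/txt"
}

sample=$(mktemp -d)
make_sample_logs "$sample"
autossl_rejected_counts "$sample"/*/txt      # per-domain rejection counts
autossl_repeat_failures 3 "$sample"/*/txt    # domains rejected in 3 or more runs
rm -rf "$sample"
```

Comparing the repeat-failure list against certificate expiry dates shows which sites will lose coverage if the provider keeps rejecting requests.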

chalupa

@chalupa - we know exactly why it's happening - Sectigo can't handle the traffic they are receiving. They just aren't fixing things on their end.
Ah shoot. Ok. Yeah I mean, if it failed for a few days and then was ok and clients weren't left without coverage it wouldn't be a big problem but it's unfortunate this service isn't being propped up. Thanks.

WorkinOnIt

I am still getting this issue.

I am switching to Let's Encrypt for the domains that fail, but then I switch back inside the Manage SSL Hosts section, because I am also using the Sectigo cPanel service to renew hostname SSLs etc. My understanding is that cPanel does not allow that with Let's Encrypt. Is there a particular reason why not? Could we not just ditch Sectigo altogether... it seems their service is wholly unreliable...