Seriously, why was AutoSSL changed?

Operating System & Version
CloudLinux 7
cPanel & WHM Version
100.0.10

DennisMidjord

AutoSSL has always been working great. It has had a few minor issues, but ever since October/November, we've had issues with AutoSSL almost daily.

Most of these issues are related to AutoSSL not being able to issue a certificate for a domain/subdomain that doesn't exist. This makes sense, but it has worked for years before October/November. I don't know whether AutoSSL automatically excluded the domain or if it was just ignored, but it worked without problems.

In one case, a client was trying to run AutoSSL for an addon domain that had a subdomain: subdomain.example.com
This subdomain had a valid A record that pointed to the cPanel server.
Because this subdomain was added through cPanel, cPanel also added www.subdomain.example.com - this does not have any DNS records whatsoever.

AutoSSL has been failing to renew the certificate since January 7th 2022 (52 days ago) and kept failing.
Code:
9:12:16 PM Analyzing “subdomain.example.com” (website) …
9:12:16 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 1/7/22, 12:00 AM UTC (52.84 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
...
...
9:12:44 PM Analyzing “subdomain.example.com”’s DCV results …
9:12:44 PM AutoSSL will request a new certificate.
9:12:44 PM The system will attempt to renew the SSL certificate for (subdomain.example.com: subdomain.example.com www.subdomain.example.com).
9:12:47 PM The cPanel Store received “subdomain.example.com”’s certificate order. (Order Item ID: 1523412849) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
The system has completed “username”’s AutoSSL check.
9:14:02 PM Polling for “username”’s new certificate for “subdomain.example.com” (order item ID “1523412849”) …
9:14:03 PM The certificate is not available. (processing)
As you can see, AutoSSL included www.subdomain.example.com. It would keep looking and get back to "The certificate is not available". The certificate has always been able to be renewed, up until October/November - even though no DNS record has ever existed for www.subdomain.example.com.

As soon as I excluded www.subdomain.example.com from AutoSSL, the certificate was installed on the first try.

I would guess this is the problem of 99% of the cases we have where AutoSSL is failing to renew/install a certificate.

What has happened?
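The check described in the post above, as an added example that is not part of the original post and not cPanel's code: it reads the hostnames AutoSSL put into a renewal request from the log and flags those with no DNS records or with records pointing away from the server. The function names, the sample address 192.0.2.10 and the injectable `resolve` callback are assumptions; the log sample is constructed from the lines quoted in the post.

```python
import re
import socket

# Constructed sample, modelled on the AutoSSL log lines quoted in the post.
SAMPLE_LOG = """\
9:12:44 PM AutoSSL will request a new certificate.
9:12:44 PM The system will attempt to renew the SSL certificate for (subdomain.example.com: subdomain.example.com www.subdomain.example.com).
9:12:47 PM The cPanel Store received “subdomain.example.com”’s certificate order. (Order Item ID: 1523412849)
9:14:03 PM The certificate is not available. (processing)
"""

# "... for (<website>: <name> <name> ...)." as it appears in the log.
RENEW_RE = re.compile(r"renew the SSL certificate for \((\S+): ([^)]+)\)")

def requested_names(log_text):
    """Map each website to the hostnames included in its certificate request."""
    return {m.group(1): m.group(2).split() for m in RENEW_RE.finditer(log_text)}

def system_resolver(name):
    """Addresses the local resolver returns for name (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def dcv_blockers(log_text, server_ips, resolve=system_resolver):
    """List (website, hostname, reason) for names likely to hold up the order."""
    problems = []
    for site, names in requested_names(log_text).items():
        for name in names:
            addrs = resolve(name)
            if not addrs:
                problems.append((site, name, "no DNS records"))
            elif not addrs & set(server_ips):
                # Heuristic only: a proxied name may still reach this server.
                problems.append((site, name, "resolves elsewhere"))
    return problems

if __name__ == "__main__":
    # Constructed DNS view: only the bare subdomain has an A record.
    fake_dns = {"subdomain.example.com": {"192.0.2.10"}}
    lookup = lambda n: fake_dns.get(n, set())
    for site, name, reason in dcv_blockers(SAMPLE_LOG, {"192.0.2.10"}, lookup):
        print(f"{site}: fix DNS for or exclude {name} ({reason})")
```

Called without the `resolve` argument, `dcv_blockers` uses the system resolver, so run it from a host whose DNS view matches the public one.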
 

cPRex

Jurassic Moderator
Staff member
Hey there! Unfortunately, this one wasn't up to us. The SSL providers implemented stricter verification processes around the time you mention. Some additional details on that can be found here:


but let me know if you have questions.
 

cPRex

While that would be possible, that isn't the spirit of what AutoSSL is for. AutoSSL is designed to cover every domain that is configured on the server-side, not just the ones that pass DCV. It's important for those checks to take place as-is so they can alert server managers about potential issues.