Service SSL Certificates expire in 11 days, but not auto renewing

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
v100.0.3

qcomber

Member
Nov 10, 2015
19
2
53
London
cPanel Access Level
Root Administrator
I'm receiving daily emails saying that the cPanel service certificates are due to expire on the 11/28/21:
'You need to install a new certificate as soon as possible. You can do this with WHM’s “Manage Service SSL Certificates” interface at
https://host.name.com:2087/scripts2/manageservicecrts.

Going to this page in WHM, it shows that the currently installed certs are:
  • Issued by cPanel
  • RSA, 2,048-bit
  • Valid, i.e. the hostname resolves to the correct IP and a reverse lookup on the IP resolves to the hostname
  • Shows the orange/yellow triangle warning: 'This certificate will expire in 11 days. Contact your Certificate Authority (cPanel, Inc.) to request a certificate renewal.'
  • We have a valid cPanel license, but there was an issue with this a few days ago due to what appeared to be an conflict caused by upcp - this needed to be resolved by running /scripts/check_cpanel_rpms --fix then /usr/local/cpanel/cpkeyclt.
The page at Manage Service SSL Certificates | cPanel & WHM Documentation states that cPanel issues free certs for these host services and that upcp should auto install a new cert if they are due to expire within 25 days. However, after 'Processing command `/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose`' the upcp logs state '[2021-11-11 03:30:37 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The “exim” service’s certificate will expire soon (Nov 28, 2021). If this certificate remains installed on Nov 25, 2021, the system will attempt to replace it.'

On other machines I have running cPanel, these service certs seem to get updated automatically without the service certificate expiry emails being sent. I'm concerned that there's something stopping auto renewal and they will not renew even after the 25th.

Please advise.
 
Last edited by a moderator:

qcomber

Member
Nov 10, 2015
19
2
53
London
cPanel Access Level
Root Administrator
I just found this: https://support.cpanel.net/hc/en-us...ates-are-renewed-three-days-before-expiration

This looks like the problem - case number is COBRA-13510 - When /usr/local/cpanel/bin/checkallsslcerts runs it thinks cPanel provided hostname certificates are third-party SSL certificates, which causes the SSL to be renewed three days prior to expiration.

Should I follow the instructions in the workaround ie. run the three commands?
OR
Should I wait until 3 days before expiry?
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
583
54
103
Houston, TX
cPanel Access Level
Root Administrator
I just found this: https://support.cpanel.net/hc/en-us...ates-are-renewed-three-days-before-expiration

This looks like the problem - case number is COBRA-13510 - When /usr/local/cpanel/bin/checkallsslcerts runs it thinks cPanel provided hostname certificates are third-party SSL certificates, which causes the SSL to be renewed three days prior to expiration.

Should I follow the instructions in the workaround ie. run the three commands?
OR
Should I wait until 3 days before expiry?
Hello! Upon reviewing, either option should be fine. The certificates should renew at three days, but you can do the workaround if you want to get this done early and not have to worry.
 

dexus

Well-Known Member
Jan 14, 2006
181
11
168
cPanel Access Level
Root Administrator
I do not understand why is SSL renewal period now lowered to less than 3 days. It should be at least 7 days, or better 15 days.
 

qcomber

Member
Nov 10, 2015
19
2
53
London
cPanel Access Level
Root Administrator
Hello! Upon reviewing, either option should be fine. The certificates should renew at three days, but you can do the workaround if you want to get this done early and not have to worry.
It's now Nov 25th and upcp ran this am at 03:30. Almost as expected, the service SSL certs *have not* been auto renewed. Pls see the log entries:
[2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will check for the certificate for the “exim” service.
[2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
[2021-11-25 03:30:31 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The “exim” service’s certificate will expire soon (Nov 28, 2021). If this certificate remains installed on Nov 25, 2021, the system will attempt to replace it.
[2021-11-25 03:30:31 +0000] - Finished command `/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose` in 0.402 seconds
[2021-11-25 03:30:31 +0000] Processing: Purging invalid or soon-to-expire Domain TLS entries for service domains
[2021-11-25 03:30:31 +0000] 62% complete

These appear to say that it has recognised the cert is expiring on the 28th and if it remains installed on the 25th it will try to replace it. This log entry is on the 25th and I can confirm the cert has not been auto updated.

I'm therefore forced into the workaround in my last post. I'm very wary of this as if there are any issues we may end up with no certificates on multiple live services.
 

qcomber

Member
Nov 10, 2015
19
2
53
London
cPanel Access Level
Root Administrator
I decided not to proceed with the work around until the weekend to mitigate the risk of interruption to multiple live services which are in constant use.

However, during last night's upcp the system did actually attempt the auto-update, hooray! It seems like cPanel need to look at the date conditions in upcp as they obviously don't match the logs or auto gen emails sent.

*BUT* the logs returned:
[2021-11-26 03:30:27 +0000] - Processing command `/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose`
[2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will check for the certificate for the “cpanel” service.
[2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
[2021-11-26 03:30:28 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to replace the certificate for the “cpanel” service with a signed certificate from the cPanel Store because the current certificate expires in less than 2 days.
[2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
.
.
.
.
[2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] Succeeded domains: 8
[2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] Failed domains: 0
[2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] Requesting certificate from cPStore …
[2021-11-26 03:30:33 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

Please can someone confirm whether the cPanel Store is down?

If so then the workaround in my earlier post will not work - it uses /usr/local/cpanel/bin/checkallsslcerts...

EDIT 1: Or maybe this is related to the license issue I mentioned in my first post. This should not be the case as WHM is now working. I've also checked 'Server Configuration -> WHM Marketplace' and the license status is 'Active' AND the server's primary IP works in cPanel & WHM License Verification | cPanel, L.L.C..

EDIT 2: Progress, well maybe... I updated the cron to run upcp now and not at 3:30 in the am. See log:
[2021-11-27 00:24:56 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to replace the certificate for the “exim” service with a signed certificate from the cPanel Store because the current certificate expires in less than 2 days.
[2021-11-27 00:24:56 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will attempt to install a certificate for the “exim” service from the system ssl storage.
[2021-11-27 00:24:56 +0000] [/usr/local/cpanel/bin/checkallsslcerts] None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
[2021-11-27 00:24:56 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The cPanel Store is processing the hostname certificate request.
[2021-11-27 00:24:56 +0000] [/usr/local/cpanel/bin/checkallsslcerts] The system will check the cPanel Store again in an hour to see if the cPanel Store issued the certificate.
[2021-11-27 00:24:56 +0000] - Finished command `/usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose` in 79.331 seconds

The log suggest that the cPanel Store has now been successfully contacted (ie it's not down or blocked) and the new cert has been ordered, but it needs to check back with the store "in an hour" to see if it's been issued?
 
Last edited:

qcomber

Member
Nov 10, 2015
19
2
53
London
cPanel Access Level
Root Administrator
After my last post, I reset the upcp cron to run at 3:30am. I received the dreaded 'The SSL certificate for “cpanel” on “host.name.com” will expire in less than 30 days.' at 03:31.

BUT, something has auto-installed the certs - WHM Manage Service SSL Certificates screen now shows they are set to expire 2/26/22. The upcp log from 03:30 doesn't confirm successful installation of new certs specifically, but it also doesn't mention retrying the store in an hour, so maybe it was that, but if so then why send the email?

What a seat of the pants palaver. Hopefully cPanel can get COBRA-13510 resolved before 26th Feb next year to avoid a month of bricking it to a last minute crescendo - well last few hours.

For peace of mind I'm considering a third party wildcard cert with a longer term expiry. Can anyone advise/recommend?
 
Last edited:

Gingerweb

Member
May 14, 2013
5
0
51
cPanel Access Level
Website Owner
I have had exactly the same issue, mine were due to expire tomorrow and hadnt renewed 3 days before so i ran:

/usr/local/cpanel/bin/checkallsslcerts

which i got from https://support.cpanel.net/hc/en-us...free-SSL-Certificate-on-the-server-s-hostname

i got this "receipt"

Requesting certificate from cPStore …
Order submitted. (Order item ID: 1349350401)

The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.

this reinstalled "self signed certificates" just over 10 hours ago and they are still all i have got so all my accounts are getting certificate errors, how long will the proper certs take to be installed please?
 

Gingerweb

Member
May 14, 2013
5
0
51
cPanel Access Level
Website Owner
Disappointed no reply from Cpanel, we had to buy a replacement SSL certificate for the Cpanel server and install it, i thought these were automatically sorted. Nightmare few days with cert warnings
 

galileuNet

Registered
Nov 30, 2021
2
0
1
--
cPanel Access Level
Root Administrator
Hello,
I have the same problem.
For us, and according cPanel supportthe problem is related to recent domain control validation requirements of cPanel free hostname certificate provider, Sectigo. The new requirements essentially dictate that the server be authoritative for the hostname's DNS, and that HTTP DCV validation will no longer function as it used to. More information in this link: Free hostname certificates remain in the pending queue

Internal case mentioned in the article, CPANEL-39321, will -not- allow HTTP DCV to work as it used to. The fix for the internal case will simply prevent cPanel's side of things from checking HTTP DCV at all, as it will not pass due to Sectigo's new requirements.

The only known workaround at this time is to ensure your cPanel server is authoritative for the hostname's DNS.

Modifications to Available File-Based Methods of Domain Control Validation

This is all I Know

A solution maybe, it's add NS record pointing to server subdomain (if your register company can), (host IN NS ns.name.com) This will make your cPanel server authoritative for the subdomain.

If not works, the last solution is install a third part certificate
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
583
54
103
Houston, TX
cPanel Access Level
Root Administrator