Bdzzld

Well-Known Member
Apr 3, 2004
412
5
168
Last night the server's main SSL certificate (let's call it server.domain.ext) was automatically renewed. I used to receive an e-mail after this was done in the past, but for some reason these e-mails are no longer sent out. Is this new/normal?
The server's main SSL certificate is set up as "Shared server certificate" but for some reason that certificate is not being renewed and still shows the old one in WHM (under [Manage SSL Hosts]). How does one renew this "Shared servers certificate"? Is this the proper way?

1) WHM>>SSL/TLS>>Manage SSL Hosts : Click [Delete] after the row for (www.)server.domain.ext
2) WHM>>SSL/TLS>>Install An SSL Host : Enter server.domain.ext in the domain field and press [autofill by domain]. Let WHM autofill everything and press [install] afterwards

If that's the proper way, that's not that user friendly and not that logical at all.

Ain't it an idea to let WHM install the new SSL certificate for server.domain.ext once it gets renewed if it's set up as "Shared server certificate" as well?

Thanking you in advance.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
The "Shared Server Certificate" portion hasn't been a part of WHM's Manage SSL Hosts since v74 and is no longer used; the certificate there covers the hostname over Apache. The issue you're running into is due to the fact that the Service SSL certificate only covers the following services when automatically installed:

Dovecot Mail Server
cPanel and WHM Services as well as cPanel, WebDisk, Webmail
Exim Server
FTP Server

You can also use the certificate for Apache, and if you'd like to do so you need to install it on Apache by going to WHM>>SSL/TLS>>Install an SSL certificate on a domain.


As far as the notification goes, the system should still be notifying as a part of the checkallsslcerts process. You might check the cPanel error logs to determine if a notification was sent out when the SSL was renewed.
 

Bdzzld

Dear @cPanelLauren :

Thanks for clearing things up.

As far as I can tell the "shared ssl certificate" portion has been replaced by "set as primary". But they are exactly identical, right?

I've already tried adding the SSL certificate via "Install an SSL" but then an error appears that there's already an SSL certificate present for that domain name. That's indeed the case, but it does not ask if you would like to overwrite the old certificate with the newer one. Therefore I assume it must be manually deleted first in "Manage SSL Hosts" (step 1). I'd just like it to be confirmed.

It appears that you do not receive an e-mail about the server's SSL certificate being renewed if you've the Admin notifications set to "Notify the administrator for AutoSSL certificate request failures, warnings, and deferrals." in "AutoSSL"'s options tab. There's no option to differentiate between the global annual renewal or renewal of client's domain names by AutoSSL.

Thanking you in advance.
 

cPanelLauren

> As far as I can tell the "shared ssl certificate" portion has been replaced by "set as primary". But they are exactly identical, right?

The Make Primary function is explained as: Whether the website is the IP address's designated primary website for HTTPS.

This existed in v74 as well. The primary function of the Shared SSL was for mod_userdir:

> Shared SSL Certificate
> This section of WHM allows you to share an SSL certificate. Your customers can use a shared SSL certificate to access your website via the mod_userdir module. For more information about the mod_userdir module, read our Apache mod_userdir Tweak documentation.
>
> To share an SSL certificate, select the desired certificate from the You may select a different shared SSL certificate below menu and click Share. The system will redirect you to a new interface that contains a confirmation message.

> I've already tried adding the SSL certificate via "Install an SSL" but then an error appears that there's already an SSL certificate present for that domain name.

On a v80 server I was not able to replicate the issue you were experiencing with installing an SSL for Apache through WHM when one was already present:
Code:
SSL Host Successfully Installed
You have successfully configured SSL.

The SSL website is now active and accessible via HTTPS on this domain:

server.domain.tld
The SSL certificate also supports this domain, but this domain does not refer to the SSL website mentioned above:
www.server.domain.tld
Click “OK” to reload this page.

> It appears that you do not receive an e-mail about the server's SSL certificate being renewed if you've the Admin notifications set to "Notify the administrator for AutoSSL certificate request failures, warnings, and deferrals." in "AutoSSL"'s options tab. There's no option to differentiate between the global annual renewal or renewal of client's domain names by AutoSSL.

That is quite odd, as the process to install a hostname SSL is actually completely different than the one that is completed for AutoSSL; the two of them are unrelated. The notification that goes out when an SSL is provisioned for the hostname originates from /usr/local/cpanel/bin/checkallsslcerts as opposed to the one being issued for AutoSSL, which is modifiable in a few different places (contact manager, tweak settings for example). It's possible this was an old issue that is fixed in newer versions as well.
 

Bdzzld

@cPanelLauren :

The server is running the latest version of WHM (80.0.18) and the server's FQDN has been set as primary domain name:
[Screenshot: upload_2019-6-24_11-20-7.png]

The error you're unable to replicate is the following:
[Screenshot: upload_2019-6-24_11-21-23.png]

With kind regards.
 

cPanelLauren

Hi @Bdzzld

It looks like that SSL certificate you have installed on the hostname is still valid until 7/15/19 which is most likely why it's indicating you already have an SSL installed.
 

Bdzzld

@cPanelLauren :
1) I'd like to install the new SSL certificate before the old one is expired. I'd like to know if that's done by first deleting the older one and then installing the new one. Just to be sure!
2) Which log should I look into to see why I did not receive an e-mail with the new SSL certificate? If that's an issue, then that's still there as this server is running the latest version.
 

cPanelLauren

In this instance it would seem that you'd need to remove the valid certificate before installing another one. Out of curiosity, is the hostname on the other certificate different than the current hostname and what you're installing the certificate for? Or does the new certificate include a different SAN (domain or Subject Alternate Name)? It might further explain why you're being requested to remove the other certificate first.

To find out whether or not the email was sent, you should be able to see in the cPanel error logs. You might also check the exim logs to see all email sent to the email account you have set for admin emails.
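
Added example (not part of the original posts and not cPanel's own tooling): one way to run the Exim log check suggested above is to pair each message's arrival line with its delivery lines and list what was queued for the admin address. The log lines, addresses and subjects below are constructed, and the code assumes subject logging (T="...") is enabled; on a cPanel server the main log is normally /var/log/exim_mainlog.

```python
import re

# Constructed sample in Exim main-log format; IDs, addresses and subjects are
# made up for illustration and do not come from the server in this thread.
SAMPLE_LOG = '''\
2019-06-23 03:12:45 1hezAb-0004Xy-7Q <= root@server.domain.tld U=root P=local S=1843 T="SSL certificate installed (constructed subject)" for admin@example.com
2019-06-23 03:12:46 1hezAb-0004Xy-7Q => admin@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.10] C="250 OK"
2019-06-23 03:12:46 1hezAb-0004Xy-7Q Completed
2019-06-23 04:00:01 1hezBc-0004Zz-9R <= root@server.domain.tld U=root P=local S=912 T="Disk usage warning (constructed subject)" for admin@example.com
2019-06-23 04:00:02 1hezBc-0004Zz-9R == admin@example.com R=dnslookup T=remote_smtp defer (-44): SMTP error (constructed)
2019-06-24 01:30:10 1hezCd-0005Aa-1S <= user@client.example U=user P=local S=500 T="Hello" for friend@elsewhere.example
2019-06-24 01:30:11 1hezCd-0005Aa-1S => friend@elsewhere.example R=dnslookup T=remote_smtp H=mx.elsewhere.example [192.0.2.20] C="250 OK"
'''

# timestamp, message id, event flag, remainder of the line
LINE = re.compile(r'^(\S+ \S+) (\S+) (<=|=>|->|==|\*\*) (.*)$')
SUBJECT = re.compile(r'T="((?:[^"\\]|\\.)*)"')
STATUS = {"=>": "delivered", "->": "delivered", "==": "deferred", "**": "failed"}

def admin_mail(log_text, admin, subject_hint=""):
    """Return one record per message queued for `admin`, with its last status."""
    messages = {}                      # message id -> record, in arrival order
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                   # "Completed" and other non-event lines
        when, msg_id, flag, rest = m.groups()
        if flag == "<=":
            # Recipients follow the final " for " on an arrival line.
            rcpts = rest.rsplit(" for ", 1)[1].split() if " for " in rest else []
            if admin in rcpts:
                subj = SUBJECT.search(rest)
                messages[msg_id] = {"time": when, "id": msg_id,
                                    "subject": subj.group(1) if subj else "",
                                    "status": "no delivery logged"}
        elif msg_id in messages and admin in rest.split(" R=", 1)[0]:
            # Delivery, deferral or failure for the admin address itself.
            messages[msg_id]["status"] = STATUS[flag]
    hint = subject_hint.lower()
    return [r for r in messages.values() if hint in r["subject"].lower()]

if __name__ == "__main__":
    for rec in admin_mail(SAMPLE_LOG, "admin@example.com"):
        print(rec["time"], rec["id"], rec["status"], "|", rec["subject"])
```

An empty result for the renewal window means no message for that address was ever queued, which points at the notification not being generated rather than at a delivery problem.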
 

Bdzzld

@cPanelLauren :
Nope, just the SSL certificate (for both server.domain.tld and www.server.domain.tld) issued annually by cPanel Certification Authority. The almost expired one is the one issued last year (which was normally received by e-mail).
 

cPanelLauren

I just went back and looked at my emails for when I initially obtained the certificate for the hostname. Do you know if the last time the certificate was installed was during the original (not a reissue but on the creation of the server)?


The point of that being that the only time I have found that email is sent is when cPanel is initially installed or if the hostname changes; reissues are not receiving the email.
 

cPanelLauren

Feel free to open a ticket using the link in my signature, if you'd like for us to look more in-depth into what's occurring as there's really only so much I can suggest without access to the system. Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!