sajithgsm

Well-Known Member
Jun 9, 2020
48
10
83
Sri Lanka
cPanel Access Level
Root Administrator
Hi,
Since today, I'm getting this error on each cpanel.

The certificate has the following errors: Certificate #4 (CN=DST Root CA X3,O=Digital Signature Trust Co.) has 1 validation error: CERT_HAS_EXPIRED.

how can I fix this?

But when I go to the SSL / TLS Status, its showing very normal and in browsers, SSL green lock also working very fine.

Do you have any idea how to fix this?
I'm using Lets Encrypt SSL.
 
Last edited:

mtindor

Well-Known Member
Sep 14, 2004
1,417
82
178
inside a catfish
cPanel Access Level
Root Administrator
Same here. On all domains on the server.

For instance, if I go to MyDomain Login, it should redirect to https://www.mydomain.com:2083 with a valid SSL certificate for www.mydomain.com. However, that is not working. Same thing with all webmail / cpanel and dovecot / exim certs tied to individual domains.

Basically none of the SSL certs are working EXCEPT for customer websites -- The certs seem to be working on all of hte customer websites. But not for email (dovecot / Exim) or cPanel services ( webmail, cpanel, etc)

Just started getting reports within the past hour or so.

Basically, dovecot/exim and /cpanel and /webmail etc are ONLY using/seeing the primary server hostname SSL certificate. They are not seeing/using the customer-domain-specific SSLs for those services like they should be.

Mike
 
  • Like
Reactions: sajithgsm

smurf

Well-Known Member
Jun 4, 2009
51
9
58
Let's Encrypt Root CA X3 expiry is the issue. LE announced it in April 2021:

 
  • Like
Reactions: sajithgsm

sajithgsm

Well-Known Member
Jun 9, 2020
48
10
83
Sri Lanka
cPanel Access Level
Root Administrator
Let's Encrypt Root CA X3 expiry is the issue. LE announced it in April 2021:

Do you have any easy method to fix this on WHM?
 

mtindor

Well-Known Member
Sep 14, 2004
1,417
82
178
inside a catfish
cPanel Access Level
Root Administrator
cPanel support has told us it's a CloudLinux issue, are you running CloudLinux too ?
I am running CL. CL6 ELS on the affected server. Although I have two other CL6 ELS servers not affected (thus far) and a CL8 server not affected (thus far).

All of my CL6 ELS servers are running:

Sep 20 11:35:32 Updated: openssl-1.0.1e-62.el6.cloudlinux.els.x86_64
Sep 20 11:35:33 Updated: openssl-devel-1.0.1e-62.el6.cloudlinux.els.x86_64
Sep 24 11:35:33 Updated: 1:ea-openssl11-1.1.1l-1.el6.cloudlinux.x86_64
Sep 24 11:35:34 Updated: 1:ea-openssl11-devel-1.1.1l-1.el6.cloudlinux.x86_64
 

mtindor

Well-Known Member
Sep 14, 2004
1,417
82
178
inside a catfish
cPanel Access Level
Root Administrator
CloudLinux checked the ca-certificates package but it's up to date on our CloudLinux 7 server :

Code:
rpm -qa ca-certificates
ca-certificates-2021.2.50-72.el7_9.noarch
Three CL6 ELS servers:
ca-certificates-2020.2.41-65.1.el6_10.noarch

One CL8 server:
ca-certificates-2021.2.50-80.0.el8_4.noarch

So far (knock on wood) only one of my four servers is affected (a CL6 ELS box). But who knows if more/all will be affected eventually.
 

mtindor

Well-Known Member
Sep 14, 2004
1,417
82
178
inside a catfish
cPanel Access Level
Root Administrator
I've got a ticket open with the DC, and with CL (because cPanel is not providing the CL license for this particular server and insists that I open tickets with everyone else first, and them as a last resort).
 

quietFinn

Well-Known Member
Feb 4, 2006
1,394
179
193
Finland
cPanel Access Level
Root Administrator
I switched from Let's Encrypt to Sectigo, ran Upgrade to Latest Version and then Run AutoSSL For All Users. After that it seems to be working.
CloudLinux 6 & 7 servers.