SSL expired, how to force renewal?

Discussion in 'Security' started by GoWilkes, Jun 24, 2019.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    425
    Likes Received:
    7
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    I have an account with AutoSSL running, but the certificate expired yesterday, anyway:

    AutoSSL last ran on June 24, 2019.
    Expired on June 23, 2019. The certificate will renew via AutoSSL.

    The client is calling me, upset because anyone going to their site now gets an error. How do I force it to renew the certificate NOW instead of waiting until 3am?
     
  2. nixuser

    nixuser Well-Known Member

    Joined:
    May 30, 2014
    Messages:
    112
    Likes Received:
    25
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Tried running it for the user from Manage SSL? Go to Manage AutoSSL and check logs to see what went wrong, if it didn't work.
     
  3. GoWilkes

    The log file didn't have anything unexpected, it just said:

    3:40:57 AM Analyzing “example.com” …
    3:40:57 AM ERROR TLS Status: Defective
    ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (0.68 days from now)
    ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.

    I went under "Manage Users" and clicked to check this domain, generating a new log for it. This one had a new error:

    3:28:54 PM Analyzing “example.com” …
    3:28:54 PM ERROR TLS Status: Defective
    ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (0.81 days ago)
    ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).

    I've been Googling for anything on the OPENSSL_VERIFY error message, but haven't found anything helpful. I can confirm that the domain is in the Pending queue, but that's not going to run for another 9+ hours. The client is already very angry with me because it's had an error all day, and just hanging out for 9 hours is probably going to result in losing them.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,935
    Likes Received:
    485
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Please feel free to open a ticket to cPanel Technical Support. No need to wait if you're having some sort of pressing issue like this.
     
  5. nixuser

    Try removing the old expired SSL and run AutoSSL again.
     
  6. GoWilkes

    @Infopro, I tried to submit a ticket but had an error message. When it got to the point of "Prepare Server for Support" I kept getting an error that said:

    A fatal error or timeout occurred while processing this directive.

    I clicked on Next, anyway, and then got the following error:

    Unhandled exception string: Can't use an undefined value as a HASH reference at /home/support/lib/API/V3/Tickets/Submission.pm line 207.

    It looks like the ticket went through anyway, but there's an estimated time of 22 hours for a reply.

    FWIW, the SSL didn't renew last night, either, so I'm still having the same problem.
     
  7. GoWilkes

    I would, but I can't see any way to do either. How do I delete the SSL and manually force it to create a new one?
     
  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,459
    Likes Received:
    503
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    What's present in WHM>>SSL/TLS>>Manage AutoSSL -> Logs for the account/domain in question?

    Any time a certificate isn't issued prior to the expiration with AutoSSL, it is due to an error.

    What is the ticket ID for your ticket?
     
  9. GoWilkes

    I ran a check on the account, and here's the entire log for it. Note that I have 2 subdomains for the account, and they both renewed just fine; it's only the main account having an issue.

    Code:
    Log for the AutoSSL run for “example”: Tuesday, June 25, 2019 7:36:59 PM GMT-0400 (cPanel (powered by Comodo))
     7:36:59 PM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
     This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
     Checking websites for “example” …
     7:37:00 PM Analyzing “new.example.com” …
     7:37:00 PM SUCCESS TLS Status: OK
     Certificate expiry: 7/26/19, 12:00 AM UTC (30.02 days from now)
     7:37:00 PM Analyzing “example.com” …
     7:37:00 PM ERROR TLS Status: Defective
     ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (1.98 days ago)
     ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
     7:37:00 PM Analyzing “urchin.example.com” …
     7:37:00 PM SUCCESS TLS Status: OK
     Certificate expiry: 7/26/19, 12:00 AM UTC (30.02 days from now)
     7:37:00 PM Performing DCV (Domain Control Validation) …
     7:37:00 PM Local HTTP DCV OK: example.com
     Local HTTP DCV OK: www.example.com (via example.com)
     Local HTTP DCV OK: mail.example.com (via example.com)
     7:37:00 PM Analyzing “example.com”’s DCV results …
     7:37:00 PM AutoSSL will request a new certificate.
     7:37:00 PM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com mail.example.com).
     No CAA record added because there is no CAA record from another provider in the DNS for example.com.
     7:37:01 PM The provider “cPanel (powered by Comodo)”’s AutoSSL queue already contains a certificate request for “example”’s website “example.com”. The request’s start time is Jun 24, 2019, 7:38:02 AM UTC, and its last poll time is Jun 25, 2019, 6:54:07 PM UTC.
     7:37:01 PM The system has completed the AutoSSL check for “example”.

    12682573; someone literally JUST replied and said that cPanel is having an issue connecting with Sectigo servers to perform the DCV check, so the problem appears to be on Sectigo's end. If that's the case then I'm surprised that no one else has reported this issue.

    I may have no choice but to move to Let's Encrypt for the AutoSSL provider. I'm going to wait until 2am, and if I haven't heard anything more then I'll have to do that before going to bed.
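
Added example (not part of any post in this thread, and not cPanel code): a small Python triage over an AutoSSL run log in the format quoted in the post above, flagging a site whose certificate has already expired while its request has sat in the provider queue without being retrieved. The function name `triage`, the 12-hour `max_pending` threshold and the sample log are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, trimmed from the log format quoted in the thread.
SAMPLE_LOG = """\
7:37:00 PM Analyzing “new.example.com” …
7:37:00 PM SUCCESS TLS Status: OK
Certificate expiry: 7/26/19, 12:00 AM UTC (30.02 days from now)
7:37:00 PM Analyzing “example.com” …
7:37:00 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 6/24/19, 12:00 AM UTC (1.98 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
7:37:00 PM Analyzing “example.com”’s DCV results …
7:37:01 PM The provider “cPanel (powered by Comodo)”’s AutoSSL queue already contains a certificate request for “example”’s website “example.com”. The request’s start time is Jun 24, 2019, 7:38:02 AM UTC, and its last poll time is Jun 25, 2019, 6:54:07 PM UTC.
"""

ANALYZING = re.compile(r"Analyzing “([^”]+)” …")  # does not match the "…’s DCV results" line
EXPIRY = re.compile(r"Certificate expiry: .*\(([\d.]+) days (ago|from now)\)")
DEFECT = re.compile(r"Defect: (\w+):")
STAMP = r"(\w{3} \d{1,2}, \d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) UTC"
QUEUED = re.compile(r"website “([^”]+)”\. The request’s start time is " + STAMP
                    + r", and its last poll time is " + STAMP)
STAMP_FORMAT = "%b %d, %Y, %I:%M:%S %p"


def triage(log_text, max_pending=timedelta(hours=12)):
    """Return {domain: status}; max_pending is an assumed threshold, not a cPanel setting."""
    def blank():
        return {"days_left": None, "defects": [], "pending": None}
    sites, current = {}, None
    for line in log_text.splitlines():
        if m := ANALYZING.search(line):
            current = sites.setdefault(m.group(1), blank())
        elif current is not None and (m := EXPIRY.search(line)):
            current["days_left"] = float(m.group(1)) * (-1 if m.group(2) == "ago" else 1)
        elif current is not None and (m := DEFECT.search(line)):
            current["defects"].append(m.group(1))
        elif m := QUEUED.search(line):
            start, poll = (datetime.strptime(g, STAMP_FORMAT) for g in m.group(2, 3))
            sites.setdefault(m.group(1), blank())["pending"] = poll - start
    for site in sites.values():
        expired = site["days_left"] is not None and site["days_left"] < 0
        stale = site["pending"] is not None and site["pending"] > max_pending
        # Expired with a request still unretrieved: the next scheduled run is unlikely to help.
        site["stuck"] = expired and stale
    return sites
```

A site reported as `stuck` is the case in this thread: DCV passes locally, but the queued request never returns a certificate, so escalating or switching provider is quicker than waiting for the next run.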
     
  10. GoWilkes

    Just to update... I had the client call, and they were pretty upset, so I went ahead and moved over to Let's Encrypt. It took about 3 minutes, and now it's all good :)

    For those that read this later and choose to go that route, just SSH to your server as root and use the command:

    Code:
    /scripts/install_lets_encrypt_autossl_provider

    This takes about a minute to run. Then when it's done, log in to WHM and go to "Manage AutoSSL". Under "Providers", select "Let's Encrypt", then "Save". Then go to "Manage Users", select the user that needs an immediate update, and click the "Check 'example'" button next to their username.

    Or, you can click on "Run AutoSSL For All Users" at the top of the page and it will renew certificates for all that are pending.
     
  11. nixuser

    Nice, glad to hear that it was sorted out.
     
  12. cPanelLauren

    Hi @GoWilkes

    I just checked in on that ticket and you were definitely affected by the issue with communicating with Sectigo. I know that this is something to do with a communication error on their end and we've made them aware; we're also working with them to resolve it.

    In the meantime, the workaround is indeed to switch to Let's Encrypt and I'm glad that it worked for you and your clients have gotten their SSLs issued.
     