Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SSL Notifications in cPanel 68

Discussion in 'General Discussion' started by rodpascoe, Oct 19, 2017.

  1. rodpascoe

    rodpascoe Member

    Joined:
    Aug 12, 2012
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    [Moderator Note]

    Here's the most recent update on this topic for anyone visiting this thread for the first time:

    [End Moderator Note]


    Hello, I hope someone can help me.

    I upgraded to cPanel 68 and the instant I did so (and every day since) all my users have started receiving autoSSL error emails like this one :-

    Code:
    exampledomain.co.uk: The AutoSSL certificate expires on 2017-05-11 at 00:00:00 UTC. At the time of this notice, the certificate expired “159 days, 19 hours, 55 minutes, and 48 seconds” ago.
    AutoSSL did not renew the certificate for “exampledomain.co.uk”. You must take action to keep this site secure.
    
    The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
    
     webdisk.exampledomain.co.uk [ Last AutoSSL Run at “2017-10-16 at 23:54:07 UTC” ]
    The system queried for a temporary file at “http://webdisk.exampledomain.co.uk/.well-known/pki-validation/C14A94680F46EA0B29D3DF1E93E14EFC.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “webdisk.exampledomain.co.uk” resolved to an IP address “91.210.235.75” that does not exist on this server.
    
    
    This is only part of the email, it's a long email listing failures for every cname like ftp, web disk etc.

    I am getting loads of support tickets asking what the hell is going on as users don't understand the email and for the life of me I cannot find how to disable these emails.

    This is where the cPanel/WHM documentation pages really let customers down, they are so difficult to navigate and find anything in, they really need an overhaul as the current plain text 1990's looking system just doesn't help anymore.
     
    #1 rodpascoe, Oct 19, 2017
    Last edited by a moderator: Nov 16, 2017
  2. quarterstaff

    quarterstaff Member

    Joined:
    Feb 23, 2012
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Is there an answer for this one? This is a big problem. I too am starting to get panic support calls and email from everyone hosted on my server. We need the ability to turn off those emails, or find out why this is happening....
     
  3. quarterstaff

    quarterstaff Member

    Joined:
    Feb 23, 2012
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I was also seeing expired certs even though they are up to date in the backend. I turned off cachewall (xvarnish) and *poof* they are back. Likely related. rodpascoe - are you running varnish?
     
  4. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    27
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    Please check the release notes for 68 below:
    68 Release Notes - Version 68 Documentation - cPanel Documentation
    Did you check the Contact Manager in WHM?
     
  5. quarterstaff

    quarterstaff Member

    Joined:
    Feb 23, 2012
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    OK, so which one do I turn off for this message:

    The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems...

    I don't see an option for that one.
     
  6. rodpascoe

    rodpascoe Member

    Joined:
    Aug 12, 2012
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Thanks, I've disabled the option now.

    You might want to do a check when a server is upgraded as it sent thousands of emails for certificates that expired months ago.

    Perhaps it might be an idea to leave this disabled and allow server owners to make their own choice about what gets sent automatically.
     
  7. RobinMiller

    RobinMiller Member

    Joined:
    Oct 10, 2017
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Scotland
    cPanel Access Level:
    Root Administrator
    I'm also seeing this problem after the upgrade to cPanel 68. It appears that AutoSSL (using Let's Encrypt) has managed (up to now) to secure a number of cPanel related subdomains e.g. cpanel.user.server.com, webdisk.user.server.com etc which now fail the
    /.well-known/acme-challenge/ check process (webdisk, for example, may require a login that is not available to AutoSSL).

    In our case these domains aren't really important for the user's SSL Certificate, they can access them securely via the server's address and certificate. I do see that there is an option for the user to exclude them from AutoSSL using the SSL/TLS Status interface, however, I have a lot of users who don't understand what they're seeing and it would be helpful if there was a global interface where I could set which of the cPanel subdomains are included in the AutoSSL process for all users.
     
  8. rodpascoe

    rodpascoe Member

    Joined:
    Aug 12, 2012
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    I can't understand how a company as massive as cPanel with installs of their product in the millions worldwide (new domain created every six seconds according to their website) can't test adequately before releasing a change in functionality like this.

    These forums are littered with threads like this one where something totally preventable with more testing has happened and caused a problem on real world servers.
     
    Duplika likes this.
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,998
    Likes Received:
    339
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    If you're running EDGE or CURRENT you might expect some issues.
     
  10. rodpascoe

    rodpascoe Member

    Joined:
    Aug 12, 2012
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,998
    Likes Received:
    339
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You've placed too much emphasis on the words tested and verified.

    CURRENT is a Release Candidate.
    EDGE is in Perpetual Development.
     
  12. rodpascoe

    rodpascoe Member

    Joined:
    Aug 12, 2012
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    So basically you're saying that although you say on your page I linked to above (which WHM itself links to from it's interface) "This version is tested and verified" on CURRENT you actually don't mean it?

    You say on the same page EDGE is the only one not recommended on production servers, you're now implying CURRENT is too?

    It's all very well you quoting that text above about what you consider current to be but you don't have that text on the page you give us to let us make the choice above what release we use.

    Once again I'll post that link here :-

    Product Versions and the Release Process - cPanel Knowledge Base - cPanel Documentation

    That is the link you get to from within WHM when you go for help in choosing the level you're on.

    It says in plain English that CURRENT is tested and verified. It does NOT say any of the things you're now saying.

    Just admin your documentation is wrong/lacking and get it sorted rather than arguing semantics in a forum.
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,998
    Likes Received:
    339
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm not arguing with you. When you go to your WebHost Manager to select your tier, you'll note the links to the right of each one.

    Click them to be taken to the cPanel glossary page where I got the quotes above.

    cPtiersss.png

    I hope this helps!
     
    sneader likes this.
  14. Agics

    Agics Member

    Joined:
    May 16, 2013
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Beside who's fault this is, I have to say it took me a lot of work to get this resolved, basically logging in into every cpanel account on my servers and disable the notifications.
    Yesterday I tried to get rid of the source of the messages. The messages vary from 403 access errors on the .well-known directory to resolve errors to the cpanel. subdomain :-S and "Size body exceeds..." errors. Removing manually the .well-known dir seems to solve the issue on some accounts but not all. Some problems disappear and come back after 1 day. The problem often relates to cpanel created subdomains, like "autodiscovery" or "mail" or "ipv6". Look at for example this log. Does not make much sense. The webdisk subdomain is cpanel created and does not have it's own dir path. Still it tries to make a certificate and sends a mail to owner of the account that it fails and looses coverage. (I removed the actual domain)
    Code:
    12:16:11 AM The website “[domain].nl”, owned by “web1153”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “ipv6.[domain].nl”. The system will attempt to replace this certificate with one that includes this additional domain.
    12:16:11 AM WARN The domain “webdisk.[domain].nl” failed domain control validation: The system queried for a temporary file at “https://webdisk.[domain].nl/403.shtml”, which was redirected from “http://webdisk.[domain].nl/.well-known/pki-validation/78B8389E8CB1DFDE9D28D2BAF1D6EAE2.txt”. The web server responded with the following error: 401 (Unauthorized). A DNS (Domain Name System) or web server misconfiguration may exist.
    12:16:11 AM WARN The current SSL certificate for “[domain].nl” secures the domain “webdisk.[domain].nl”. However, this domain failed local domain control validation. In order to maintain SSL domain coverage for this domain, the system will not attempt to replace the current certificate. 
     
    #14 Agics, Oct 20, 2017
    Last edited by a moderator: Oct 20, 2017
  15. RobinMiller

    RobinMiller Member

    Joined:
    Oct 10, 2017
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Scotland
    cPanel Access Level:
    Root Administrator
    That's actually very helpful, Infopro. I've just taken over running a number of servers and they should be set to "Release" but one of them, the one with problems is set to "Current". I shall manually disable the reports for the affected people and change the update cycle to something more appropriate.
     
    Infopro likes this.
  16. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    357
    Likes Received:
    4
    Trophy Points:
    168
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    Just to follow up. I have disabled the following options:
    [WHM - Tweak Settings] Send notifications when certificates approach expiry.
    [WHM - Contact Manager] AutoSSL cannot add any additional domains because domains that fail validation exist on current certificate.
    [WHM - Contact Manager] AutoSSL certificates expiring
    [WHM - Contact Manager] Installation of AutoSSL certificates
    [WHM - Contact Manager] Installation of purchased SSL certificates
    [WHM - Contact Manager] SSL Certificate Expiration
    [WHM - Contact Manager] SSL Certificate Expires Soon
    [WHM - Contact Manager] SSL certificates expiring

    but some notification emails are still being sent. I have checked and see, that in cPanel for users in [cPanel - Contact Information - Contact preferences] options for AutoSSL, SSL are enabled. Can that be a reason, why those emails are sent?

    Question: is there easy option to disable it globally? Is there easy (API?) way to disable this on all accounts? These emails create huge confusion for most of our customers and give troubles to support.
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,484
    Likes Received:
    1,612
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you provide details and text from the specific notification that's still sent out?

    For WHM, the following WHM API 1 functions are available:

    WHM API 1 Functions - get_all_contact_importances - Software Development Kit - cPanel Documentation
    WHM API 1 Functions - set_application_contact_event_importance - Software Development Kit - cPanel Documentation

    For cPanel, the following cPanel API 2 functions are available:

    https://documentation.cpanel.net/display/SDK/cPanel+API+2+Functions+-+CustInfo::displaycontactinfo
    https://documentation.cpanel.net/display/SDK/cPanel+API+2+Functions+-+CustInfo::savecontactinfo

    The following WHM API 1 functions are also helpful for detecting AutoSSL problems:

    WHM API 1 Functions - get_autossl_problems_for_user - Software Development Kit - cPanel Documentation
    https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+get_autossl_problems_for_domain

    Additionally, we should have a new blog post regarding the AutoSSL changes in cPanel version 68 published soon. Once published, you can find it at:

    https://blog.cpanel.com/

    To update, it's now available at https://blog.cpanel.com/new-ssl-notifications-in-v68/

    Feel free to open a support ticket using the link in my signature if you are having trouble determining why AutoSSL is failing for a specific account or domain name so we can take a closer look.

    Thank you.
     
  18. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    357
    Likes Received:
    4
    Trophy Points:
    168
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    Here are screenshots.

    Update: listed API function reference does not list parameters for SSL notification setting. Could you ask developers and update it? :)
     

    Attached Files:

    #18 anton_latvia, Oct 27, 2017
    Last edited: Oct 27, 2017
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,484
    Likes Received:
    1,612
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    In cPanel, under "Contact Information", you'd need to disable the AutoSSL notifications. The particular notification referenced in that screenshot is:

    "AutoSSL cannot renew a certificate because domains that fail validation exist on the current certificate."

    Documentation case DOC-9720 is open for this. I'll update this thread once the changes are published. In the meantime, here's a look at the new parameters:


    Update: The following document is now updated to include the additional parameters for the corresponding cPanel API 2 function:

    cPanel API 2 Functions - CustInfo::savecontactinfo - Software Development Kit - cPanel Documentation

    Thank you.
     
    #19 cPanelMichael, Oct 30, 2017
    Last edited: Dec 22, 2017
  20. MACscr

    MACscr Well-Known Member

    Joined:
    Sep 30, 2003
    Messages:
    193
    Likes Received:
    1
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    Has anyone scripted anything up yet to disable these notifications server wide and by default for new accounts? Definitely a pain right now for me.
     
Loading...

Share This Page