By the way: thanks @NanoGame for the script. At least with this we can stop future emails. And i didn't know we can execute Cpanel Api commands that easily from a bash script.
Great!
Great!
Hello,
Thank you to everyone for taking the time to offer feedback regarding the new AutoSSL notifications in cPanel version 68. To update, we have an internal case open to implement a new feature that will allow administrators to globally disable the end-user AutoSSL notifications. I don't have a specific time frame to offer at this time, but I'll update this thread again as soon as more information is available.
In the meantime, the following user-submitted script will disable all end-user SSL notifications for all cPanel users:
SSL Notifications in cPanel 68
Thank you.
Thank you to everyone for taking the time to offer feedback regarding the new AutoSSL notifications in cPanel version 68. To update, we have an internal case open to implement a new feature that will allow administrators to globally disable the end-user AutoSSL notifications. I don't have a specific time frame to offer at this time, but I'll update this thread again as soon as more information is available.
In the meantime, the following user-submitted script will disable all end-user SSL notifications for all cPanel users:
More information about each cPanel API 2 function is available on this post:Hi Texo, we are getting a lot of tickets about these notices too. This is a little shell script I wrote to change the notifications for the 5 AutoSSL notices off for every user on the server.
Save it to /root/something.sh, chmod 755 something.sh and then run it with ./something.sh
Adjust the 0 values on the line above to 1 if you want to keep a particular notification on.Code:#!/bin/bash cd /var/cpanel/users for user in * do cpapi2 --user=$user CustInfo savecontactinfo notify_autossl_renewal=0 notify_autossl_renewal_coverage=0 notify_autossl_expiry_coverage=0 notify_autossl_expiry=0 notify_ssl_expiry=0 done
Hope this helps
SSL Notifications in cPanel 68
Thank you.
Duplika
Well-Known Member
Hopefully this is released soon, and gives cPanel a heads up to avoid this kind of mistakes on the future.
I like everyone else is hit by this, I have 20 servers. All I see is cpanel figuring out a way to hide the symptom but not sending out notices. But the problem still exists that the auto-ssl is no longer issuing certificate renewals behind cloudflare, is that correct?
I am approaching the warning dates from those emails. I assume they are correct that the replacement SSL will not be deployed. I use full-strict security at cloudflare and require a current SSL on the servers. These are all ecommerce stores with very high traffic. SSLs auto-renewed like clockwork before this upgrade which auto-deployed, I'll have words with my datacenter about that.
But what is being done to fix the lack of an ssl being re-issued at expiration?
I am approaching the warning dates from those emails. I assume they are correct that the replacement SSL will not be deployed. I use full-strict security at cloudflare and require a current SSL on the servers. These are all ecommerce stores with very high traffic. SSLs auto-renewed like clockwork before this upgrade which auto-deployed, I'll have words with my datacenter about that.
But what is being done to fix the lack of an ssl being re-issued at expiration?
Hi Quarterstaff. Did you manage to find a solution to Cachewall preventing AutoSSL certs from updating? I have also found it necessary to disable Cachewall and do a manual check of AutoSSL to get cert updated.
I've also been hit by this problem and received a LOT of support tickets. I agree that this is way too confusing for end users and it should be disabled ASAP as a stop gap measure. It would be fantastic for WHM admins to be able to receive a summary of all issues though, or to be able check them out through the web interface.
I've moved that particular issue to a separate thread for further discussion:
New Thread - CloudFlare and AutoSSL
I recommend reaching out to their support team to report the issue to see if this is something they have a patch for, or if they are working towards a resolution.
Thank you.
Hi stormy, All the problems are logged during each AutoSSL run and are viewable in the WHM »SSL/TLS »Manage AutoSSL » Logs
We have opened CPANEL-16842 to add an option to disable AutoSSL notifications server-
wide.
Certificate expiry notifications (both AutoSSL and non-AutoSSL) can already be disabled server-wide in WHM »Tweak Settings » Notifications » Send notifications when certificates approach expiry.
Thanks @cPanelNick! Yes, I know the logs page, but you have to comb through everything that has been done, success or failure. A list with all the issues would be really handy. Anyway, not worth it to start a feature request for that
So what does it disable exactly? I'm on 68.0.12.
I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them.
So what does it disable exactly? I'm on 68.0.12.
Hi @stormy,
Setting "Send notifications when certificates approach expiry" to "Off" under the "Notifications" tab in "WHM >> Tweak Settings" should prevent "/scripts/notify_expiring_certificates" from generating new notifications about expiring certificates (both AutoSSL and non-AutoSSL certificates). Is it possible the notifications that were sent were queued from before you disabled this option? Feel free to open a support ticket and we can verify it's working as expected on your system.
Thank you.
Just a side note but it also might be helpful in the meantime, if you're going to use the abovementioned bash script as a workaround with the cpapi2 function to note that AutoSSL needs to be enabled in WHM>>SSL/TLS>>Manage AutoSSL interface as well as within the feature list the user's package is using.
Thanks @cPanelMichael. I can confirm that the notifications are still being sent, I just received another one right now.
Thanks @cPanelLauren too. There's another reason the script didn't work: the Contact Information feature must be enabled as well, although it's listed as "Legacy". I had that disabled, and once enabled and checked, I could see that the individual notifications for AutoSSL were not disabled in ?goto_app=ContactInfo_Change.
I'm still confused at the server-wide setting. Does it only mean the notifications won't be activated by default for new accounts? Or does it mean that the notification is never sent? If it's the latter, it's not working for me.
Thanks @cPanelLauren too. There's another reason the script didn't work: the Contact Information feature must be enabled as well, although it's listed as "Legacy". I had that disabled, and once enabled and checked, I could see that the individual notifications for AutoSSL were not disabled in ?goto_app=ContactInfo_Change.
I'm still confused at the server-wide setting. Does it only mean the notifications won't be activated by default for new accounts? Or does it mean that the notification is never sent? If it's the latter, it's not working for me.
I'm not sure if it is helpful, however, we did add an API for this in v68:Thanks @cPanelNick! Yes, I know the logs page, but you have to comb through everything that has been done, success or failure. A list with all the issues would be really handy. Anyway, not worth it to start a feature request for that
Code:
# whmapi1 get_autossl_problems_for_user username=myusername
---
data:
problems_by_domain:
-
domain: this.tld
log: 2017-11-14T05:18:03Z
problem: “this.tld” does not resolve to any IPv4 addresses on the internet.
time: 2017-11-14T05:27:23Z
-The expiry notification system is separate from the AutoSSL system so the confusion is understandable. This system is responsible for sending expiry notifications for all certificate types. The tweak setting disables the expiry notifications system (SSL::CertificateExpiring and AutoSSL::CertificateExpiring - except for related DCV problems).
The following command will disable the expiry notification system:
Code:
whmapi1 set_tweaksetting key=notify_expiring_certificates value=0We opened up case CPANEL-16927 to move the all the expiry and related notifications for AutoSSL certificates to be controlled by the same options that were added in CPANEL-16842 (shipped in 68.0.14). Hopefully, this will reduce the confusion created by having two places where the notifications are controlled.
CPANEL-16842 shipped in 68.0.14 with these changes:
- AutoSSL options area will handle server-wide control for sending notifications for AutoSSL certificates except expiry. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, and SSL::CertificateExpiring - when there are related DCV problems)
- If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel. Once available the following command line options will be able to disable the notifications server-wide:
- Turn off all the AutoSSL notifications and prevent AutoSSL from replacing invalid or expiring non-AutoSSL certificates:
Code:
whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":0,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}' - Turn off all the AutoSSL notifications and allow AutoSSL to replace invalid or expiring non-AutoSSL certificates (not recommended):
Code:
whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":1,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
- Turn off all the AutoSSL notifications and prevent AutoSSL from replacing invalid or expiring non-AutoSSL certificates:
- In v70 we added set_autossl_metadata_key to make this easier to set from the command line: WHM API 1 Functions - set_autossl_metadata_key - Software Development Kit - cPanel Documentation
When CPANEL-16927 is completed in a coming v70 release (available in EDGE):
- Tweak Settings option will control sending notification non-AutoSSL certificates (SSL::CertificateExpiring) [Note: If AutoSSL is disabled we treat all certificates as non-AutoSSL certificates]
- AutoSSL options area will handle control for sending notifications for AutoSSL certificates. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, AutoSSL::CertificateExpiryCoverage [partial DCV failure - NEW] and AutoSSL::CertificateExpiring [full DCV failure])
- We have also added some language in the WHM Contact Manager to clarify that the settings control which notifications the server administrator receives and where to adjust the settings for a cPanel user (in Contact Information)
- If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel and administrators will have the option to disable them in the WHM Contact Manager
- We are adding additional granularity to control to the AutoSSL::CertificateInstalled notification as AutoSSL::CertificateInstalledCovergeReduced [New] and
AutoSSL::CertificateInstalledUncoveredDomains [NEW]
for administrators who want to disable the AutoSSL::CertificateInstalled success notifications. This allows administrators to reduce the number of notifications but still stay informed when a certificate that reduces the SSL coverage is installed. This is an important distinction since this usually means that a DCV problem was not corrected in time to prevent interruption of service by having an expected domain removed from the certificate. - Now that we have a way to distinguish between a coverage problem and a successful renewal, we will also change AutoSSL::CertificateInstalled (Success) to be disabled by default (If you have already saved/modified AutoSSL options, your existing settings will be preserved.)
Note: This post was edited to clarify how certificates are treated when AutoSSL is disabled, provide command line options for disabling AutoSSL notifications server-wide, and expand how CPANEL-16928 will be implemented.
Last edited:
I also experienced a lot of support queries after 68 was released due to SSL "will expire soon" notifications being sent to my users. I actually handle SSL certificate renewal myself using scripts on my customers' sites to check and renew certs as needed (from Lets Encrypt). For some reason, Lets Encrypt is not an option in the list of Providers for AutoSSL (only Comodo is listed). Anyway, since my script starts trying to renew certs about 10 days prior to expiration, the cPanel notifications go out to customers prior to this, which of course is generating confusion. Again, this is for non-AutoSSL certs. I have AutoSSL disabled server wide in WHM and always have.
I had already disabled the notifications in Contact Manager, but continued to see the notices being sent. After reading this thread, I have disabled the Tweak Settings option. But shouldn't the Contact Manager notification settings in my screenshot below have stopped non-AutoSSL notifications regardless of the Tweak Settings option (as per the last setting shown)? Or was that setting overridden by an individual account setting? If so, what is the purpose of this WHM setting?
Finally, as mentioned in the prior post:
CPANEL-16927 is completed in a coming v70 release:
Tweak Settings option will control sending notification non-AutoSSL certificates
This sounds like what I need. Does this mean that there is currently no setting that will disable non-AutoSSL expiry notifications in 68.0.14, including the one in Tweak Settings I mentioned earlier?
Thanks for any clarity you can shed on this issue.
I had already disabled the notifications in Contact Manager, but continued to see the notices being sent. After reading this thread, I have disabled the Tweak Settings option. But shouldn't the Contact Manager notification settings in my screenshot below have stopped non-AutoSSL notifications regardless of the Tweak Settings option (as per the last setting shown)? Or was that setting overridden by an individual account setting? If so, what is the purpose of this WHM setting?
Finally, as mentioned in the prior post:
CPANEL-16927 is completed in a coming v70 release:
Tweak Settings option will control sending notification non-AutoSSL certificates
This sounds like what I need. Does this mean that there is currently no setting that will disable non-AutoSSL expiry notifications in 68.0.14, including the one in Tweak Settings I mentioned earlier?
Thanks for any clarity you can shed on this issue.
Last edited:
After upgrading cPanel/WHM to 68, i have been noticing that cPanel sending notification emails to client which is disturbing. Is there any way we can stop these notification.
Right?
As in, whoever adds these features in that development pit obviously isn't the one testing them and approving them, and one hand isn't talking to the other one as the testers obviously don't have a full idea of all the new features implemented so they can properly test their effects. Or, if they do, they are doing a terrible job testing the effects of these new features and are just green lighting everything that even remotely looks good.
Either way, an issue.
Yeah, that's cute. Except that EDGE and CURRENT are usually the same version, and RELEASE is 50% of the time the same as well. And if it isn't, it says "recommended" right next to it.
Screenshot
So how did a feature like this *slip* into the RELEASE without proper testing and approval is beyond me.
And if you're going to label it a "recommended" release, two steps down from the bleeding EDGE and release candidate CURRENT, you'd think this one would get enough testing done by the time it's pushed out.
You'd think.
You guys screwed up and as someone mentioned should have had a fix for this the next night. And not just an API reference that leaves us scrambling to figure out how to even use that, but an actual function in WHM that lets us disable this with a click of a button globally.
Why?
Because there are only a dozen of us on this thread who even remotely thought about checking your forums for a solution, and there are tens of thousands of server admins out there who will suffer through this issue hoping for a fix of some sort for days and weeks, answering angry emails from customers who are as confused as they are on why they are even getting emails like these in the first place and what all that means.
Right?
These notifications to end users are pointless to begin with, so why even implement them in the first place?!
And not only implement them but force them in a way that doesn't allow us to turn them off, nor does it provide a default OFF setting on update allowing us to turn it ON ourselves if we so desire.
Sometimes I wonder who does use case testing in your offices there...
With all that said, thank you for providing the command line solution and whoever provided that shell script as well. It will do, for now, as a quick fix, for those of us who are lucky enough to find it and be able to implement it.
Last edited:
v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."
I think the cPanel developers deserve the highest praise for both acknowledging the communities concerns, and acting so promptly to mitigate the unintended consequences of the new AutoSSL notifications feature.
I think the cPanel developers deserve the highest praise for both acknowledging the communities concerns, and acting so promptly to mitigate the unintended consequences of the new AutoSSL notifications feature.
v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."
The question I would have [for cPanel, not for you] is whether disabling the notifications in this area will stop the notifications to users or if it will stop notifications to admins or both?v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."
Mike