cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Thank you to everyone for taking the time to offer feedback regarding the new AutoSSL notifications in cPanel version 68. To update, we have an internal case open to implement a new feature that will allow administrators to globally disable the end-user AutoSSL notifications. I don't have a specific time frame to offer at this time, but I'll update this thread again as soon as more information is available.

In the meantime, the following user-submitted script will disable all end-user SSL notifications for all cPanel users:

Hi Texo, we are getting a lot of tickets about these notices too. This is a little shell script I wrote to change the notifications for the 5 AutoSSL notices off for every user on the server.

Save it to /root/something.sh, chmod 755 something.sh and then run it with ./something.sh

Code:
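#!/bin/bash
# Turn off the five AutoSSL/SSL notification settings for every cPanel account.
# Stop if the users directory is missing rather than looping over the wrong directory.
cd /var/cpanel/users || exit 1
for user in *
do
    # Each file name in this directory is a cPanel username.
    cpapi2 --user="$user" CustInfo savecontactinfo notify_autossl_renewal=0 notify_autossl_renewal_coverage=0 notify_autossl_expiry_coverage=0 notify_autossl_expiry=0 notify_ssl_expiry=0
done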
Adjust the 0 values on the line above to 1 if you want to keep a particular notification on.

Hope this helps :)
More information about each cPanel API 2 function is available on this post:

SSL Notifications in cPanel 68

Thank you.
 

BFFMediaInc

Member
Sep 29, 2016
USA
cPanel Access Level
Reseller Owner
I, like everyone else, am hit by this; I have 20 servers. All I see is cPanel figuring out a way to hide the symptom but not sending out notices. But the problem still exists that the auto-ssl is no longer issuing certificate renewals behind cloudflare, is that correct?

I am approaching the warning dates from those emails. I assume they are correct that the replacement SSL will not be deployed. I use full-strict security at cloudflare and require a current SSL on the servers. These are all ecommerce stores with very high traffic. SSLs auto-renewed like clockwork before this upgrade which auto-deployed, I'll have words with my datacenter about that.

But what is being done to fix the lack of an ssl being re-issued at expiration?
 

Stephen Hare

Registered
Nov 12, 2017
Spain
cPanel Access Level
Root Administrator
I was also seeing expired certs even though they are up to date in the backend. I turned off cachewall (xvarnish) and *poof* they are back. Likely related. rodpascoe - are you running varnish?
Hi Quarterstaff. Did you manage to find a solution to Cachewall preventing AutoSSL certs from updating? I have also found it necessary to disable Cachewall and do a manual check of AutoSSL to get cert updated.
 

stormy

Well-Known Member
Nov 22, 2003
Spain
cPanel Access Level
Root Administrator
I've also been hit by this problem and received a LOT of support tickets. I agree that this is way too confusing for end users and it should be disabled ASAP as a stopgap measure. It would be fantastic for WHM admins to be able to receive a summary of all issues though, or to be able to check them out through the web interface.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
But the problem still exists that the auto-ssl is no longer issuing certificate renewals behind cloudflare, is that correct?
I've moved that particular issue to a separate thread for further discussion:

New Thread - CloudFlare and AutoSSL

Hi Quarterstaff. Did you manage to find a solution to Cachewall preventing AutoSSL certs from updating? I have also found it necessary to disable Cachewall and do a manual check of AutoSSL to get cert updated.
I recommend reaching out to their support team to report the issue to see if this is something they have a patch for, or if they are working towards a resolution.

Thank you.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
cPanel Access Level
DataCenter Provider
I've also been hit by this problem and received a LOT of support tickets. I agree that this is way too confusing for end users and it should be disabled ASAP as a stopgap measure. It would be fantastic for WHM admins to be able to receive a summary of all issues though, or to be able to check them out through the web interface.
Hi stormy, all the problems are logged during each AutoSSL run and are viewable in WHM » SSL/TLS » Manage AutoSSL » Logs.

We have opened CPANEL-16842 to add an option to disable AutoSSL notifications server-wide.

Certificate expiry notifications (both AutoSSL and non-AutoSSL) can already be disabled server-wide in WHM » Tweak Settings » Notifications » Send notifications when certificates approach expiry.
 

stormy

Well-Known Member
Nov 22, 2003
Spain
cPanel Access Level
Root Administrator
Thanks @cPanelNick! Yes, I know the logs page, but you have to comb through everything that has been done, success or failure. A list with all the issues would be really handy. Anyway, not worth it to start a feature request for that :)

Certificate expiry notifications (both AutoSSL and non-AutoSSL) can already be disabled server-wide in WHM » Tweak Settings » Notifications » Send notifications when certificates approach expiry.
I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them.

So what does it disable exactly? I'm on 68.0.12.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them.

So what does it disable exactly? I'm on 68.0.12.
Hi @stormy,

Setting "Send notifications when certificates approach expiry" to "Off" under the "Notifications" tab in "WHM >> Tweak Settings" should prevent "/scripts/notify_expiring_certificates" from generating new notifications about expiring certificates (both AutoSSL and non-AutoSSL certificates). Is it possible the notifications that were sent were queued from before you disabled this option? Feel free to open a support ticket and we can verify it's working as expected on your system.

Thank you.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Just a side note but it also might be helpful in the meantime, if you're going to use the abovementioned bash script as a workaround with the cpapi2 function to note that AutoSSL needs to be enabled in WHM>>SSL/TLS>>Manage AutoSSL interface as well as within the feature list the user's package is using.
 

stormy

Well-Known Member
Nov 22, 2003
Spain
cPanel Access Level
Root Administrator
Thanks @cPanelMichael. I can confirm that the notifications are still being sent, I just received another one right now.

Thanks @cPanelLauren too. There's another reason the script didn't work: the Contact Information feature must be enabled as well, although it's listed as "Legacy". I had that disabled, and once enabled and checked, I could see that the individual notifications for AutoSSL were not disabled in ?goto_app=ContactInfo_Change.

I'm still confused at the server-wide setting. Does it only mean the notifications won't be activated by default for new accounts? Or does it mean that the notification is never sent? If it's the latter, it's not working for me.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
cPanel Access Level
DataCenter Provider
Thanks @cPanelNick! Yes, I know the logs page, but you have to comb through everything that has been done, success or failure. A list with all the issues would be really handy. Anyway, not worth it to start a feature request for that :)
I'm not sure if it is helpful, however, we did add an API for this in v68:

Code:
# whmapi1 get_autossl_problems_for_user username=myusername
---
data:
  problems_by_domain:
    -
      domain: this.tld
      log: 2017-11-14T05:18:03Z
      problem: “this.tld” does not resolve to any IPv4 addresses on the internet.
      time: 2017-11-14T05:27:23Z
    -
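
The request above for one list of only the failing domains can be built on this API call. The following is an added example, not cPanel's code and not part of any post: it assumes `whmapi1 --output=json` returns the same fields as the YAML shown above plus a `metadata.result` success flag, and the sample responses and account names in it are constructed.

```python
import json
import os
import subprocess

USERS_DIR = "/var/cpanel/users"  # per-account files, as iterated by the script earlier in the thread

def fetch_raw(user):
    """Run the API call for one account and return its JSON text (root on a cPanel server)."""
    cmd = ["whmapi1", "--output=json", "get_autossl_problems_for_user", f"username={user}"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def parse_problems(raw):
    """Return the problems_by_domain list; raise ValueError if the call did not succeed."""
    doc = json.loads(raw)  # empty or non-JSON output raises JSONDecodeError (a ValueError)
    meta = doc.get("metadata") or {}
    if meta.get("result") != 1:  # assumption: success is reported as metadata.result == 1
        raise ValueError(meta.get("reason", "unknown API failure"))
    return (doc.get("data") or {}).get("problems_by_domain") or []

def summarize(raw_by_user):
    """Reduce per-account output to (user, domain, time, problem) rows, newest entry per domain."""
    latest, failed = {}, []
    for user, raw in raw_by_user.items():
        try:
            problems = parse_problems(raw)
        except ValueError:
            failed.append(user)  # report accounts that could not be checked instead of skipping them
            continue
        for p in problems:
            key = (user, p["domain"])
            # same-format ISO 8601 UTC timestamps order correctly as plain strings
            if key not in latest or p["time"] > latest[key]["time"]:
                latest[key] = p
    rows = [(u, d, p["time"], p["problem"]) for (u, d), p in sorted(latest.items())]
    return rows, sorted(failed)

def _doc(problems, result=1):
    """Build one constructed API response."""
    meta = {"result": result, "reason": "OK" if result else "constructed failure"}
    return json.dumps({"data": {"problems_by_domain": problems}, "metadata": meta})

NO_DNS = "\u201cthis.tld\u201d does not resolve to any IPv4 addresses on the internet."
# Constructed sample input: account names, extra entries and the failed call are invented.
SAMPLE = {
    "alice": _doc([
        {"domain": "this.tld", "log": "2017-11-13T05:18:03Z", "problem": NO_DNS, "time": "2017-11-13T05:27:23Z"},
        {"domain": "this.tld", "log": "2017-11-14T05:18:03Z", "problem": NO_DNS, "time": "2017-11-14T05:27:23Z"},
        {"domain": "shop.this.tld", "log": "2017-11-14T05:18:03Z", "problem": "constructed DCV failure", "time": "2017-11-14T05:27:25Z"},
    ]),
    "bob": _doc([]),
    "carol": _doc([], result=0),
}

if __name__ == "__main__":
    live = os.path.isdir(USERS_DIR)
    raw = {u: fetch_raw(u) for u in sorted(os.listdir(USERS_DIR))} if live else SAMPLE
    rows, failed = summarize(raw)
    for row in rows:
        print("\t".join(row))
    for user in failed:
        print(f"{user}\tcould not be checked")
```

Accounts whose call fails are listed separately, so a server where end-user notifications have been switched off still shows which accounts were not actually checked.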
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
cPanel Access Level
DataCenter Provider
I'm confused about that setting, because I did disable the notifications and they were still sent. I had to run the script quoted above to disable them.

So what does it disable exactly? I'm on 68.0.12.
The expiry notification system is separate from the AutoSSL system so the confusion is understandable. This system is responsible for sending expiry notifications for all certificate types. The tweak setting disables the expiry notifications system (SSL::CertificateExpiring and AutoSSL::CertificateExpiring - except for related DCV problems).

The following command will disable the expiry notification system:
Code:
whmapi1 set_tweaksetting key=notify_expiring_certificates value=0
It's possible the cause of the unexpected notifications is the AutoSSL system sending them when a domain is failing DCV and is affecting the ability for it to renew before the expiry (AutoSSL::CertificateExpiring - when there are related DCV problems or AutoSSL::CertificateRenewalCoverage).

We opened up case CPANEL-16927 to move all the expiry and related notifications for AutoSSL certificates to be controlled by the same options that were added in CPANEL-16842 (shipped in 68.0.14). Hopefully, this will reduce the confusion created by having two places where the notifications are controlled.

CPANEL-16842 shipped in 68.0.14 with these changes:
  • AutoSSL options area will handle server-wide control for sending notifications for AutoSSL certificates except expiry. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, and SSL::CertificateExpiring - when there are related DCV problems)
  • If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel. Once available the following command line options will be able to disable the notifications server-wide:
    • Turn off all the AutoSSL notifications and prevent AutoSSL from replacing invalid or expiring non-AutoSSL certificates:
      Code:
      whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":0,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
    • Turn off all the AutoSSL notifications and allow AutoSSL to replace invalid or expiring non-AutoSSL certificates (not recommended):
      Code:
      whmapi1 set_autossl_metadata metadata_json='{"clobber_externally_signed":1,"notify_autossl_expiry_coverage":0,"notify_autossl_renewal_coverage":0,"notify_autossl_renewal":0}'
  • In v70 we added set_autossl_metadata_key to make this easier to set from the command line: WHM API 1 Functions - set_autossl_metadata_key - Software Development Kit - cPanel Documentation

When CPANEL-16927 is completed in a coming v70 release (available in EDGE):
  • Tweak Settings option will control sending notifications for non-AutoSSL certificates (SSL::CertificateExpiring) [Note: If AutoSSL is disabled we treat all certificates as non-AutoSSL certificates]
  • AutoSSL options area will handle control for sending notifications for AutoSSL certificates. (AutoSSL::CertificateInstalled, AutoSSL::CertificateRenewalCoverage, AutoSSL::CertificateExpiryCoverage [partial DCV failure - NEW] and AutoSSL::CertificateExpiring [full DCV failure])
  • We have also added some language in the WHM Contact Manager to clarify that the settings control which notifications the server administrator receives and where to adjust the settings for a cPanel user (in Contact Information)
  • If the notifications are enabled in the AutoSSL options area users will retain the option to disable them in cPanel and administrators will have the option to disable them in the WHM Contact Manager
When CPANEL-16928 is completed in a coming v70 release (available in EDGE):
  • We are adding additional granularity of control to the AutoSSL::CertificateInstalled notification as AutoSSL::CertificateInstalledCovergeReduced [NEW] and AutoSSL::CertificateInstalledUncoveredDomains [NEW] for administrators who want to disable the AutoSSL::CertificateInstalled success notifications. This allows administrators to reduce the number of notifications but still stay informed when a certificate that reduces the SSL coverage is installed. This is an important distinction since this usually means that a DCV problem was not corrected in time to prevent interruption of service by having an expected domain removed from the certificate.
  • Now that we have a way to distinguish between a coverage problem and a successful renewal, we will also change AutoSSL::CertificateInstalled (Success) to be disabled by default (If you have already saved/modified AutoSSL options, your existing settings will be preserved.)

Note: This post was edited to clarify how certificates are treated when AutoSSL is disabled, provide command line options for disabling AutoSSL notifications server-wide, and expand how CPANEL-16928 will be implemented.
 

swbrains

Well-Known Member
Sep 13, 2006
I also experienced a lot of support queries after 68 was released due to SSL "will expire soon" notifications being sent to my users. I actually handle SSL certificate renewal myself using scripts on my customers' sites to check and renew certs as needed (from Let's Encrypt). For some reason, Let's Encrypt is not an option in the list of Providers for AutoSSL (only Comodo is listed). Anyway, since my script starts trying to renew certs about 10 days prior to expiration, the cPanel notifications go out to customers prior to this, which of course is generating confusion. Again, this is for non-AutoSSL certs. I have AutoSSL disabled server-wide in WHM and always have.

I had already disabled the notifications in Contact Manager, but continued to see the notices being sent. After reading this thread, I have disabled the Tweak Settings option. But shouldn't the Contact Manager notification settings in my screenshot below have stopped non-AutoSSL notifications regardless of the Tweak Settings option (as per the last setting shown)? Or was that setting overridden by an individual account setting? If so, what is the purpose of this WHM setting?

screencapture_000305.png

Finally, as mentioned in the prior post:
CPANEL-16927 is completed in a coming v70 release:
Tweak Settings option will control sending notifications for non-AutoSSL certificates


This sounds like what I need. Does this mean that there is currently no setting that will disable non-AutoSSL expiry notifications in 68.0.14, including the one in Tweak Settings I mentioned earlier?

Thanks for any clarity you can shed on this issue.
 

CrazySerb

Member
Apr 1, 2015
Canada
cPanel Access Level
Root Administrator
How did this "feature" reach Release? incomprehensible.
Right?

As in, whoever adds these features in that development pit obviously isn't the one testing them and approving them, and one hand isn't talking to the other one as the testers obviously don't have a full idea of all the new features implemented so they can properly test their effects. Or, if they do, they are doing a terrible job testing the effects of these new features and are just green lighting everything that even remotely looks good.

Either way, an issue.



If you're running EDGE or CURRENT you might expect some issues.
I'm not arguing with you. When you go to your WebHost Manager to select your tier, you'll note the links to the right of each one.

Click them to be taken to the cPanel glossary page where I got the quotes above.

View attachment 49163

I hope this helps!

Yeah, that's cute. Except that EDGE and CURRENT are usually the same version, and RELEASE is 50% of the time the same as well. And if it isn't, it says "recommended" right next to it.

Screenshot

So how did a feature like this *slip* into the RELEASE without proper testing and approval is beyond me.

And if you're going to label it a "recommended" release, two steps down from the bleeding EDGE and release candidate CURRENT, you'd think this one would get enough testing done by the time it's pushed out.

You'd think.

You guys screwed up and as someone mentioned should have had a fix for this the next night. And not just an API reference that leaves us scrambling to figure out how to even use that, but an actual function in WHM that lets us disable this with a click of a button globally.

Why?

Because there are only a dozen of us on this thread who even remotely thought about checking your forums for a solution, and there are tens of thousands of server admins out there who will suffer through this issue hoping for a fix of some sort for days and weeks, answering angry emails from customers who are as confused as they are on why they are even getting emails like these in the first place and what all that means.


I think a distinction needs to be made between the AutoSSL notifications and notifications for certificates the end user may have installed themselves from third parties.

With AutoSSL, sending notifications to the end user is a waste of time, since they can't do anything to resolve any of those problems. Expiry notifications on these certs are also pointless, considering the fact that they auto renew.

I think it's pretty reasonable to assume that AutoSSL notifications should go to the admin contact only.
Right?

These notifications to end users are pointless to begin with, so why even implement them in the first place?!

And not only implement them but force them in a way that doesn't allow us to turn them off, nor does it provide a default OFF setting on update allowing us to turn it ON ourselves if we so desire.

Sometimes I wonder who does use case testing in your offices there...


With all that said, thank you for providing the command line solution and whoever provided that shell script as well. It will do, for now, as a quick fix, for those of us who are lucky enough to find it and be able to implement it.
 

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."

I think the cPanel developers deserve the highest praise for both acknowledging the community's concerns, and acting so promptly to mitigate the unintended consequences of the new AutoSSL notifications feature.
 

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."
The question I would have [for cPanel, not for you] is whether disabling the notifications in this area will stop the notifications to users or if it will stop notifications to admins or both?

Mike