SSL Notifications in cPanel 68

[mtindor]

v68.0.14 introduced 3 new AutoSSL notification settings in WHM >> SSL/TLS >> Manage AutoSSL > Options which would seem to be the result of the "Implemented case CPANEL-16842: Add options to disable AutoSSL notifications."

I think the cPanel developers deserve the highest praise for both acknowledging the communities concerns, and acting so promptly to mitigate the unintended consequences of the new AutoSSL notifications feature.

They deserve some praise. Highest praise? The jury is out on that one. On an existing WHM 68 box that is now on .14, I see the options -- but they were enabled. I disabled them. If servers upgrading from WHM 66 to 68 have those options ENabled by default I'd consider that a fail. The idea is not to have _any_ of these emails sent out, not even once, unless the admin enables those options. In summary, assuming that a WHM 66 to 68 update does not automatically have those options disabled, I feel they should.

Mike

 

[rpvw]

Hi mtindor,

I know you didn't ask me, but my observations below may help:

Tweak settings > Send notifications when certificates approach expiry. seems to apply to Admins only

The three settings I mentioned above remove the notification options from the users cPanel Edit Contact Information and Preferences page - so I am going to go out on a limb and guess that these apply to users only.

I felt that the previous replies regarding the Tweak settings entry all left me with some doubt as to what it did exactly - so if some kind developer could give us a simple, unequivocal, (possible politically incorrect) clarification, I am sure everyone will thank you

 

[rpvw]

My apologies in advance, as this may upset some readers......

Well of course one can continue bashing the developers for whatever they did wrong - I know - I am often one of the first to loudly and thoroughly castigate when I see something I believe to be wrong.

However - repetition does little to solve an issue other than to irritate !

• Should this feature have been allowed to be pushed out in the form it was ? .... Of course not.
• Should someone have thought about the implications ? .... Probably, but they either didn't think it would be an issue, or it got overlooked.
• Did developers react to the communities concerns within a reasonable time frame ? ... I believe they did.

All in all - I still think they did a great job - having once been involved in a software application myself, and having users come onto my forum and just moan and complain incessantly often left me wondering why I was bothering at all (and our software was FOSS), so I appreciated it when someone took the time and trouble to give us any encouragement.

Bottom line, if you have something to say, be constructive and don't belabour the point. Software gets more complex and demanding every day. Users want it to do more, on a bigger variety of platforms, and maintain backward compatibility, and pay less for the privilege. If you think you can do a better job - we shall look forward to seeing your contribution !

 

[mtindor]

My apologies in advance, as this may upset some readers......

That may or may not have been directed at me, at least in part. Regardless, I don't take offense. I'm not a software developer, and i do appreciate what the developers do. Perhaps "fail" was too harsh -- maybe "partial fail". I feel it was still constructive criticism, as I don't think it would be too late for the cPanel folks to default those options to DISabled, assuming they aren't disabled by default on a 66-to-68 update.

Mike

PS: I can't do a better job, and you won't see any contribution from me.

 

[mtindor]

rpvw,

Thanks for the response. Do you have any idea if disabling those three notifications (under Manage AutoSSL-->Options) also disables (sets to =0) existing settings for the indivdual cPanel users that are entered into /var/cpanel/users/<account> ?

You had stated that it removes the options from the users' cPanel Edit Contact Information and Preference page, but I'm just wondering if it also goes through /var/cpanel/users/* and disables them (or if it even needs to). The whole function in WHM under Manage AutoSSL-->Options might act upon things higher up the chain, thus ignoring any related lines in a /var/cpanel/users/<account>.

I know that after I logged into a WHM 68.0.14 and unchecked the options in Manage AutoSSL-->Options, the lines in /var/cpanel/users/<account> still exist and did not change. Previous to this I had already run the script (provided by a cPanel forum member) that sets the options to =0 , and so it is unclear to me whether unchecking the items under Manage AutoSSL-->Options does anything to the /var/cpanel/users/<account> files -- or if it even needs to.

I guess that the question isn't really one I should expect you or any other user to answer. Some definitive clarification by the cPanel folks would be nice though. Basically, I just want to know what happens, behind the scenes, when those options are unchecked in Manage AutoSSL-->Options. Does it act upon information previously added to /var/cpanel/users/<account>? Or does it act on things higher up, thus ignoring any related entries in /var/cpanel/users/<account> when the options are disabled?

Mike

 

[sparek-3]

My apologies in advance, as this may upset some readers......

I would concur with what you said in this post.

The following is really get a bit off of this topic, but I think it applies to what @rpvw has said. For the record, I haven't read through this entire thread, but I think I have the gist of what is going on. I have not yet upgraded to cPanel 68, for reasons I am about to explain.

I think ultimately what all of this boils down to is a complete misuse (or misunderstanding) of the various cPanel release tiers (STABLE, RELEASE, CURRENT, EDGE, BETA?). I'm assuming that this "feature" was included in v68 when it was at EDGE and CURRENT? But the issue did not really raise it's head until v68 reached RELEASE? Am I correct in this assumption? If so, this is telling me that there's not enough people using CURRENT or EDGE and finding these issues before the version moves on up the cycle. Either that or cPanel is pushing out versions too fast through the various tiers.

cPanel has attempted to remedy some of this with their new LTS schedule that went into affect this year. But it's still not a perfect system.

I'm not sure of what the exact solution is. But just because there's not an immediate solution, doesn't mean you can't identify it as a problem.

In my opinion, cPanel would be a bit better served if they simplified these release tiers.

Have an EDGE release that's mostly for developers - people that develop plugins and addon products for cPanel. Not really real-world ready

Have an LTS version - perhaps twice a year instead of the current once per year. Continue to support both versions (provide security updates) for 12 months. Another words release an LTS in January, release another LTS in June but continue to support the January release through December, and continue to support the June release through May.

Have something in between - call it RELEASE or CURRENT. This tier gets updated more often. Ideally you'd provide some type of incentive (lower price?) to use this tier, the idea being to get more people willing to use this tier and identify real-wolrd issues before it reaches LTS. This only works if you have a legitimate number of using using this tier and using it in real-word production environments, otherwise everyone is just going to be on LTS and only identify the issues when the release hits LTS.

This is one reason why I stay a bit behind the RELEASE tier (I suppose STABLE is more of where I'm at, but you can likely expect to find more issues with v68 when it reaches STABLE as even more users get the update). I stay tuned into these forums to see what "issues" might exist in various releases.

I know all of this is a bit off of the original topic here. But I just think this issue could have been avoided if it had been identified earlier in the release cycle.

 

[rpvw]

Do you have any idea if disabling those three notifications (under Manage AutoSSL-->Options) also disables (sets to =0) existing settings for the indivdual cPanel users that are entered into /var/cpanel/users/<account> ?

I am sorry but I did not test that, since I had previously used the shell script that a user kindly provided in one of the many recent threads pertinent to this subject, to loop through all the users, and disable the notifications in each user cPanel so everything was already set to =0

unchecked the options in Manage AutoSSL-->Options, the lines in /var/cpanel/users/<account> still exist and did not change.

I also found that behaviour on users that I had disabled in WHM >> SSL/TLS >> Manage AutoSSL > Manage Users.

I raised a bug report about it because I felt that the notification options should not even be displayed in a users cPanel if the autoSSL had been disabled for that user - I never got a reply, so I closed the report in a fit of pique.

 

[rpvw]

You might like to read through a thread I opened some time ago relating to accelerated (and possibly unrealistic) release schedules and their consequences.

Updates and Minefields

 

[sparek-3]

Indeed!

I pretty much echo everything you said in that thread. Perhaps my post really belongs in that thread.

As you said, there just seems to be a lot missing from a quality control standpoint.

I also don't believe there is anything wrong with constructive criticism. A boardroom full of yes men won't get you very far. As long as it's done in a tactful manner and your posts are always polite, maybe a side of grumpy, but there's nothing wrong with that (mine are too at time).

 

[germany]

So, client will receive at least one notification.

 

[desk]

Hi,
I'm an end user managing a simple web site, & know nothing of scripts & servers. But I keep getting AutoSSL renewal notices (see attachment SSL letter.gif).
As far as I know, I've never had certificates attached to either of my domain names.
The server who seems to be sending the notices (Hudson Valley Host) is one I have never used.
The log-on page the letter sends me to will not accept my current cPanel username & password, nor any I have used in the past.

My question is simple: is there some way I can stop the reminders from my end?
I don't know if they can be treated as ordinary junk mail, as the sender is listed as my own cPanel account, from my email address at my current servers. (If they were blocked, it might destabilize the situation.)
I spoke to my servers, who directed me to the other server that seems to send the letters, but after days of being put on tickets the reminders keep arriving.

Can you suggest any remedy?
Thanks

 

[sparek-3]

(I'm slightly off-topic again)

The log-on page the letter sends me to will not accept my current cPanel username & password, nor any I have used in the past.

You probably shouldn't do that. This is how phishing scams work. Your real cPanel username and password may be compromised now. I would suggest that you log into your real cPanel account (http://yourdomain.tld/cpanel) and change your password as soon as possible.

I'm not saying that this particular link was a phishing scam, but you never know. If your real login isn't working, then it's obviously not a link to your real cPanel.

 

[cPanelMichael]

For some reason, Lets Encrypt is not an option in the list of Providers for AutoSSL (only Comodo is listed).

Let's Encrypt isn't enabled by default. Documentation on how to enable it as an AutoSSL provider is available at:

The Let's Encrypt Plugin - cPanel Knowledge Base - cPanel Documentation

I had already disabled the notifications in Contact Manager, but continued to see the notices being sent. After reading this thread, I have disabled the Tweak Settings option. But shouldn't the Contact Manager notification settings in my screenshot below have stopped non-AutoSSL notifications regardless of the Tweak Settings option (as per the last setting shown)? Or was that setting overridden by an individual account setting? If so, what is the purpose of this WHM setting?

The "SSL certificates expiring" notification in "WHM >> Contact Manager" controls whether non-AutoSSL certificate expiry notifications are sent to the server administrator. cPanel users will still default to receiving certificate expiry notifications unless you disable the following option under "Notifications" in "WHM >> Tweak Settings".

Send notifications when certificates approach expiry.

The idea is not to have _any_ of these emails sent out, not even once, unless the admin enables those options. In summary, assuming that a WHM 66 to 68 update does not automatically have those options disabled, I feel they should.

The following case was implemented in cPanel version 68.0.9 to help alleviate this concern for expiry notifications:

Fixed case CPANEL-16548: Defer sending certificate expiry notifications until history catches up.

Per the changes in this case, certificate expiry notifications are not sent out for the first ten days after an upgrade. Note this does not apply to new installations of cPanel.

I guess that the question isn't really one I should expect you or any other user to answer. Some definitive clarification by the cPanel folks would be nice though. Basically, I just want to know what happens, behind the scenes, when those options are unchecked in Manage AutoSSL-->Options. Does it act upon information previously added to /var/cpanel/users/<account>? Or does it act on things higher up, thus ignoring any related entries in /var/cpanel/users/<account> when the options are disabled?

It should ignore previously saved cPanel contact preferences and disable those notifications globally (while preserving the user-configured options in the event you enable those notifications from "WHM >> Manage AutoSSL >> Options" in the future).

I raised a bug report about it because I felt that the notification options should not even be displayed in a users cPanel if the autoSSL had been disabled for that user - I never got a reply, so I closed the report in a fit of pique.

This is fixed as of cPanel version 68.0.12:

Fixed case CPANEL-16755: Ensure disabled notifications options are hidden in cPanel.

So, client will receive at least one notification.

Could you elaborate on the specific notification type you are referring to? New SSL expiry notifications are not sent out for the first ten days after upgrading to cPanel 68. This provides you with some time to configure your notification preferences.

My question is simple: is there some way I can stop the reminders from my end?
I don't know if they can be treated as ordinary junk mail, as the sender is listed as my own cPanel account, from my email address at my current servers. (If they were blocked, it might destabilize the situation.) I spoke to my servers, who directed me to the other server that seems to send the letters, but after days of being put on tickets the reminders keep arriving.

You'd need to access cPanel on the server that's generating the notifications to modify the preferences via the Contact Information option. If your username/password are not working, try contacting your hosting provider to see if they can provide you a valid username/password and login URL for cPanel access (e.g. Old-Server-IP/cpanel).

Thank you.

 

[wwwcad]

All my customers keeps receiving these emails every f***** day.

Hundreds of support tickets asking about what's going on.

People asking Refunds for their branded SSL certificates because we are reporting a fail in their "coverage".

Worst update by Cpanel ever.

 

[cPanelMichael]

Hi @wwwcad,

Were you able to review the previous posts regarding the steps you can take to disable the notifications for all cPanel users? Here's the link to the specific post:

SSL Notifications in cPanel 68

Thank you.

 

[wwwcad]

The only way to stop these emails server-wide was to add a system filter to exim.

/etc/cpanel_exim_system_filter

if $header_subject: contains "AutoSSL"
then
#If logfile configured  
#logwrite "BLOCKED AUTOSSL EMAIL $tod_log $sender_address $sender_address_domain $header_to $sender_address_local_part $header_subject"
   seen finish
endif

 

[cPanelMichael]

The only way to stop these emails server-wide was to add a system filter to exim.

Hello,

While a system filter rule is one way to stop the emails, the other method (referenced in my last response) should also work to stop the notifications. Can you verify if you tried using that script?

Thank you.

 

[wwwcad]

Hello,

While a system filter rule is one way to stop the emails, the other method (referenced in my last response) should also work to stop the notifications. Can you verify if you tried using that script?

Thank you.

No Michael, Sorry. The script was executed and it reported an OK to the changes requested via the API but the emails are still being sent in all our servers. The filter was the only solution to avoid them server-wide.

Example of some of the emails being sent.

2017-12-13 03:16:37 [718430] 1eP2DU-0030ta-3E <= [email protected] H=(localhost.localdomain) [127.0.0.1]:36433 I=[127.0.0.1]:25 P=esmtp S=43785 M8S=0 [email protected] T="[xxxx] \342\232\240 xxxx: The AutoSSL certificate renewal may cause a reduc" from <[email protected]> for [email protected]

 

[cPanelMichael]

The script was executed and it reported an OK to the changes requested via the API but the emails are still being sent in all our servers.

Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look at the system and the email logs to see why exactly it didn't work as expected.

Thank you.

 

[stormy]

I need some final clarification on notifications, because things have changed and the documentation doesn't seem to be updated/complete. There are now 3 places to configure notifications:

1. Tweak settings > Notifications > Send notifications when certificates approach expiry ("Send a notification when an SSL certificate expires soon. The system will only send a notification for an AutoSSL-provided certificate if that certificate fails to renew".)

Does this send notifications to the cPanel user or to the server admin? Or both?

2. Contact manager: There are two related notifications here, "AutoSSL certificates expiring" and "SSL certificates expiring". Both say this: "This option performs no actions when the “Send notifications when certificates approach expiry.” option is disabled in WHM’s “Tweak Settings” interface."

So, depending on the answer to my question about 1, there's no way for the server admin only to receive notifications, and not notify the final users.

3. Manage AutoSSL > Options. Here are the new notification options. I think these are user only notifications. Am I right?

Thanks for the clarification!