System failed to acquire a signed certificate from the cPanel Store

May 5, 2017
19
3
3
Kamas, Utah
cPanel Access Level
Root Administrator
Hi,
I started receiving notifications through cPanel in February:

Subject line: 1 service generated warnings while checking SSL certificates

Content: The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID vcqhek) The cPanel Store returned an error (X::PermissionDenied) in response to the request “POST ssl/certificate/whm-license”: Free hostname certs are not allowed by this partner

I called GoDaddy support (GoDaddy is our hosting provider) to find out what was causing this and they determined it was related to our Service SSL certificates. I renewed them manually (even though they were not expiring until May) through WHM which seemed to work fine, but I still keep getting the above notifications every day.

I've looked around the cPanel forum for a solution and can see other people are having similar issues, however I am not sure if my issue is exactly the same.

I ran the "hostname" and "dig a host.name.tld" commands (which I've seen suggested in other posts) and here's the output from those (I've obfuscated the hostname and IP):

1) hostname
Code:
hosts.example.org
2) dig a host.example.org
Code:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> a hosts.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hosts.example.org.    IN    A

;; ANSWER SECTION:
hosts.example.org.    3600 IN    A    xxx.xxx.xxx.xxx

;; Query time: 28 msec
;; SERVER: 208.109.96.1#53(208.109.96.1)
;; WHEN: Sat Apr 13 08:33:15 2019
;; MSG SIZE  rcvd: 64
After this I ran the "/usr/local/cpanel/bin/checkallsslcerts" command and got the following output:
Code:
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
Received error “X::NoCertificate” from cPanel Store; requesting new certificate …
Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/BCA30B7B48C3E2B510EBE90A58FEBFA7.txt) …
    … complete.
Setting up DNS DCV (CNAME _bca30b7b48c3e2b510ebe90a58febfa7.hosts.example.org) …
    … complete.
Attempting DNS DCV preflight check …
    FAILED: The DNS DCV check (_bca30b7b48c3e2b510ebe90a58febfa7.hosts.example.org IN CNAME) did not return the expected value (b6d2a6f2a96273ae8635bbdbdfabf86f.4557d9adaa29eae5f7898ca3b72499af.comodoca.com).
Attempting HTTP DCV preflight check …
    … success!
(XID vcqhek) The cPanel Store returned an error (X::PermissionDenied) in response to the request “POST ssl/certificate/whm-license”: Free hostname certs are not allowed by this partner
Undoing HTTP DCV setup (/var/www/html/.well-known/pki-validation/BCA30B7B48C3E2B510EBE90A58FEBFA7.txt) …
    … done.
Undoing DNS DCV setup (CNAME _bca30b7b48c3e2b510ebe90a58febfa7.hosts.example.org) …
    … done.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID vcqhek) The cPanel Store returned an error (X::PermissionDenied) in response to the request “POST ssl/certificate/whm-license”: Free hostname certs are not allowed by this partner
The system will check for the certificate for the “dovecot” service.
The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
Can you help identify the issue? I'd like to resolve whatever is causing the errors I'm seeing, but I'm not very familiar with this territory of our server/cPanel.

Thank you!
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,743
306
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
I find this interesting. I was not aware a partner could block the free hostname SSL certificates.

I look forward to hearing a reply from cPanel, but it sounds like godaddy is blocking the free hostname certificates in order to push their clients into buying them?
 
  • Like
Reactions: livingmiracles

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,257
313
Houston
GoDaddy most certainly does block the ability for their customers to provision free hostname certificates, this is an issue you'll need to discuss with them further and is definitely what is occurring here.

I was not aware a partner could block the free hostname SSL certificates.
They can block a number of things including this through Manage2
 
May 5, 2017
19
3
3
Kamas, Utah
cPanel Access Level
Root Administrator
Thank you for the reply.

Just to clarify, when you're looking at the code I provided in my first post, you can tell that GoDaddy is blocking the free hostname certificates (i.e., what's needed for the cPanel Service SSL certificates)?

Thanks!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,257
313
Houston
Hello @livingmiracles

As shown by @Infopro that code specifically states that they're being blocked

Code:
 Free hostname certs are not allowed by this partner
You'll need to discuss with GoDaddy how they want you to proceed with securing the hostname in this instance.