The certificate chain failed OpenSSL verification

jtgroup

Active Member
Nov 21, 2017
30
2
8
UK
cPanel Access Level
Root Administrator
Hello,

I was wondering if someone could help me with this please.

One of our customers had their SSL certificate yesterday. A new one couldn't be installed. Error message from the 'Auto SSL' log is:

Code:
Log for the AutoSSL run for “account-name”: Thursday, May 24, 2018 9:45:36 AM GMT+0100 (cPanel (powered by Comodo))
 9:45:36 AM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
 Checking websites for “account-name” …
 9:45:36 AM Checking “account-domain.co.uk” …
 9:45:36 AM ERROR TLS Status: Defective
 ERROR Certificate expiry: 5/24/18, 12:00 AM UTC (0.36 days ago)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
 AutoSSL will request a new certificate.
 9:45:36 AM The system will attempt to renew the SSL certificate for the website (example.co.uk: example.co.uk www.account-domain.co.uk mail.account-domain.co.uk webmail.account-domain.co.uk cpanel.account-domain.co.uk webdisk.account-domain.co.uk).
 9:45:39 AM The system has completed the AutoSSL check for “account-name”.
I'm worried because the new certificate will not install until tonight so we have a whole day with errors popping up on the web site. Is there anyway we can prevent this from happening again such as trying to get the certificate to renew a week before it is due to expire so that the old certificate remains in place until a new, valid one is installed?

Kind regards


James
 
Last edited by a moderator:

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,902
2,229
363
cPanel Access Level
DataCenter Provider
Twitter
Hello James,

Was the previously installed certificate issued by the AutoSSL feature, or was it a third-party SSL certificate? If it was a third-party SSL certificate, the following option is available under the Options tab in WHM >> Manage AutoSSL:

Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.


Per it's description:

This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users’ CA-issued certificates if they are invalid or expire within 3 days.

Unless you fully understand this option, do not select it, because the system could unexpectedly replace an expiring or invalid EV or OV certificate with a DV certificate.
Thank you.
 

prakashnplink

Active Member
Apr 8, 2014
32
1
8
cPanel Access Level
Root Administrator
Got same error. The option "Allow autossl to replace..." also didn't helped. Here is the error I got.

Code:
Log for the AutoSSL run for “username”: Monday, May 28, 2018 12:04:09 PM GMT+05-45 (cPanel (powered by Comodo))
12:04:09 PM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
Checking websites for “username” …
12:04:09 PM Checking “username.com” …
12:04:09 PM ERROR TLS Status: Defective
Certificate expiry: 5/21/19, 12:21 PM UTC (358.25 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
12:04:11 PM AutoSSL will request a new certificate.
12:04:11 PM The system will attempt to renew the SSL certificate for the website (username.com: username.com www.username.com mail.username.com webmail.username.com cpanel.username.com webdisk.username.com).
The provider “cPanel (powered by Comodo)”’s AutoSSL queue already contains a request for a certificate for “username”’s website “username.com”. The request’s start time is May 21, 2018, 12:21:51 PM UTC and its last poll time is May 28, 2018, 12:24:30 AM UTC.
12:04:11 PM The system has completed the AutoSSL check for “username”.
 

jtgroup

Active Member
Nov 21, 2017
30
2
8
UK
cPanel Access Level
Root Administrator
Hello Michael,

The previous certificate was an AutoSSL issued one and 'Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates' is selected.

Kind regards


James