SOLVED The cPanel Store returned an error (X::TemporarilyUnavailable)

[cPRex]

Update - the hostname certificate issue has been resolved in versions 100.0.8. This was already fixed in all versions of 102.

@Reado - the issues you're seeing are related to the Sectigo issues being discussed here: In Progress - AutoSSL renewal problem

 

[horizon2021]

I'm also seeing this behavior on a server 5-days in a row now during the nightly cron the same as the first post:
The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day

After 5 or so nights, this server updated its hostname certificate now.
One thing I noticed is that before WHM would send an email "your new hostname certificate has been issued" and this time, it did not send any such email.
I liked it sending that email so that when I found the cert different, I knew it was an intentional change.

 

[cPRex]

Hmmmm I'm not aware of any changes to the notification system. Do you see any evidence of it trying to send that if you use this search in the Exim logs?

grep -i certificate /var/log/exim_mainlog | grep -v mismatch

 

[horizon2021]

I've now had the hostname ssl cert renew on 3 servers with the new cpanel provided 90-day hostname cert, and none of them has sent an email regarding the new hostname cert being installed. All of them had the cpanel store temporarily unavailable error email sent several days in a row this time though until they finally completed this time (before I got no error emails and one success email per server when a new cert was installed.)

The last hostname SSL certificate email I got was in March of 2021 "Your free cPanel-signed hostname SSL certificate for <hostname> is available" and this was for a 1-year hostname cert.

 

[noox]

I got the same error mails for 3 days in a row now on my WHHM DNSOnly server. Is there something special to consider (as there is no AutoSSL) or should a just wait for a couple of days?
I'm on v100.0.9

 

[noox]

It failed today the 5th time on my WHM DNSOnly server. This time I noticed the hint in the mail:

This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.

So I executed this manually. Finally it worked.

 

[cPRex]

@horizon2021 - I confirmed the hostname SSL renewals are no longer sending that notification. I reached out to the team through case CPANEL-40040 to have them check and see if this is intended behavior (reduced noise since this happens every 90 days) or something that needs to be addressed. I'll be sure to post as I hear more on the issue.

 

[vagmor]

hello it has been more than a week that keeps failing to get new SSL for my dns only server...

and when i run /usr/local/cpanel/bin/checkallsslcerts i get this error


The system will check for the certificate for the “cpanel†service.
The system will attempt to verify that the certificate for the “cpanel†service is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel†service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel†service and any other services that use the old certificate.
The system will attempt to install a certificate for the “cpanel†service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel†service.
The system will attempt to install a certificate for the “cpanel†service from the cPanel store.
Setting up HTTP DCV (/usr/local/apache/htdocs/.well-known/pki-validation/F381A61B1D3A65F475DEC4466303391F.txt) …
… complete.
Setting up DNS DCV for “ns2.****.gr†…
… complete.

Attempting DNS DCV preflight checks …
ns2.***.gr: DNS DCV OK
www.ns2.****.gr: DNS DCV OK
mail.ns2.***.gr: DNS DCV OK
cpanel.ns2.****.gr: DNS DCV OK
webmail.ns2.***.gr: DNS DCV OK
whm.ns2.****.gr: DNS DCV OK
cpcalendars.ns2.****.gr: DNS DCV OK
cpcontacts.ns2.****.gr: DNS DCV OK
Succeeded domains: 8
Failed domains: 0
Requesting certificate from cPStore …
The response to the HTTP (Hypertext Transfer Protocol) “POST†request from “https://store.cpanel.net/json-api/ssl/certificate/whm-license/90-day†indicated an error (504, Gateway Time-out): <html><body><h1>504 Gateway Tim…
Undoing HTTP DCV setup (/usr/local/apache/htdocs/.well-known/pki-validation/F381A61B1D3A65F475DEC4466303391F.txt) …
… complete.
Enqueueing undo of DNS DCV setup (CNAME _f381a61b1d3a65f475dec4466303391f.ns2.****.gr) …
Undoing DNS DCV setup …
… done.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID azjkyn) The response to the HTTP (Hypertext Transfer Protocol) “POST†request from “https://store.cpanel.net/json-api/ssl/certificate/whm-license/90-day†indicated an error (504, Gateway Time-out): <html><body><h1>504 Gateway Tim…
The system will check for the certificate for the “exim†service.
The system will attempt to verify that the certificate for the “exim†service is still valid using OCSP (Online Certificate Status Protocol).
The “exim†service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim†service and any other services that use the old certificate.
The system will attempt to install a certificate for the “exim†service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim†service.

 

[cPRex]

@vagmor - that seems like a different error than the original subject of this thread. Can you try temporarily disabling the firewall on your server and then running the "/usr/local/cpanel/bin/checkallsslcerts" command to see if that gets the SSL installed?

 

[vagmor]

@vagmor - that seems like a different error than the original subject of this thread. Can you try temporarily disabling the firewall on your server and then running the "/usr/local/cpanel/bin/checkallsslcerts" command to see if that gets the SSL installed?

yes it seems it was csf firewall... but i have the same type of setup for years... why it happened now? maybe you have some ips i should whitelist??

 

[cPRex]

We do have a list of Sectigo IPs here that you can add to the whitelist on the server:

https://support.cpanel.net/hc/en-us/articles/360053968633-What-IP-addresses-do-Sectigo-DCV-requests-originate-from-

It might be a good idea to add those permanently to ensure this issue doesn't happen again.

 

[Gürsoy Koç]

We do have a list of Sectigo IPs here that you can add to the whitelist on the server:

https://support.cpanel.net/hc/en-us/articles/360053968633-What-IP-addresses-do-Sectigo-DCV-requests-originate-from-

It might be a good idea to add those permanently to ensure this issue doesn't happen again.

These IP adresses are already included in /etc/csf/csf.allow file with /etc/csf/cpanel.comodo.allow Please check this file first from CSF / Firewall Allow Ips section.

 

[PPNSteve]

Just want to give this thread a little bump.. It's been happening on our servers as well since the last week of May 2022. Got service domains about to expire June 26th.... no renewing.

Anyone get it resolved or do we just wait for cPanel and Sectigo to get their $h!t together?

 

[cPRex]

@PPNSteve - you're likely experiencing this issue:

In Progress - AutoSSL renewal problem

I did speak with the team that works with Apache and AutoSSL to make them aware of that, so it has been passed along to the right people. I'm not sure I'll really have other updates to report on this, but it's always a good idea to keep an eye on the change logs to see when new features and...

forums.cpanel.net

which Sectigo hasn't been able to resolve completely.

 

[grindlay]

I hit this issue this week, my cert renewal is scheduled for 23:45 UTC. Four consecutive failures with:
" The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later. "
I run CSF but I have the Sectigo IPs in the allow-list (double-checked) and ports 53 (TCP & UDP) and port 80 (TCP) were all open.
I solved by running:
/usr/local/cpanel/bin/checkallsslcerts
at 12pm on a Sunday, the renewal proceeded without a hitch.
I wonder if Sectigo servers are getting overloaded or if there is maintenance going on?

 

[cPRex]

I wonder if Sectigo servers are getting overloaded

That's exactly what's happening as far as we can tell.

 

[Gabriel Grigore]

I'm getting the same error two days in a row. Do you mean I justa have to delete the mentioned folder and retry (what command should I use for that?)? Or should I open a ticket?

 

[cPRex]

@Gabriel Grigore - I'm not aware of needing to delete any folders. If the SSL is close to renewal, please submit a ticket so we can look into this.

 

[WorkinOnIt]

Hi I'm trying to set up a VPS and keep getting for the last day or so

[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID jzu9un) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

Why can't we choose Let's Encrypt for hostnames?

 

[JT1991]

Getting the same issue as above using Let's Encrypt. A little concerned since we had to stop using Sectigo months ago due to unresolved issues.