SOLVED Unable to generate free service SSL for server hostname

[IdleServ]

Hi

cPanel requested the SSL service certificate before I had a valid CAA record in place.

Now I'm not sure which CAA record is valid, is it 0 issue "comodoca.com" or 0 issue "sectigo.com"?

I've ran /usr/local/cpanel/bin/checkallsslcerts multiple times over last few days with no success.

The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The system will attempt to replace the revoked certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The system will attempt to replace the revoked certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.

Ticket #93889217

Thanks!

 

[cPRex]

Hey there! Sectigo still recognizes the older Comodo records, as anything from this list will work well in the CAA:

comodoca.com
usertrust.com
trust-provider.com
sectigo.com

As far as the issue, it looks like our team will need to login to the SSL provider to see why the status is set to "processing." Once we have more details I'll update this post with a resolution, or you can feel free to let us know what they find!

 

[cPRex]

It's also worth mentioning that there is not a requirement to have a CAA record at all - that would just restrict who can issue an SSL for the domain, but it's not something that AutoSSL has to see in order to function.

 

[IdleServ]

Hey there! Sectigo still recognizes the older Comodo records, as anything from this list will work well in the CAA:

comodoca.com
usertrust.com
trust-provider.com
sectigo.com

As far as the issue, it looks like our team will need to login to the SSL provider to see why the status is set to "processing." Once we have more details I'll update this post with a resolution, or you can feel free to let us know what they find!

Thanks cPRex! Good to know the valid CAA record domains.

I guess the missing subdomain record may be what has held it up.

 

[cPRex]

Any DNS issues would cause an issue for sure. I do see the hostname you provided in the ticket does resolve when I checked on my end just now, but we'll get an update to that ticket soon.

 

[cPRex]

Just for a quick follow-up - it looks like there was some CAA confusion that caused us to have to cancel the original order on our side. Once that was resolved the SSL was able to be issued properly. Glad it all worked out!