Unable to install cPanel-issued SSL for hostname

[Techs-Y]

As mentioned in the title, we have faced an issue with installing cPanel-issued SSL certificate for services (exim, cPanel, FTP etc.). As a result, certificate that is being installed is self-signed and produces security warnings in client browsers. Here is the part of error log:

# /usr/local/cpanel/bin/checkallsslcerts --verbose
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
Received error “X::NoCertificate” from cPanel Store (No free ssl certificate found for this IP); requesting new certificate …
Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/5624D84189B1B926829ADB003F1A6315.txt) …
    … complete.
Setting up DNS DCV (CNAME _5624d84189b1b926829adb003f1a6315.hostname.com) …
    … complete.
Attempting DNS DCV preflight check …
    … success!
Undoing previous HTTP DCV setup (/var/www/html/.well-known/pki-validation/E951377F44A947DDB670A02582365628.txt) …
    … done.
Undoing previous DNS DCV setup (CNAME _e951377f44a947ddb670a02582365628.hostname.com) …
    … done.
The system will check for the certificate for the “dovecot” service.
The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.

Let us know if any more info is needed.

 

[cPanelLauren]

Hi @Techs-Y

How much time did you allow for the certificate installation? It can take some time on some occasions. I don't see any errors in the request in this instance. If the certificate has still not been installed feel free to PM me the IP address and I can look up the status internally.

 

[Techs-Y]

Hi @Techs-Y

How much time did you allow for the certificate installation? It can take some time on some occasions. I don't see any errors in the request in this instance. If the certificate has still not been installed feel free to PM me the IP address and I can look up the status internally.

Hi!

Thanks for reply!

Is this time mentioned somewhere in config files? We let the script run till the end, if you are asking about it.

Sure, we are ready to provide you IP address. But could you clarify how could we send PM? Can't see nor button or link.

 

[cPanelLauren]

Is this time mentioned somewhere in config files? We let the script run till the end, if you are asking about it.

Unfortunately no, there is no set time frame for how long it will take Sectigo to issue a certificate due to the nature of SSL certificates and their workload the time frame can take minutes to hours (in some cases for manual approval a couple days)

Sure, we are ready to provide you IP address. But could you clarify how could we send PM? Can't see nor button or link.

You should be able to click my name in in this post and select "Start a Conversation"

 

[Techs-Y]

Hm.. This issue is our problem for a week. After running the /usr/local/cpanel/bin/checkallsslcerts --verbose script we waited a couple days, and SSL still not updated.


I suppose, this time is enough for certificate approval.


Unfortunately, we can't see it. But you may see the IP here -- it is one-time link

 

[cPanelLauren]

Hello @Techs-Y

I was able to get the IP address. I was able to find the transaction in our internal interface and found that the status is currently:

certificateStatus: PRE-SIGN FAILED!!!

I found that your hostname root domain has a CAA attached to it for letsencrypt.org. This may prevent Comodo from issuing a certificate.

domain.eu.        299    IN    CAA    0 issue "letsencrypt.org"

Would it be possible to remove this?

 

[Techs-Y]

Hello @Techs-Y

I was able to get the IP address. I was able to find the transaction in our internal interface and found that the status is currently:

certificateStatus: PRE-SIGN FAILED!!!

I found that your hostname root domain has a CAA attached to it for letsencrypt.org. This may prevent Comodo from issuing a certificate.

domain.eu.        299    IN    CAA    0 issue "letsencrypt.org"

Would it be possible to remove this?

Yes, we have just did it.
Should we try to re-run the script?

 

[cPanelLauren]

Hello,

I can see the certificate for the root domain was actually just issued as a result of that. If you can, re-run the checkallsslcerts script and let me know when you've completed that.

 

[Techs-Y]

Hello,

I can see the certificate for the root domain was actually just issued as a result of that. If you can, re-run the checkallsslcerts script and let me know when you've completed that.

We've re-run it couple times and here is the output:

The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
The system will check for the certificate for the “dovecot” service.
The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
The cPanel Store is processing the hostname certificate request.
The system will check the cPanel Store again the next time that “/usr/local/cpanel/bin/checkallsslcerts” runs.

Also we have checked SSL Storage manager and there is no updated SSL for the hostname still...

 

[cPanelLauren]

Hello,

Can you try one more time? I asked for the request to be manually canceled since the output you're showing was still seeing the old request.

 

[Techs-Y]

Hello,

Can you try one more time? I asked for the request to be manually canceled since the output you're showing was still seeing the old request.

Just tried - output is the same.

 

[cPanelLauren]

Thanks for that, unfortunately it looks like I had you re-run that a little prematurely. The revocation isn't complete. At this point feel free to open a ticket so that our analysts can assist you further if you'd like. I'd make sure to tell them the following in the ticket:

1. Link to this thread
2. Let them know that you had a CAA record in place for letsencrypt causing the certificate to fail with PRE-SIGN FAILED
3. You've removed the CAA record so it shouldn't be continuing to cause an issue
3. The request was manually revoked but is still in pending status

You might also give it some time (1-2 days) and try again.

 

[Techs-Y]

Okay, meanwhile can we use let'sencrypt SSL crtificate for server's hostname or this can be a problem for current pending process?

 

[Techs-Y]

Just follow up: Looks like this time cPanel Service SSL Certificate has been successfully updated. Not sure if it could be fixed without the revocation from cPanel stuff, but the fact - SSL now updated.
For future it would be good to know whether such issues could be resolved without contacting cPanel reps or there are some steps supposed to be done on cPanel's end anyways?
For now this thread can be closed.
Thank you for your support!

 

[cPanelLauren]

Okay, meanwhile can we use let'sencrypt SSL crtificate for server's hostname or this can be a problem for current pending process?

cPanel does not use letsencrypt to issue free hostname SSL certificates, it is only valid for 90-day AutoSSL certificates.

For future it would be good to know whether such issues could be resolved without contacting cPanel reps or there are some steps supposed to be done on cPanel's end anyways?

The issue was a result of the CAA record you had in place which referenced letsencrypt this limited the ability for Sectigo to issue a hostname SSL certificate. Once the CAA record had been removed, the issue would have rectified itself over time without the assistance of cPanel's support but it may have taken several days for the old request to time out.