The Community Forums


Update to v60 changed SSL certs to self-signed

Discussion in 'Security' started by jndawson, Oct 12, 2016.

  1. jndawson

    jndawson Well-Known Member

    Joined:
    Aug 27, 2014
    Messages:
    103
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    We auto-updated to v60.0.3 last night. One of our servers got self-signed certs installed on all services. The real CA certs don't expire until 11/23/16. We re-installed the CA server cert on all services, the cert shows up in 'Manage Service SSL Certificates' and as the Apache cert.

    All of the autossl settings were turned off before this happened. The installed certs in /var/cpanel/ssl/system/certs/ are all CA certs, and there aren't any self-signed certs listed.

    Where are the self-signed certs located and how do we get rid of them?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello @jndawson,

    Can you confirm that self-signed, and not cPanel-signed, certificates were issued?

    The cPanel-signed hostname certificate is issued independently of the options you have configured in "WHM >> Manage AutoSSL". Here's the document that explains how this works:

    Free cPanel-signed certificate

    The following conditions are also used to determine when to replace an existing certificate:
    • Maintains a weak signature algorithm.
    • Revoked.
    • Self-signed.
    • Invalid (For example, your server's hostname must be valid and resolve in DNS).
    • Expires in less than 25 days.
    Is it possible the existing certificate met one of the conditions other than the expiry date? If so, and if you'd still prefer to use your own certificates, here's the section of the document linked above that explains the steps you can take:


    Thank you.
     
  3. jndawson

    jndawson Well-Known Member

    Joined:
    Aug 27, 2014
    Messages:
    103
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Yes, as I noted, it is self-signed. It is also one we created in 11/2014 (exp 11/15) while setting up that server, which was replaced by a CA cert (which expires 11/23/16).
    • weak algorithm - no
    • revoked - no
    • self-signed - no
    • invalid - no
    • expires in less than 25 days - no

    Did that. Removed all out-of-date certs. Re-installed the CA certs at least twice.

    Still have the old cert notice popping up in browsers and email clients.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you open a support ticket using the link in my signature so we can take a closer look and determine what happened during the update process? You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
  5. jndawson

    jndawson Well-Known Member

    Joined:
    Aug 27, 2014
    Messages:
    103
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    tkt 7779973
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    To update, the support ticket is still in progress; however, it looks like this is potentially related to an internal case (CPANEL-9214). This case is open to address an issue where expired SSL certificates are copied over to "/var/cpanel/ssl/domain_tls/" during the update to cPanel 60. The invalid certificates take priority over valid service certificates, resulting in the replacement of the valid certificates. The current workaround is to manually install the valid certificates via "WHM >> Manage Service SSL Certificates" and then remove the expired/invalid certificates from the "/var/cpanel/ssl/domain_tls/" directory. I'll update this thread again once the resolution is published.

    Thank you.
     
  7. jndawson

    jndawson Well-Known Member

    Joined:
    Aug 27, 2014
    Messages:
    103
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Followup: It appears the culprit is case CPANEL-9214 as cPanelMichael mentioned. The odd thing is that it didn't happen to any of the other cPanel boxes we have. We're still checking things out, but it looks like that was it.
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    The system copied the installed certificates into the Domain TLS storage when the update happened in order to enable SNI on cpsrvd and other services that now use Domain TLS. It is likely you didn't have any expired or self-signed certificates installed on any other machines.

    Before the changes in CPANEL-9214 the system assumed that if you had installed the certificate it should be used. The changes in CPANEL-9214 will pass each installed certificate through a verification to ensure it's not expired, self-signed, or invalid before copying it over to Domain TLS.
     
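As an added illustration of the verification step cPanelNick describes (constructed example code, not cPanel's copy script and not anything from the ticket), the following POSIX shell script classifies every certificate file under a directory as ok, expired, self-signed or invalid using the openssl CLI, which it assumes is installed. The directory path, file names, the subject-equals-issuer test for "self-signed" and the tab-separated report format are assumptions; the hostname-must-resolve-in-DNS condition from the cPanel document is not modeled.

```shell
#!/bin/sh
# Added example, not cPanel's own Apache->DomainTLS copy script.
# Classifies PEM certificate files so that expired, self-signed or
# unparseable ones can be excluded before they are treated as service
# certificates. Assumes the openssl CLI is on PATH; no particular
# directory layout is assumed, every regular file is examined.

# classify_cert FILE
# Prints exactly one word: invalid | expired | self-signed | ok
classify_cert() {
    f="$1"
    # Must parse as an X.509 certificate at all (keys, CSRs, junk -> invalid).
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        printf 'invalid\n'
        return 0
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        printf 'expired\n'
        return 0
    fi
    # Self-signed heuristic (assumption): issuer DN equals subject DN.
    # The prefixes "subject="/"issuer=" are stripped so the DN strings
    # compare equal regardless of the OpenSSL version's DN formatting.
    subj=$(openssl x509 -in "$f" -noout -subject)
    iss=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        printf 'self-signed\n'
        return 0
    fi
    printf 'ok\n'
}

# scan_dir DIR
# Prints "<verdict><TAB><file>" for every regular file under DIR, sorted.
scan_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_cert "$f")" "$f"
    done
}

# count_bad DIR
# Prints the number of files under DIR that were NOT classified "ok";
# a non-zero result is what should stop a copy into a trusted store.
count_bad() {
    scan_dir "$1" | awk -F'\t' '$1 != "ok" { n++ } END { print n + 0 }'
}

# Stand-alone usage: ./check_certs.sh /path/to/certificate/dir
if [ "$#" -ge 1 ]; then
    scan_dir "$1"
    printf 'files not ok: %s\n' "$(count_bad "$1")"
fi
```

Run it against a directory of certificate files and act only when `count_bad` is zero; `scan_dir` lists which files failed and why. The subject-equals-issuer test is a heuristic (a CA-signed certificate with an identical DN would be misreported), so for a production gate pair it with `openssl verify` against the intended chain.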
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The resolution to this case is now published to the "Current" build tier as part of cPanel version 60.0.4:

    Fixed case CPANEL-9214: Make the Apache->DomainTLS copy script ignore invalid certificates.

    An explanation of our release tiers is available on our cPanel & WHM Versions and the Release Process documentation.

    Thank you.
     