In Progress UPS-417 AutoSSL not polling for new certs

[dstana]

AutoSSL is no longer installing new certs automatically on expired certs. If I run a manual check on individual users, it will pull and install a new cert.

When I run the check against all users, it does identify that the cert is expired but doesn't issue the cert.

The following is from a manually run check for all users on a particular domain. After this, it goes into the next domain but doesn't issue anything.

 11:59:24 AM Analyzing “domain.com” (website) …
11:59:24 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.79 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
11:59:24 AM Attempting to ensure the existence of necessary CAA records …
11:59:24 AM No CAA records were created.
11:59:24 AM Verifying 8 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
11:59:24 AM “webdisk.domain.com” is managed.
“cpanel.domain.com” is managed.
“mail.domain.com” is managed.
“www.domain.com” is managed.
“domain.com” is managed.
“webmail.domain.com” is managed.
“cpcontacts.domain.com” is managed.
“cpcalendars.domain.com” is managed.
All of this user’s 8 domains are managed.
CA authorized: “domain.com”
CA authorized: “mail.domain.com”
CA authorized: “www.domain.com”
CA authorized: “cpanel.domain.com”
CA authorized: “webdisk.domain.com”
CA authorized: “webmail.domain.com”
CA authorized: “cpcontacts.domain.com”
CA authorized: “cpcalendars.domain.com”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
11:59:24 AM Performing HTTP DCV (Domain Control Validation) on 8 domains …
11:59:24 AM Local HTTP DCV OK: domain.com
Local HTTP DCV OK: www.domain.com
Local HTTP DCV OK: mail.domain.com
Local HTTP DCV OK: cpanel.domain.com
Local HTTP DCV OK: webdisk.domain.com
Local HTTP DCV OK: webmail.domain.com
Local HTTP DCV OK: cpcontacts.domain.com
Local HTTP DCV OK: cpcalendars.domain.com
11:59:24 AM No local DNS DCV is necessary.

But when I run the same thing against the individual user shortly after, it works as expected:

 12:57:50 PM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
 This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
 Analyzing “user”’s domains …
 12:57:50 PM Analyzing “domain.com” (website) …
 12:57:50 PM ERROR TLS Status: Defective
 ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.83 days ago)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
 12:57:50 PM Attempting to ensure the existence of necessary CAA records …
 12:57:51 PM No CAA records were created.
 12:57:51 PM Verifying 8 domains’ management status …
 Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
 12:57:51 PM “webdisk.domain.com” is managed.
 “cpanel.domain.com” is managed.
 “mail.domain.com” is managed.
 “www.domain.com” is managed.
 “domain.com” is managed.
 “webmail.domain.com” is managed.
 “cpcontacts.domain.com” is managed.
 “cpcalendars.domain.com” is managed.
 All of this user’s 8 domains are managed.
 CA authorized: “domain.com”
 CA authorized: “www.domain.com”
 CA authorized: “cpanel.domain.com”
 CA authorized: “mail.domain.com”
 CA authorized: “cpcontacts.domain.com”
 CA authorized: “cpcalendars.domain.com”
 CA authorized: “webdisk.domain.com”
 CA authorized: “webmail.domain.com”
 “cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
 12:57:51 PM Performing HTTP DCV (Domain Control Validation) on 8 domains …
 12:57:53 PM Local HTTP DCV OK: domain.com
 Local HTTP DCV OK: www.domain.com
 Local HTTP DCV OK: mail.domain.com
 Local HTTP DCV OK: cpanel.domain.com
 Local HTTP DCV OK: webdisk.domain.com
 Local HTTP DCV OK: webmail.domain.com
 Local HTTP DCV OK: cpcontacts.domain.com
 Local HTTP DCV OK: cpcalendars.domain.com
 12:57:53 PM No local DNS DCV is necessary.
 12:57:53 PM Processing “user”’s local DCV results …
 12:57:53 PM Analyzing “domain.com”’s DCV results …
 12:57:53 PM AutoSSL will request a new certificate.
 12:57:53 PM The system will attempt to renew the SSL certificate for (domain.com: domain.com www.domain.com mail.domain.com webmail.domain.com cpanel.domain.com webdisk.domain.com cpcontacts.domain.com cpcalendars.domain.com).
 12:58:00 PM The cPanel Store received “domain.com”’s certificate order. (Order Item ID: 1354600783) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
 The system has completed “user”’s AutoSSL check.
 12:59:01 PM Polling for “user”’s new certificate for “domain.com” (order item ID “1354600783”) …
 12:59:03 PM The certificate is available.
 Installing “domain.com”’s new certificate …
 12:59:08 PM SUCCESS Success!

 

[cPanelAnthony]

This sounds like an issue we are actively working on and is known. Does the following article help?

 

[dstana]

This sounds like an issue we are actively working on and is known. Does the following article help?

Not even remotely close. That says the certificates are renewing 3 days before expiration.

This issue is certificates not renewing at all, if you look in that log you can see the cert that was renewed was already expired.

 ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.83 days ago)

 

[cPanelAnthony]

Not even remotely close. That says the certificates are renewing 3 days before expiration.

This issue is certificates not renewing at all, if you look in that log you can see the cert that was renewed was already expired.

 ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.83 days ago)

My apologies. Could you open a support ticket using the link in my signature so we can investigate further? Please provide me with the ticket ID once you do so.

 

[dstana]

My apologies. Could you open a support ticket using the link in my signature so we can investigate further? Please provide me with the ticket ID once you do so.

Ticket submitted

 

[dstana]

For the record, this was resolved with 100.0.5 that hit today.

 

[cPanelAnthony]

For the record, this was resolved with 100.0.5 that hit today.

I'm happy to hear it! Thank you for the confirmation.

 

[Kailash1]

This is not resolved 100% in 100.0.5. It is still failing to pull or renew all SSL certificates. Is anybody else facing the same issue?

 

[kevinlevin]

Same here, on a server running 100.0.5 and using cpanel powered by Sectigo - SSL cannot be renewed for clients.

 

[Reado]

Same here - new server, new SSL certificate. Running 100.0.5 but AutoSSL is only creating self-signed certificates but never actually polling for cPanel-signed certificates. When I run the check SSL certificates script, it hangs for what feels like a minute before completing but not actually installing any certificates!

We have a 15-day migration license at the moment but unable to migrate anything without working SSL certificates.

 

[cPanelAnthony]

Today Sectigo is undergoing maintenance on their systems which has led to delays in certificates being issued. We have more information and you can follow the page for updates about this here:

Why are SSL certificates issued by Sectigo being delayed?

 

[nlaruelle]

Thanks @cPanelAnthony.

Upgrading cPanel to 100.5 without reboot and doing the commands in these posts help me out :

- https://support.cpanel.net/hc/en-us...ates-are-renewed-three-days-before-expiration
- https://support.cpanel.net/hc/en-us/articles/4413896704791

I hope this help the community.

 

[4u123]

Yes we are having this problem too - even on 100.5

When you view the daily AutoSSL log for all users you will see that it identifies the certificate needs renewing but after it has checked DCV it does not say the following...

" AutoSSL will request a new certificate. "

That process is missing from the daily checks and certificates are not being renewed. If you run a check manually on a user - at the same point in the log you see the additional line " AutoSSL will request a new certificate. " and immediately the certs go into pending queue.

 

[cPanelAnthony]

Yes we are having this problem too - even on 100.5

When you view the daily AutoSSL log for all users you will see that it identifies the certificate needs renewing but after it has checked DCV it does not say the following...

" AutoSSL will request a new certificate. "

That process is missing from the daily checks and certificates are not being renewed. If you run a check manually on a user - at the same point in the log you see the additional line " AutoSSL will request a new certificate. " and immediately the certs go into pending queue.

Would you be able to open a ticket using the link in my signature? This would warrant a further look if still an issue.

 

[Benjamin D.]

Same issue here, ever since on v100.0.5 a few domains SSL certs are past expiration and many are expiring soon. Please help

 

[cPanelAnthony]

Same issue here, ever since on v100.0.5 a few domains SSL certs are past expiration and many are expiring soon. Please help

Hello! Please see my above response; a ticket would be needed.

 

[InterServed]

This helped us solve this problem on quite a few cPanel servers. This will reset and issue new certificates that covers the server hostname and services like ftp,exim,dovecot,cpanel

for service in ftp exim dovecot cpanel ; do whmapi1 reset_service_ssl_certificate service=$service ; done ; /scripts/restartsrv_ftpd ; /scripts/restartsrv_dovecot ; /scripts/restartsrv_exim ; /scripts/restartsrv_cpsrvd ; /usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry ; /usr/local/cpanel/bin/checkallsslcerts --allow-retry