In Progress UPS-417 AutoSSL not polling for new certs

dstana

AutoSSL is no longer installing new certs automatically on expired certs. If I run a manual check on individual users, it will pull and install a new cert.

When I run the check against all users, it does identify that the cert is expired but doesn't issue the cert.

The following is from a manually run check for all users on a particular domain. After this, it goes into the next domain but doesn't issue anything.

Code:
 11:59:24 AM Analyzing “domain.com” (website) …
11:59:24 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.79 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
11:59:24 AM Attempting to ensure the existence of necessary CAA records …
11:59:24 AM No CAA records were created.
11:59:24 AM Verifying 8 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
11:59:24 AM “webdisk.domain.com” is managed.
“cpanel.domain.com” is managed.
“mail.domain.com” is managed.
“www.domain.com” is managed.
“domain.com” is managed.
“webmail.domain.com” is managed.
“cpcontacts.domain.com” is managed.
“cpcalendars.domain.com” is managed.
All of this user’s 8 domains are managed.
CA authorized: “domain.com”
CA authorized: “mail.domain.com”
CA authorized: “www.domain.com”
CA authorized: “cpanel.domain.com”
CA authorized: “webdisk.domain.com”
CA authorized: “webmail.domain.com”
CA authorized: “cpcontacts.domain.com”
CA authorized: “cpcalendars.domain.com”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
11:59:24 AM Performing HTTP DCV (Domain Control Validation) on 8 domains …
11:59:24 AM Local HTTP DCV OK: domain.com
Local HTTP DCV OK: www.domain.com
Local HTTP DCV OK: mail.domain.com
Local HTTP DCV OK: cpanel.domain.com
Local HTTP DCV OK: webdisk.domain.com
Local HTTP DCV OK: webmail.domain.com
Local HTTP DCV OK: cpcontacts.domain.com
Local HTTP DCV OK: cpcalendars.domain.com
11:59:24 AM No local DNS DCV is necessary.

But when I run the same thing against the individual user shortly after, it works as expected:

Code:
 12:57:50 PM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
 This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
 Analyzing “user”’s domains …
 12:57:50 PM Analyzing “domain.com” (website) …
 12:57:50 PM ERROR TLS Status: Defective
 ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.83 days ago)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
 12:57:50 PM Attempting to ensure the existence of necessary CAA records …
 12:57:51 PM No CAA records were created.
 12:57:51 PM Verifying 8 domains’ management status …
 Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
 12:57:51 PM “webdisk.domain.com” is managed.
 “cpanel.domain.com” is managed.
 “mail.domain.com” is managed.
 “www.domain.com” is managed.
 “domain.com” is managed.
 “webmail.domain.com” is managed.
 “cpcontacts.domain.com” is managed.
 “cpcalendars.domain.com” is managed.
 All of this user’s 8 domains are managed.
 CA authorized: “domain.com”
 CA authorized: “www.domain.com”
 CA authorized: “cpanel.domain.com”
 CA authorized: “mail.domain.com”
 CA authorized: “cpcontacts.domain.com”
 CA authorized: “cpcalendars.domain.com”
 CA authorized: “webdisk.domain.com”
 CA authorized: “webmail.domain.com”
 “cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
 12:57:51 PM Performing HTTP DCV (Domain Control Validation) on 8 domains …
 12:57:53 PM Local HTTP DCV OK: domain.com
 Local HTTP DCV OK: www.domain.com
 Local HTTP DCV OK: mail.domain.com
 Local HTTP DCV OK: cpanel.domain.com
 Local HTTP DCV OK: webdisk.domain.com
 Local HTTP DCV OK: webmail.domain.com
 Local HTTP DCV OK: cpcontacts.domain.com
 Local HTTP DCV OK: cpcalendars.domain.com
 12:57:53 PM No local DNS DCV is necessary.
 12:57:53 PM Processing “user”’s local DCV results …
 12:57:53 PM Analyzing “domain.com”’s DCV results …
 12:57:53 PM AutoSSL will request a new certificate.
 12:57:53 PM The system will attempt to renew the SSL certificate for (domain.com: domain.com www.domain.com mail.domain.com webmail.domain.com cpanel.domain.com webdisk.domain.com cpcontacts.domain.com cpcalendars.domain.com).
 12:58:00 PM The cPanel Store received “domain.com”’s certificate order. (Order Item ID: 1354600783) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
 The system has completed “user”’s AutoSSL check.
 12:59:01 PM Polling for “user”’s new certificate for “domain.com” (order item ID “1354600783”) …
 12:59:03 PM The certificate is available.
 Installing “domain.com”’s new certificate …
 12:59:08 PM SUCCESS Success!
 

dstana

Quote:
This sounds like an issue we are actively working on and is known. Does the following article help?

Not even remotely close. That says the certificates are renewing 3 days before expiration.

This issue is certificates not renewing at all. If you look in that log, you can see the cert that was renewed was already expired.

Code:
 ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.83 days ago)
 

cPanelAnthony

Administrator
Staff member
My apologies. Could you open a support ticket using the link in my signature so we can investigate further? Please provide me with the ticket ID once you do so.
 

Reado

Same here - new server, new SSL certificate. Running 100.0.5 but AutoSSL is only creating self-signed certificates but never actually polling for cPanel-signed certificates. When I run the check SSL certificates script, it hangs for what feels like a minute before completing but not actually installing any certificates!

We have a 15-day migration license at the moment but are unable to migrate anything without working SSL certificates.
 

4u123

Yes, we are having this problem too - even on 100.5

When you view the daily AutoSSL log for all users, you will see that it identifies that the certificate needs renewing, but after it has checked DCV it does not say the following...

"AutoSSL will request a new certificate."

That process is missing from the daily checks and certificates are not being renewed. If you run a check manually on a user, at the same point in the log you see the additional line "AutoSSL will request a new certificate." and immediately the certs go into the pending queue.
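
The symptom described in the posts above (a website reported as Defective, DCV passing, and no "AutoSSL will request a new certificate." line afterwards) can be checked mechanically. The following is an added example, not code from any poster or from cPanel: `find_stalled_renewals` is a hypothetical helper, the sample logs are constructed and abbreviated from the excerpts in this thread, and it assumes each per-website block runs until the next `Analyzing “…” (website)` line.

```python
import re

# Line shapes follow the AutoSSL log excerpts quoted in this thread.
SECTION = re.compile(r"Analyzing “([^”]+)” \(website\)")
DCV_OK = re.compile(r"Local HTTP DCV OK: (\S+)")

# Constructed samples, abbreviated from the two logs posted above.
NIGHTLY_LOG = """\
11:59:24 AM Analyzing “domain.com” (website) …
11:59:24 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 11/28/21, 12:00 AM UTC (3.79 days ago)
11:59:24 AM Local HTTP DCV OK: domain.com
Local HTTP DCV OK: www.domain.com
11:59:24 AM No local DNS DCV is necessary.
"""
MANUAL_LOG = NIGHTLY_LOG + """\
12:57:53 PM Analyzing “domain.com”’s DCV results …
12:57:53 PM AutoSSL will request a new certificate.
"""


def find_stalled_renewals(log_text):
    """Sites flagged Defective that passed DCV but never got a cert request."""
    sections, current = [], None
    for line in log_text.splitlines():
        m = SECTION.search(line)
        if m:  # a new per-website block starts here
            current = {"site": m.group(1), "defective": False,
                       "dcv_ok": set(), "requested": False}
            sections.append(current)
        elif current is None:
            continue  # preamble before the first website block
        elif "TLS Status: Defective" in line:
            current["defective"] = True
        elif "AutoSSL will request a new certificate" in line:
            current["requested"] = True
        elif (m := DCV_OK.search(line)):
            current["dcv_ok"].add(m.group(1))
    return [s["site"] for s in sections
            if s["defective"] and s["site"] in s["dcv_ok"]
            and not s["requested"]]


if __name__ == "__main__":
    print("nightly run stalled:", find_stalled_renewals(NIGHTLY_LOG))
    print("manual run stalled:", find_stalled_renewals(MANUAL_LOG))
```

Run against a saved copy of the all-users log, any site it returns is one where the run stopped short of ordering a replacement for a certificate it had already judged defective.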
 

cPanelAnthony

Administrator
Staff member
Would you be able to open a ticket using the link in my signature? This would warrant a further look if still an issue.
 

InterServed

This helped us solve this problem on quite a few cPanel servers. This will reset and issue new certificates that cover the server hostname and services like ftp, exim, dovecot, cpanel.

Code:
for service in ftp exim dovecot cpanel; do
    whmapi1 reset_service_ssl_certificate service=$service
done
/scripts/restartsrv_ftpd
/scripts/restartsrv_dovecot
/scripts/restartsrv_exim
/scripts/restartsrv_cpsrvd
/usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry
/usr/local/cpanel/bin/checkallsslcerts --allow-retry
 