
Forum Moderators: phranque

Security certificate issue

     
7:28 pm on Jul 31, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


I'm using cPanel to issue an AutoSSL for my domains. I have one domain with 159 domains parked on top of it... which is misleading, because even though I really only have around 60 parked, the system counts mail.example[1-60].com in the list.

A while back I was getting an error with cPanel's default cert provider (Sectigo), so I switched it to Let's Encrypt. Which was great until Monday, when I got a warning that Let's Encrypt would only issue certs for 100 domains per account. I don't need any of them on mail.example[1-60].com, but there's no way to be selective so I have a bunch of mail certs that I don't need, and it didn't issue certs for a bunch of domains that I DO need.

cPanel said that the issue with Sectigo is resolved, so I changed it back on Monday (7/29/19). But as of today, the domains that were throwing errors are still throwing errors! The AutoSSL log doesn't show any errors for them, but when I go to the site I still see:

NET::ERR_CERT_COMMON_NAME_INVALID

It's not my computer, I've tried from 3 computers on separate networks.

When I view the certificate details, it shows:

Issued by: Let's Encrypt Authority X3
Valid from 7/28/2019 to 10/26/2019

So a certificate exists, it's just not valid. And even though I switched to Sectigo and ran "Run AutoSSL For All Users", and the parked domains are showing up in the log with no errors... it's still trying to use an invalid certificate.

Any ideas what I can do to fix it? I'm losing about $10 /day on each of these parked domains :'-(
1:13 am on Aug 1, 2019 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 8, 2016
posts:95
votes: 0


Why do you need ssl for a parked domain? Do you know for sure that you wouldn't get any hits if they are just http? What sort of content does it have that you are getting revenue from it?
1:20 am on Aug 1, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


I have a series of domains parked on top of my main account, then in PHP I check to see what domain they're viewing and then show content specific for that domain.

Adsense shows how much is generated for each domain, so I can see how much I'm losing from it.

These have been fine under HTTPS ever since Google "recommended" that we all change everything over, it's only in the last couple weeks that the AutoSSL in cPanel went wonky.
1:47 am on Aug 1, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11771
votes: 225


i would open a web hosting support ticket.
2:05 am on Aug 1, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


I did, but it's Softlayer... they used to rock, but now it's a joke. I'll probably get a reply sometime tomorrow with a copy-and-paste canned response that does no good; I'll reply, and then get another canned reply on Friday.

I tried to post on the cPanel support forum last night, but their forum is "down for maintenance". So I'm more or less stranded without any help.
6:28 am on Aug 1, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10136
votes: 1010


How much time passed between the two changes? Could this be a matter of "wait and see"? (or wait and expire, or wait and see what the heck is happening when a site changes certificates that "quick"?)

Sometimes we move too fast --- and it takes time (months even) for things to get back to normal.

Never been in this myself, but isn't there a way to RESCIND a cert from your end? I don't mean from cpanel, I mean directly as the holder of the cert? If all of that is done by your host, you will have to use the host to resolve it. In future, pay the freight for your own cert in future (ie, not free).
7:49 am on Aug 1, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


> How much time passed between the two changes? Could this be a matter of "wait and see"? (or wait and expire, or wait and see what the heck is happening when a site changes certificates that "quick"?)

I discovered the problem on 7/28, and changed the certificate provider early on 7/29. I ran the AutoSSL script so it SHOULD have worked immediately, but even if not then AutoSSL with cPanel runs every 24 hours. So, in theory, it's never supposed to be more than 24 hours.

I see in the log that it ran without errors, though, so I don't know what's up. And I honestly can't afford to wait and see... it's not only the daily money being lost, but any of my users that came daily are going to quickly forget and move on to somewhere else! So this has potential long term fallout :-(

> Never been in this myself, but isn't there a way to RESCIND a cert from your end? I don't mean from cpanel, I mean directly as the holder of the cert?

Not that I've been able to find. You would THINK there would be, but I can't find it... I was kinda hoping someone here could tell me how! LOL

> If all of that is done by your host, you will have to use the host to resolve it.

It's all supposed to be automated with cPanel, and this is my first time dealing with any bugs from it. I submitted a ticket with Softlayer, but SURPRISE! No reply yet... :'-(

> In future, pay the freight for your own cert in future (ie, not free).

If only it were that simple! Revenue is seriously less than 1/4 of what it was 2 years ago, even though traffic is booming. RapidSSL is the cheapest provider I know at $15.95 /each, but that's $1,000 /year I just don't have to spend on something that supposedly helps with Google in some unknown way and might make things marginally faster... ?
8:14 am on Aug 1, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2980
votes: 201


You do not mention whether you have checked that the common name matches the hostname.

I assume the problem is revoking through cPanel, because revoking with certbot is documented?
8:18 am on Aug 1, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


I have no clue what either of those sentences mean, @graeme_p! LOL

I didn't change anything on my end other than switching from Sectigo to Let's Encrypt and then back again, so I don't know why any of the names wouldn't match. How do I find out?

I don't know what "certbot" is, but I haven't found a way to revoke and reissue the certs through cPanel.
8:56 am on Aug 1, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts: 2980
votes: 201


If you look at the certificate details you should see a field called "common name". This should match your domain name.

certbot is Let's Encrypt's own software for getting certificates. I have only used it on VPSs running a single site and I imagine using it for a large number of domains might be a pain. I do have to do something similar soon (lots of domains in cPanel) but in that case we only really need the certificates on a few of the domains.
5:00 pm on Aug 1, 2019 (gmt 0)

Moderator from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5844
votes: 190


> Let's Encrypt would only issue certs for 100 domains per account

I've never come across this issue (although I have fewer than 100 certs) - the only thing I found was a limit of 100 names per certificate. It seems like there is some setting that you have that is specifying separate certificates for each sub-domain (like mail.example.com). Maybe the setting is trying to include all the domains on the same certificate?

I do everything directly on my servers, so I don't know about cPanel configurations. In my case, I explicitly specify the domain names of the certs to renew. (Or rather, the renew command automatically checks what's up for renewal). Also in my case, each domain/sub-domain has its own cert.
8:16 am on Aug 4, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


I wanted to let you guys and gals know that I've gotten it resolved, and I wanted to post some details for future readers.

First off, Softlayer was NO help. I submitted a ticket for assistance at 9:37pm on 7/31/19, but have not yet had a reply. They used to be great when they were The Planet, and were OK after Softlayer took over. Now IBM has taken over, and their support is worthless.

But I digress.

Last night, in WHM I went to Manage SSL Hosts and deleted the host account that's giving me trouble. This deleted the certificates for all of my parked domains. Then I went to Manage AutoSSL > Manage Users, found the account name, and clicked "Check [example]".

The system ran for a minute before giving the following message:

Checking websites for “example” …
4:02:09 AM Analyzing “example.com” …
4:02:09 AM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.


But then at the end it gave:

The provider “cPanel (powered by Sectigo)”’s AutoSSL queue already contains a certificate request for “example”’s website “example.com”. The request’s start time is Jul 29, 2019, 9:09:45 PM UTC, and its last poll time is Aug 2, 2019, 9:02:03 PM UTC.
3:18:54 AM The system has completed the AutoSSL check for “example”.


So for whatever reason, the system thought that the certificate existed, when it did not! I waited for about 2 hours, and there were no further updates and the certificate wasn't working.

Then I noticed that when I viewed one of my sites and got a certificate error, it said that a certificate existed but that it was for another account on my server. That's when I saw that Manage SSL Hosts had listed that account as "Primary" (presumably because, alphabetically, it was the first on the list of accounts).

So I then deleted THAT host, too, and then went back to Manage Users and clicked for it to check both accounts; the one I've been working with all along, and the one that had formerly been listed as the Primary.

Within a few minutes, the log file showed that a new certificate was being installed for both accounts. And within about 10 minutes, all of my accounts were working perfectly again :-D

So I THINK that the key notes here were:

- Go to Manage SSL Hosts and delete the host

- Go to Manage AutoSSL > Manage Users and click "Check [account name]" to get it to reinstall. If it's going to work then it should be reinstalled within 5-10 minutes, max

- If the system thinks that another account's certificate matches the one you deleted and isn't installing the new one, then deleting that host and clicking to reinstall it MAY help. At least, it worked for me.
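
An added example, not part of the original posts: a Python check for the symptom in this thread, where a parked domain is served a certificate issued for a different account and the browser reports NET::ERR_CERT_COMMON_NAME_INVALID. It compares each hostname with the subjectAltName entries of the certificate served for it, which is the field current browsers match against; the function names and the sample hostnames are assumptions made for the illustration.

```python
import socket
import ssl


def fetch_san(host, port=443, timeout=5):
    """Return the DNS names in the certificate the server presents for `host`.

    The chain is still verified, but hostname checking is switched off so a
    certificate issued for a different name can be inspected instead of
    aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(host, pattern):
    """Compare a hostname with one certificate name; '*' covers one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern


def audit(served):
    """Map each hostname whose served certificate does not cover it to the names served."""
    return {
        host: names
        for host, names in served.items()
        if not any(name_matches(host, n) for n in names)
    }


# Constructed sample, not data from the thread: two parked domains receive the
# certificate of a different account (the server's default), one is fine.
SAMPLE = {
    "example1.com": ["example1.com", "www.example1.com", "mail.example1.com"],
    "example2.com": ["otheraccount.example", "www.otheraccount.example"],
    "www.example3.com": ["otheraccount.example", "*.otheraccount.example"],
}

if __name__ == "__main__":
    for host, names in audit(SAMPLE).items():
        print(f"{host}: certificate covers {names[:3]} -> name mismatch")
```

To run it against live sites, build the input with `{h: fetch_san(h) for h in hosts}` and pass the result to `audit`.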
3:24 am on Aug 5, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10136
votes: 1010


@csdude55 ... Thanks for the update! Too frequently folks forget to share any resolutions on the forum. Appreciate the report!
6:59 am on Aug 5, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 15, 2013
posts: 1148
votes: 116


You have no idea how many times this forum has saved my butt! LOL We all have a responsibility to help one another out when we can. 10 minutes to post that before I went to bed might save someone else several hours, even DAYS of work in the future... trust me, I know!
 
