Security certificate issue


SUBMITTED BY: Guest

DATE: Nov. 1, 2019, 9:11 a.m.


  1. Security certificate issue
  2. I'm using cPanel to issue an AutoSSL for my domains. I have one domain with 159 domains parked on top of it... which is misleading, because even though I really only have around 60 parked, the system counts mail.example[1-60].com in the list.
  12. A while back I was getting an error with cPanel's default cert provider (Sectigo), so I switched it to Let's Encrypt. Which was great until Monday, when I got a warning that Let's Encrypt would only issue certs for 100 domains per account. I don't need any of them on mail.example[1-60].com, but there's no way to be selective so I have a bunch of mail certs that I don't need, and it didn't issue certs for a bunch of domains that I DO need.
  13. cPanel said that the issue with Sectigo is resolved, so I changed it back on Monday (7/29/19). But as of today, the domains that were throwing errors are still throwing errors! The AutoSSL log doesn't show any errors for them, but when I go to the site I still see:
  14. NET::ERR_CERT_COMMON_NAME_INVALID
  15. It's not my computer, I've tried from 3 computers on separate networks.
  16. When I view the certificate details, it shows:
  17. Issued by: Let's Encrypt Authority X3
  18. Valid from 7/28/2019 to 10/26/2019
  19. So a certificate exists, it's just not valid. And even though I switched to Sectigo and ran "Run AutoSSL For All Users", and the parked domains are showing up in the log with no errors... it's still trying to use an invalid certificate.
  20. Any ideas what I can do to fix it? I'm losing about $10 /day on each of these parked domains :'-(
  21. Why do you need ssl for a parked domain? Do you know for sure that you wouldn't get any hits if they are just http? What sort of content does it have that you are getting revenue from it?
  22. I have a series of domains parked on top of my main account, then in PHP I check to see what domain they're viewing and then show content specific for that domain.
  23. Adsense shows how much is generated for each domain, so I can see how much I'm losing from it.
  24. These have been fine under HTTPS ever since Google "recommended" that we all change everything over, it's only in the last couple weeks that the AutoSSL in cPanel went wonky.
  25. I would open a web hosting support ticket.
  26. I did, but it's Softlayer... they used to rock, but now it's a joke. I'll probably get a reply sometime tomorrow with a copy-and-paste canned response that does no good; I'll reply, and then get another canned reply on Friday.
  27. I tried to post on the cPanel support forum last night, but their forum is "down for maintenance". So I'm more or less stranded without any help.
  28. How much time passed between the two changes? Could this be a matter of "wait and see"? (or wait and expire, or wait and see what the heck is happening when a site changes certificates that "quick"?)
  40. Sometimes we move too fast --- and it takes time (months even) for things to get back to normal.
  41. Never been in this myself, but isn't there a way to RESCIND a cert from your end? I don't mean from cpanel, I mean directly as the holder of the cert? If all of that is done by your host, you will have to use the host to resolve it. In future, pay the freight for your own cert in future (ie, not free).
  42. How much time passed between the two changes? Could this be a matter of "wait and see"? (or wait and expire, or wait and see what the heck is happening when a site changes certificates that "quick"?)
  43. I discovered the problem on 7/28, and changed the certificate provider early on 7/29. I ran the AutoSSL script so it SHOULD have worked immediately, but even if not then AutoSSL with cPanel runs every 24 hours. So, in theory, it's never supposed to be more than 24 hours.
  44. I see in the log that it ran without errors, though, so I don't know what's up. And I honestly can't afford to wait and see... it's not only the daily money being lost, but any of my users that came daily are going to quickly forget and move on to somewhere else! So this has potential long term fallout :-(
  45. Never been in this myself, but isn't there a way to RESCIND a cert from your end? I don't mean from cpanel, I mean directly as the holder of the cert?
  46. Not that I've been able to find. You would THINK there would be, but I can't find it... I was kinda hoping someone here could tell me how! LOL
  47. If all of that is done by your host, you will have to use the host to resolve it.
  48. It's all supposed to be automated with cPanel, and this is my first time dealing with any bugs from it. I submitted a ticket with Softlayer, but SURPRISE! No reply yet... :'-(
  49. In future, pay the freight for your own cert in future (ie, not free).
  50. If only it were that simple! Revenue is seriously less than 1/4 of what it was 2 years ago, even though traffic is booming. RapidSSL is the cheapest provider I know at $15.95 /each, but that's $1,000 /year I just don't have to spend on something that supposedly helps with Google in some unknown way and might make things marginally faster... ?
  51. You do not mention whether you have checked that the common name matches the hostname.
  52. I assume the problem is revoking through cPanel, because revoking with certbot is documented?
  53. I have no clue what either of those sentences mean, @graeme_p! LOL
  54. I didn't change anything on my end other than switching from Sectigo to Let's Encrypt and then back again, so I don't know why any of the names wouldn't match. How do I find out?
  55. I don't know what "certbot" is, but I haven't found a way to revoke and reissue the certs through cPanel.
  56. If you look at the certificate details you should see a field called "common name". This should match your domain name.
  57. certbot is Let's Encrypt's own software for getting certificates. I have only used it on VPSs running a single site and I imagine using it for a large number of domains might be a pain. I do have to do something similar soon (lots of domains in cPanel) but in that case we only really need the certificates on a few of the domains.
  58. Let's Encrypt would only issue certs for 100 domains per account
  59. I've never come across this issue (although I have fewer than 100 certs)- the only thing I found was a limit of 100 names per certificate. It seems like there is some setting that you have that is specifying separate certificates for each sub-domain (like mail.example.com). Maybe the setting is trying to include all the domains on the same certificate?
  60. I do everything directly on my servers, so I don't know about cPanel configurations. In my case, I explicitly specify the domain names of the certs to renew. (Or rather, the renew command automatically checks what's up for renewal). Also in my case, each domain/sub-domain has its own cert.
  61. I wanted to let you guys and gals know that I've gotten it resolved, and I wanted to post some details for future readers.
  62. First off, Softlayer was NO help. I submitted a ticket for assistance at 9:37pm on 7/31/19, but have not yet had a reply. They used to be great when they were The Planet, and were OK after Softlayer took over. Now IBM has taken over, and their support is worthless.
  63. But I digress.
  64. Last night, in WHM I went to Manage SSL Hosts and deleted the host account that's giving me trouble. This deleted the certificates for all of my parked domains. Then I went to Manage AutoSSL > Manage Users, found the account name, and clicked "Check [example]".
  65. The system ran for a minute before giving the following message:
  66. Checking websites for “example” …
  67. 4:02:09 AM Analyzing “example.com” …
  68. 4:02:09 AM ERROR TLS Status: Defective
  69. ERROR Defect: NO_SSL: No SSL certificate is installed.
  70. But then at the end it gave:
  71. The provider “cPanel (powered by Sectigo)”’s AutoSSL queue already contains a certificate request for “example”’s website “example.com”. The request’s start time is Jul 29, 2019, 9:09:45 PM UTC, and its last poll time is Aug 2, 2019, 9:02:03 PM UTC.
  72. 3:18:54 AM The system has completed the AutoSSL check for “example”.
  73. So for whatever reason, the system thought that the certificate existed, when it did not! I waited for about 2 hours, and there were no further updates and the certificate wasn't working.
  74. Then I noticed that when I viewed one of my sites and got a certificate error, it said that a certificate existed but that it was for another account on my server. That's when I saw that Manage SSL Hosts had listed that account as "Primary" (presumably because, alphabetically, it was the first on the list of accounts).
  75. So I then deleted THAT host, too, and then went back to Manage Users and clicked for it to check both accounts; the one I've been working with all along, and the one that had formerly been listed as the Primary.
  76. Within a few minutes, the log file showed that a new certificate was being installed for both accounts. And within about 10 minutes, all of my accounts were working perfectly again :-D
  77. So I THINK that the key notes here were:
  78. - Go to Manage SSL Hosts and delete the host
  79. - Go to Manage AutoSSL > Manage Users and click "Check [account name]" to get it to reinstall. If it's going to work then it should be reinstalled within 5-10 minutes, max
  80. - If the system thinks that another account's certificate matches the one you deleted and isn't installing the new one, then deleting that host and clicking to reinstall it MAY help. At least, it worked for me.
  81. @csdude55 ... Thanks for the update! Too frequently folks forget to share any resolutions on the forum. Appreciate the report!
  82. You have no idea how many times this forum has saved my butt! LOL We all have a responsibility to help one another out when we can. 10 minutes to post that before I went to bed might save someone else several hours, even DAYS of work in the future... trust me, I know!
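
The common-name check suggested in the thread, and the symptom in the resolution (the server presenting another account's certificate), can be confirmed from any client. This is an added example, not part of the original thread: it uses only the Python standard library, and the hostnames and the `SAMPLE` certificate are constructed, with only the issuer name and expiry date taken from the post.

```python
import socket
import ssl

def fetch_cert(hostname, port=443, timeout=5):
    """Return the certificate served for this SNI name, decoded as a dict.
    The chain is still verified; only hostname checking is off, so a valid
    certificate issued for a different name can be inspected, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(hostname, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern

def check(hostname, cert):
    """Report whether cert covers hostname, plus its issuer and expiry."""
    names = cert_names(cert)
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return {"host": hostname,
            "ok": any(name_matches(hostname, n) for n in names),
            "issuer": issuer.get("commonName"),
            "not_after": cert.get("notAfter"), "names": names}

# Constructed sample in the shape getpeercert() returns: a certificate that
# belongs to a different (hypothetical) account on the same server.
SAMPLE = {
    "subject": ((("commonName", "otheraccount.example"),),),
    "issuer": ((("commonName", "Let's Encrypt Authority X3"),),),
    "notAfter": "Oct 26 12:00:00 2019 GMT",
    "subjectAltName": (("DNS", "otheraccount.example"),
                       ("DNS", "mail.otheraccount.example")),
}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(check(host, fetch_cert(host)))
```

Run with the parked hostnames as arguments; a result with `ok` false whose `names` belong to another account is the mismatch the browser reports as NET::ERR_CERT_COMMON_NAME_INVALID.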
