SOLVED AutoSSL alerts for account terminated months ago

[Metro2]

This is not another AutoSSL complaint thread. We all know very well that there have been some challenges in the past couple years and, for a many of us, simply switching from Sectigo to Let's Encrypt resolves those issues.

This is something new for me, and I'm wondering if it's happening to anyone else.

My goal for this thread is to hopefully avoid opening a ticket for the very busy cPanel support staff, and to find out if there's a simple solution that I might be overlooking, one that which maybe someone else has encountered after switching from Sectigo to Let's Encrypt.

More preface - even through the rough patches I stuck with Sectigo for a long time and was able to get by with just running /usr/local/cpanel/bin/autossl_check --all once a week, or
/usr/local/cpanel/bin/autossl_check --user={username} for those stubborn occasions, after cPanel made Let's Encrypt easier to implement right in WHM's AutoSSL management basically seamlessly, in recent months I switched over with joy! And for the most part, everything has been perfectly fine ever since!

But here is an anomaly I've just started encountering with an "account" that I terminated from my shared hosting environment, which I terminated even before switching from Sectigo to Let's Encrypt - I'm now receiving these email notices:

AutoSSL reduced SSL coverage



example.com: AutoSSL reduced SSL coverage
 

AutoSSL has successfully renewed the Domain Validated (DV) SSL certificate for “example.com”. The new certificate lacks the following domains that the previous certificate secured:

⛔ example.com (checked on Sep 19, 2023 at 2:15:19 AM UTC)

There is no recorded error on the system for “example.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

⛔ www.example.com (checked on Sep 19, 2023 at 2:15:19 AM UTC)

There is no recorded error on the system for “www.example.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

⛔ mail.example.com (checked on Sep 19, 2023 at 2:15:19 AM UTC)

There is no recorded error on the system for “mail.example.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

If these domains do not need valid SSL, then you do not need to take any further action. However, if you want AutoSSL to secure these domains, you must resolve the above problems.

The certificate is now active on the website for the following domain names:

    autodiscover.example.com
    cpanel.example.com
    cpcalendars.example.com
    cpcontacts.example.com
    ipv6.example.com
    mail.example.com
    example.com
    webdisk.example.com
    webmail.example.com
    www.example.com
    example.com ⛔
    mail.example.com ⛔
    www.example.com ⛔

NOTE: “⛔” marks domains that the newly-installed certificate does not include or secure. Visitors who access these domain names will see web browser security warnings.
The certificate has the following properties:
Expiration:     Monday, December 18, 2023 at 1:15:14 AM UTC
Domain Names:  
*.example.com
example.com
Subject:  
commonName     example.com
Issuer:  
countryName     US
organizationName     Let's Encrypt
commonName     R3

The certificate’s PEM representation is attached to this message.

Navigate to the “SSL/TLS Manager” interface if you require the private key for this certificate. The key ID for the private key is “e4axxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx9”.

The system generated this notice on Tuesday, September 19, 2023 at 2:15:19 AM UTC.

You can disable the “AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured.” type of notification through the cPanel interface: https://example.com:2083/?goto_app=ContactInfo_Change

Do not reply to this automated message.

So in essence what is happening is:

A.) Somehow AutoSSL still thinks the master domain, which has been long-since terminate even before switching to Let's Encrypt, still exists on the server.

B.) It also thinks the Addon Domain is still present on the server, which has also long-since been terminated.

Has anyone else encountered this after switching from Sectigo to Let's Encrypt in their WHM AutoSSL settings?

Grateful for any feedback, thank you.

 

[cPRex]

Hey hey! Let's start with the simple things first - does the domain/subdomain/addon domain that is listed in the email exist in the server's Apache configuration file (/etc/apache/2/conf/httpd.conf)? AutoSSL can only attempt to secure domains that are listed in a vhost, so I'm wondering if the domain just didn't get removed from Apache.

Another area to check would be /var/cpanel/userdata - a grep of that entire directory wouldn't hurt.

 

[Metro2]

@cPRex thank you. I'm not turning up in either of those, so I tried this (replacing the username / account name with example)

[/]# locate example

And this is what it returns:

[/]# locate example
/backup/.meta/example.db
/backup/2023-09-22/system/dirs/_var_cpanel/notificationsdb/example
/backup/2023-09-22/system/dirs/_var_spool_cron/example
/usr/share/cagefs-skeleton/usr/local/apache/domlogs/ftp.examplet.com.au-ftp_log.offsetftpbytes
/usr/share/cagefs-skeleton/usr/local/apache/domlogs/example-popbytes_log.bkup2
/var/cpanel/notificationsdb/example
/var/log/apache2/domlogs/ftp.examplet.com.au-ftp_log.offsetftpbytes
/var/log/apache2/domlogs/example-popbytes_log.bkup2
/var/spool/cron/example

That looks to me like cPanel Backup is still backing-up the account, which was terminated months ago.

I know I must be overlooking something, but I definitely Terminated the user's account a long time ago.

 

[cPRex]

None of those files would be enough to trigger an AutoSSL run, but it's interesting that notifications are being sent about it.

Just to confirm, and I know this sounds silly but it does happen quite a bit, are you certain the notifications are coming from this particular server? Checking the email headers would confirm the IP address or hostname that is sending the message.

Another thing to check would be to see if cPanel thinks anyone owns that domain. You can run "/scripts/whoowns domain.com" to see if that is still linked with an account somehow.

 

[Metro2]

@cPRex - I had a feeling I was overlooking something. You nailed it. I hadn't looked at the hidden email headers, and sure enough - that user had a friend/service migrate their hosting, but they never removed me from their cPanel > Preferences > Contacts. (I always add my noreply@ addy to each of my user's CP contacts, since many don't pay attention to important notices such as email quotas etc...).

Mystery solved - thank you very much for the polite hint!

 

[cPRex]

Nice! I'm glad it was that simple, and not something crazy.