AutoSSL cron run time(s)

[swbrains]

When I view /etc/cron.d/cpanel_autossl, it shows:
57 0 * * * root /usr/local/cpanel/bin/autossl_check --all

And when I go into WHM->Manage AutoSSL, I see this message:
This system’s next regular AutoSSL check will occur at 1:57 AM.
Since I'm in ET zone and the server is in CT zone, I assume that makes sense.

But when I view the AutoSSL Log file list, I see the following dates/times:

Why would the AutoSSL check be running at 6:25 AM when it's scheduled to run at 1:57 ET? I thought perhaps it might be the ending time shown in the log list, but when I view a log file, the first line shows the time as 6:25 AM:
6:25:01 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
and the last line shows a time of 6:34 AM.

So it does indeed seem like it is starting at 6:25 AM every morning according to the log. Can someone help clarify the difference between the cron time and the log time for me? Is the log above based on a different cron entry than the one I was looking at?

Thanks!

 

[cPRex]

Hey there! That's interesting - can you let me know what version of cPanel you're using? I just checked a version 108 system and the cron is every 3 hours:

12    2,5,8,11,14,17,20,23    *    *    *    root    /usr/local/cpanel/bin/autossl_check --all

and the logs in the WHM interface match those times well.

If you check one of those logs, does it show a reason for the delay? I'm afraid I don't have a good explanation for that behavior on my end, so if you can't find anything it would be best to make a ticket.

 

[swbrains]

Thanks -- it's version 106.0.14

I couldn't find any information in the logs about a delay or reason. The most recent ones starting at 6:25 AM say this:

Log for the AutoSSL run for all users: Friday, February 3, 2023 6:25:01 AM GMT-0500 (cPanel (powered by Sectigo))
6:25:01 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Looking for potential NAT (Network Address Translation) problems …
6:25:01 AM This server does not use NAT.
6:25:01 AM AutoSSL will verify 406 users’ TLS status and DCV (Domain Control Validation) at a time.
Analyzing 406 users …

Oddly, I noticed the log for yesterday says it did run at 1:57 AM. Then this morning it ran at 1:53 AM and it now says the next check will occur at 1:53 AM.

 

[swbrains]

Hi @cPRex, I have opened a support request for this issue to help clarify why the AutoSSL check is running at different times and why its cron file is being updated based on the last run time. Thanks!

 

[cPRex]

Can you post the ticket number so I can follow along with that?

 

[swbrains]

Here you go: https://support.cpanel.net/hc/en-us/requests/94529178
Thanks!

 

[cPRex]

Thanks for that - I'm following along with that on my end now.

 

[swbrains]

According to technical support, the AutoSSL process may change the cron time for subsequent runs in order to avoid having multiple cPanel servers all hitting the AutoSSL servers simultaneously and causing rate limit issues.

 

[cPRex]

I did see the reply to that ticket, and that's something I wasn't aware of. It turns out we can stagger the crons a bit to help with the AutoSSL load on the provider's side.

 

[swbrains]

Makes sense. I'm just wondering now how I can run my own script to issue LE certs to all the Sectigo failures that aren't going to renew in time without coinciding with the system's AutoSSL check. If the system check ran at a consistent time I could easily just cron mine for several hours later, but now I almost need to detect if the system's check is running and then try again later. Is there some mechanism to determine if the system's AutoSSL check is actively running that I could look for in my script?

 

[cPRex]

The process on our end is still the same - /usr/local/cpanel/bin/autossl_check. If you see an "autossl" process that would be enough to detect that something is happening.

 

[swbrains]

Thanks! Do you know if there is a cPanel API to get a list of running processes (or check if a process is running)?

 

[cPRex]

Not that I know of - I'd just use good ol' "ps aux"

 

[swbrains]

Ok thanks -- I can do that!