SOLVED AutoSSL sends notification for expired domains after cPanel v70 update

[kabatak]

We have several Cpanel accounts with expired domains in our server that is not yet deleted. They are dormant for several months now with no issue with AutoSSL.

After Cpanel v70 update, AutoSSL suddenly sends email notifications with subject "AutoSSL certificate expiry..." with body along the lines of "The “cPanel” AutoSSL provider could not renew the SSL certificate..." for these expired domains.

My issue is, why AutoSSL suddenly sends renewal-failure notice for these expired domains and simply did not skip it like it used to?

Aside from expired domains, we noticed some non-expired domains also did not auto renew the AutoSSL, even after re-running AutoSSL from WHM.

Is there a new setting somewhere in WHM that could be related to this?

 

[DennisMidjord]

We can confirm this as well.
Our customer has a few hundred domains and most of them are excluded from AutoSSL. They're using SSL certificates from a third party.
Some of the subdomains, however, doesn't have SSL enabled, and it seems like the customer is receiving notifications for these. The SSL status for all of the domains that they customer was notified about is: "The installed certificate does not cover this domain. The certificate will not renew via AutoSSL because it was not issued via AutoSSL."

 

[Stefaans]

Same thing here. After the WHM update, there were hundreds of emails about expiring certificates while we have the AutoSSL featured disabled.

This reminds me of WHM/cPanel of 15 years ago when every update meant new bugs

 

[cPanelMichael]

Hello Everyone,

We do have a couple of open cases related to the delivery of AutoSSL expiry notifications in cPanel & WHM version 70, however I'll need some more information to verify if those cases are in-fact related to the issues brought up on this thread. Could anyone facing an issue with these notifications run the below commands on an affected system and post the output?

cat /usr/local/cpanel/version
whmapi1 get_autossl_metadata
whmapi1 get_tweaksetting key=notify_expiring_certificates

Additionally, please provide an example of the specific notification that was sent upon the update to cPanel & WHM 70, and if the issue relates to notifications sent to individual cPanel users, please include the output of the following command for an account that falsely received a notification:

cat /home/username/.cpanel/contactinfo

Replace references to real domain names in the output with examples (e.g. domain.tld instead of the real domain).

As far as the existing cases, CPANEL-19808 is open to ensure AutoSSL stops sending notifications about expired certificates seven days after the expiry. Case CPANEL-20411 is open to address an issue where notification contact preferences for cPanel users weren't synced correctly if /home/$user/.cpanel/contactinfo contained empty or missing values.

Thank you.

 

[Stefaans]

Thank you for looking into the issue @cPanelMicheal.

Here is the information requested:

cat /usr/local/cpanel/version
11.70.0.42

whmapi1 get_autossl_metadata
---
data:
  payload:
    clobber_externally_signed: 0
    notify_autossl_expiry: 0
    notify_autossl_expiry_coverage: 0
    notify_autossl_renewal: 0
    notify_autossl_renewal_coverage: 0
    notify_autossl_renewal_coverage_reduced: 0
    notify_autossl_renewal_uncovered_domains: 0
metadata:
  command: get_autossl_metadata
  reason: OK
  result: 1
  version: 1

whmapi1 get_tweaksetting key=notify_expiring_certificates
---
data:
  tweaksetting:
    key: notify_expiring_certificates
    value: 0
metadata:
  command: get_tweaksetting
  reason: OK
  result: 1
  version: 1

Example of email sent (note how this relates to a certificate that expired a long time ago):

clientdomain.com: The AutoSSL certificate expires on Feb 10, 2017 at 12:00:00 AM UTC. At the time of this notice, the certificate expired 460 days, 4 hours, 17 minutes, and 13 seconds ago.

AutoSSL did not renew the certificate for "clientdomain.com". You must take action to keep this site secure.
The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
⛔ mail.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
The system queried for a temporary file at "http://mail.clientdomain.com/.well-known/pki-validation/2D73E65206DC6C4B0DFC194DDF23F866.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "mail.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
⛔ cpanel.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
The system queried for a temporary file at "http://cpanel.clientdomain.com/.well-known/pki-validation/36D5DC3BB2E3F8E38B5C8825AACD0CD0.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "cpanel.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
⛔ webmail.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
The system queried for a temporary file at "http://webmail.clientdomain.com/.well-known/pki-validation/8446BAEBA73E6B87EF79D81B17381E58.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "webmail.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
⛔ clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
The system queried for a temporary file at "http://clientdomain.com/.well-known/pki-validation/B8414D3216CD47FCA577200820117A54.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
⛔ webdisk.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
"webdisk.clientdomain.com" does not resolve to any IPv4 addresses on the internet.
⛔ autodiscover.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
"autodiscover.clientdomain.com" does not resolve to any IPv4 addresses on the internet.
⛔ www.clientdomain.com (checked on May 16, 2018 at 7:42:41 PM UTC)
The system queried for a temporary file at "http://www.clientdomain.com/.well-known/pki-validation/AC88F3DDE0DD43CEF0A947AC9213B748.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "www.clientdomain.com" resolved to an IP address "1.2.3.4" that does not exist on this server.
For the most current status, navigate to the "SSL/TLS Status" interface. You can also exclude domains from future renewal attempts, which would cease future notifications.
The following domains lost SSL coverage when the certificate expired:
mail.clientdomain.com
clientdomain.com
www.clientdomain.com
The certificate that is installed on this website contains the following properties:
Expiration:

Friday, February 10, 2017 at 12:00:00 AM UTC

Domain Names:

clientdomain.com
mail.clientdomain.com
www.clientdomain.com
Subject:

commonName 
clientdomain.com
Issuer:

countryName 
US
stateOrProvinceName 
TX
localityName 
Houston
organizationName 
cPanel, Inc.
commonName 
cPanel, Inc. Certification Authority
To upgrade to an EV or OV certificate, navigate to the "SSL/TLS Wizard" interface.
The system generated this notice on Wednesday, May 16, 2018 at 7:42:46 PM UTC.

You can disable the "AutoSSL cannot request a certificate because all of the website's domains have failed DCV (Domain Control Validation)." type of notification through the cPanel interface: https://hostname:2083/?goto_app=ContactInfo_Change
Do not reply to this automated message.

And finally:

cat /home/username/.cpanel/contactinfo
---
"email": '[email protected]'
"ip": '1.2.3.4'
"notify_account_authn_link": 1
"notify_account_authn_link_notification_disabled": 1
"notify_account_login": 0
"notify_account_login_for_known_netblock": 0
"notify_account_login_notification_disabled": 1
"notify_contact_address_change": 1
"notify_contact_address_change_notification_disabled": 1
"notify_disk_limit": 1
"notify_email_quota_limit": 1
"notify_password_change": 1
"notify_password_change_notification_disabled": 1
"origin": 'cpanel'
"pushbullet_access_token": ''
"second_email": ''

I can confirm that the AutoSSL feature has been disabled for many months; we choose to use the FleetSSL cPanel plugin instead.

 

[cPanelMichael]

Hello @Stefaans,

This doesn't look to relate to any of the existing cases that are open. Do you mind opening a support ticket using the link in my signature so we can take a closer look at your system to see what happened? You can post the ticket number here and we will link this thread to the ticket.

Thank you.

 

[Stefaans]

I have been digging further and found that the problem does not originate on our server. I now feel embarrassed for complaining!

Looking at the Exim main_log, I can see that the erroneous messages did not come from our servers but from servers that belong to other hosting providers. The affected domains were all transferred to our servers in recent months by resellers of ours, and seemingly are still set up on the previous hosting providers' servers. I suspect that said hosting providers are using the AutoSSL feature and tjat they did upgrade their cPanel/WHM to ver 70 (or maybe not) and that did trigger the flood of notifications.

My report is thus a false alarm. I apologise for unnecessarily fuelling the fire.

 

[cPanelMichael]

I have been digging further and found that the problem does not originate on our server. I now feel embarrassed for complaining!

Looking at the Exim main_log, I can see that the erroneous messages did not come from our servers but from servers that belong to other hosting providers. The affected domains were all transferred to our servers in recent months by resellers of ours, and seemingly are still set up on the previous hosting providers' servers. I suspect that said hosting providers are using the AutoSSL feature and tjat they did upgrade their cPanel/WHM to ver 70 (or maybe not) and that did trigger the flood of notifications.

My report is thus a false alarm. I apologise for unnecessarily fuelling the fire.

Hi @Stefaans,

Not a problem! I'm glad you were able to determine the source of the emails. If anyone else is facing this issue, please provide the information requested in my earlier post to this thread.

Thanks!

 

[DennisMidjord]

Hi @cPanelMichael

[root@pro5 ~]# cat /usr/local/cpanel/version
11.70.0.43

[root@pro5 ~]# whmapi1 get_autossl_metadata
---
data:
  payload:
    clobber_externally_signed: 0
    notify_autossl_expiry: 1
    notify_autossl_expiry_coverage: 1
    notify_autossl_renewal: 0
    notify_autossl_renewal_coverage: 1
    notify_autossl_renewal_coverage_reduced: 1
    notify_autossl_renewal_uncovered_domains: 1
metadata:
  command: get_autossl_metadata
  reason: OK
  result: 1
  version: 1

[root@pro5 ~]# whmapi1 get_tweaksetting key=notify_expiring_certificates
---
data:
  tweaksetting:
    key: notify_expiring_certificates
    value: 1
metadata:
  command: get_tweaksetting
  reason: OK
  result: 1
  version: 1

We're only have this issue reported by a single user, but my guess is that most users don't care.
One of the emails starts like this:

sub.domain.tld: The AutoSSL certificate expires on Apr 10, 2018 at 12:16:04
PM UTC. At the time of this notice, the certificate expired 41 days, 13 hours, 35 minutes, and 42
seconds ago.

As @Stefaans reported, this is long overdue (and these emails are in fact sent from our own servers - just checked). The domain has even been excluded from AutoSSL.

As you can see, all notifications from AutoSSL has been disabled for the user reporting the issue:

[root@pro5 ~]# cat /home/<user>/.cpanel/contactinfo
---
"email": '[email protected]'
"ip": '<masked>'
"notify_account_authn_link": 1
"notify_account_authn_link_notification_disabled": 1
"notify_account_login": 0
"notify_account_login_for_known_netblock": 0
"notify_account_login_notification_disabled": 0
"notify_autossl_expiry": 0
"notify_autossl_expiry_coverage": 0
"notify_autossl_renewal_coverage": 0
"notify_autossl_renewal_coverage_reduced": 0
"notify_autossl_renewal_uncovered_domains": 0
"notify_bandwidth_limit": 1
"notify_contact_address_change": 1
"notify_contact_address_change_notification_disabled": 1
"notify_disk_limit": 1
"notify_email_quota_limit": 1
"notify_password_change": 1
"notify_password_change_notification_disabled": 1
"notify_ssl_expiry": 1
"notify_twofactorauth_change": 1
"notify_twofactorauth_change_notification_disabled": 1
"origin": 'cpanel'
"pushbullet_access_token": ''
"second_email": ''

I guess this is related to case CPANEL-20411?

 

[cPanelMichael]

Hi @DennisMidjord,

Thank you for providing the the additional details. Can you also run the below command and let us know the output?

grep notify /var/cpanel/users/username

Replace username with the cPanel user that received the AutoSSL notification.

Thank you.

 

[DennisMidjord]

Sure:

[root@pro5 ~]# grep notify /var/cpanel/users/<username>
notify_account_authn_link=1
notify_account_authn_link_notification_disabled=1
notify_account_login=0
notify_account_login_for_known_netblock=0
notify_account_login_notification_disabled=0
notify_autossl_expiry=0
notify_autossl_expiry_coverage=0
notify_autossl_renewal=
notify_autossl_renewal_coverage=0
notify_autossl_renewal_coverage_reduced=0
notify_autossl_renewal_uncovered_domains=0
notify_bandwidth_limit=1
notify_contact_address_change=1
notify_contact_address_change_notification_disabled=1
notify_disk_limit=1
notify_email_quota_limit=1
notify_password_change=1
notify_password_change_notification_disabled=1
notify_ssl_expiry=1
notify_twofactorauth_change=1
notify_twofactorauth_change_notification_disabled=1

I see that the value for AutoSSL renewal is missing. Is that the problem?

 

[cPanelMichael]

I see that the value for AutoSSL renewal is missing. Is that the problem?

Hello @DennisMidjord,

That's correct, and it explains why the notification was sent. You should be able to solve the issue disabling that notification type and clicking Save in cPanel >> Contact Manager for the account.

Internal cases CPANEL-20411 and CPANEL-20412 will address the overall issue of this occurring. I'll update this thread again once these cases are published.

Thank you.

 

[cPanelMichael]

Hello,

cPanel & WHM version 70.0.44 is now published to the CURRENT release tier and includes the following cases:

Fixed case CPANEL-19808: AutoSSL runs will no longer continue notifying beyond seven days post-expiry.
Fixed case CPANEL-20411: Cpuser notification preferences now are populated if empty.
Fixed case CPANEL-20412: Make contactinfo->cpuser sync not clobber existing cpuser setting.

I'll update this thread again once this build is published to the RELEASE tier.

Thank you.

 

[cPanelMichael]

Hello,

cPanel & WHM Version 70.0.44 is now published to the RELEASE tier.

Thank you.

 

[DennisMidjord]

Shouldn't the following be populated as well? notify_autossl_renewal=
I've just checked, and it looks like that for all users.

 

[cPanelMichael]

Shouldn't the following be populated as well? notify_autossl_renewal=

Hello @DennisMidjord,

The notify_autossl_renewal entry is only populated in /var/cpanel/users/$username when it's synced from /home/username/.cpanel/contactinfo.

Could you open a support ticket so we can take a closer look at an affected system and see why that entry isn't populated in the .contactinfo files for the users on your system? You can post the ticket number here and I'll link this thread to the ticket.

Thank you.

 

[ttt111888]

Hello there, is AutoSSL in cpanel necessary? I have been received the expired messages yesterday. How to renew or do I need to renew?

Issuer:

countryName US organizationName Let's Encrypt commonName Let's Encrypt Authority X3