Browser certificate error during initial installation (first WHM login)

Operating System & Version
macOS 13.5.2
cPanel & WHM Version
11.114

wildman

Member
Sep 18, 2023
7
1
3
USA
cPanel Access Level
Root Administrator
When installing cPanel, it's recommended to include an FQDN as the hostname to avoid using the cprapid domain. After setting my hostname (as an example, host.example.tld) and running the installation script, I receive successful output which includes instructions to navigate to the WHM panel in the browser (using the one-time autologin URL, my FQDN hostname, or the IP address).

The problem is that all modern browsers display a certificate warning that you cannot bypass (even using the "Advanced" options). How does one overcome this? What are the steps to take to prevent this from happening in future cPanel deployments?

Edit: Errors:
  • Chrome: NET::ERR_CERT_AUTHORITY_INVALID
  • Firefox: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
As background, my FQDN does have associated A and AAAA DNS records and was resolving to the correct IP addresses prior to running the installation script. Also, running `/usr/local/cpanel/bin/checkallsslcerts` (after the installation script finishes) returns a success for the FQDN but failures for all of the subdomains (www, whm, mail, etc) and then returns the following message when attempting to request a certificate from "cpStore":

The cPanel Store returned an error (X::Item::Validation) in response to the request “POST ssl/certificate/whm-license/90-day”: No valid, active license found for the origin IP.

I understand that I'll need to obtain a license, but that is one of the first steps upon logging in to the WHM interface for the first time. Is one way around this to manually log in to the cPanel store, obtain a license, and then rerun the certificate script? I can troubleshoot further, but wondering what the best practice is here.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,470
2,843
363
cPanel Access Level
Root Administrator
Hey there! I don't think there's a way to overcome this - we can only issue the certificates so quickly. And yes, you would have to get a license, but were you not automatically issued a trial license? If that doesn't happen, you can always contact our Customer Service team at [email protected] to get one issued if you weren't ready to purchase, but normally those happen automatically if the IP hasn't been previously licensed.
 

wildman

> Hey there! I don't think there's a way to overcome this - we can only issue the certificates so quickly. And yes, you would have to get a license, but were you not automatically issued a trial license? If that doesn't happen, you can always contact our Customer Service team at [email protected] to get one issued if you weren't ready to purchase, but normally those happen automatically if the IP hasn't been previously licensed.

Thanks for the reply! In my experience, a trial license is typically generated after logging into WHM for the first time and running through the initial setup. A user won't be able to run through that process since they can't log in to WHM with the certificate issue and since a valid certificate can't be generated without a license, we're stuck in a loop.
 

wildman

Is there a way to generate a trial license without logging in to WHM? When I log in to the cPanel store, I don't see an option to create a trial license (only purchase a license). Since I'm just running through tests at the moment for documentation purposes, I shouldn't need to purchase a license.
 

wildman

> The trial is unrelated to the WHM setup. The only way to get one is to contact our Customer Service team directly so they can set that up for you. Those licenses are good for 15 days.

When I have previously tested WHM/cPanel, a trial license can be obtained when logging into WHM for the first time. Is this only possible if someone previously has contacted customer service directly to set up the ability to obtain trial licenses?

Regardless, trial license or not, there should be a way to generate a valid certificate for the system's FQDN hostname so that a user can log into WHM for the initial set up (and beyond). As of right now, when configuring a system with an FQDN (as recommended in the instructions to bypass the need for a temporary cprapid domain), the only way to sort out this certificate issue is to perform the following steps. If you have any insight into shortening or automating this process, I'm all ears!

1. Log into the cPanel store and obtain a license (or transfer an existing license) for the new system's IP address
2. Log into the new system's shell and run `/usr/local/cpanel/cpkeyclt` to install the license
3. Run `/usr/local/cpanel/bin/checkallsslcerts` to obtain the IP addresses. This may take some time after obtaining the license to work correctly (or is just unreliable) as it failed multiple times with the error `(X::TemporarilyUnavailable)`. The third time running the command after successfully validating the license worked.

After running through that process, I'm not able to log in to WHM without issue.
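
Added example, not part of the original post and not cPanel's code: steps 2 and 3 above as a shell script that reruns `checkallsslcerts` until the certificate WHM serves is no longer self-signed and matches the hostname. It assumes WHM's TLS port is 2087 and that `openssl` is installed; the retry count and 60-second pause are arbitrary choices.

```shell
#!/usr/bin/env bash
# Added example (not cPanel's code): script the license -> certificate workaround
# and confirm the result from the shell instead of the browser.
# Assumptions: WHM serves TLS on port 2087; openssl is installed.

CPKEYCLT=/usr/local/cpanel/cpkeyclt
CHECKCERTS=/usr/local/cpanel/bin/checkallsslcerts

# Print self-signed | name-mismatch | ok for PEM file $1 and hostname $2.
# "self-signed" is judged by subject == issuer, the condition behind the
# browser errors quoted at the top of the thread.
classify_cert() {
    local pem=$1 host=$2 subject issuer
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 2
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed
    elif openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        echo ok
    else
        echo name-mismatch
    fi
}

# Save the leaf certificate presented on host $1, port $2 into file $3.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3" 2>/dev/null
}

# Install the license, then rerun checkallsslcerts until the served certificate
# is CA-issued for the hostname. Exit codes of the cPanel tools are not relied on.
main() {
    local host=$1 tries=${2:-5} pem state n
    pem=$(mktemp) || return 1
    "$CPKEYCLT"
    for n in $(seq 1 "$tries"); do
        "$CHECKCERTS"
        fetch_cert "$host" 2087 "$pem"
        state=$(classify_cert "$pem" "$host" 2>/dev/null)
        echo "attempt $n: ${state:-no certificate}"
        if [ "$state" = ok ]; then rm -f "$pem"; return 0; fi
        sleep 60   # arbitrary pause before the next attempt
    done
    rm -f "$pem"
    return 1
}

# Usage: ./script.sh host.example.tld [attempts]
if [ $# -ge 1 ]; then main "$@"; fi
```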
 

wildman

I guess one way to sort this is to set up the license or trial and assign it to the system's IP address prior to running the installation script. Not ideal, especially since obtaining a license is a feature of the WHM initial set up (which can't be accessed until you obtain a license). I believe this should be filed as a bug report (either documentation-wise or product-wise).
 

cPRex

I think there is some misunderstanding about the process.

The cprapid domain is specifically designed to ensure that users don't need to have their hostname preconfigured in order to access the server securely, to work around the new browser requirements that you've run into.

The trial license doesn't have anything to do with the initial setup process - it happens during the installation. If it didn't, you wouldn't be able to login to WHM at all as the license is required to get to those pages.

We also require a license, trial or not, in order to issue the hostname certificate. If we didn't, we'd just be giving out free SSLs to servers that weren't connected to the cPanel network, which would tarnish our SSL reputation.

Your plan of changing the hostname to your custom solution will only work if you can also preconfigure the DNS for the hostname to resolve to your server. If not, it's best to let the cprapid hostname stay in place until you get the server configured.
 

wildman

Appreciate your time and responses here!

> The trial license doesn't have anything to do with the initial setup process - it happens during the installation. If it didn't, you wouldn't be able to login to WHM at all as the license is required to get to those pages.

Here's the process that currently works for me. The dozen or so times that I've installed cPanel without first purchasing a license on the cPanel store and without specifying an FQDN as the hostname, here's been the behavior:

1. I spin up a new instance on Ubuntu 20.04
2. I run the installation script. This outputs the URLs I can use to access the WHM panel. This is the "installation".
3. I navigate to one of those URLs. The initial WHM setup appears. This is the start of the "initial setup process".
4. I accept the legal agreements
5. The license screen appears with a message similar to "Get Started with a Free cPanel Trial!".
6. Using the on-screen prompts, I log in to the cPanel store to activate my free trial license. This is outlined here: How to Sign Up for a Trial License | cPanel & WHM Documentation
7. I can continue with initial name server set up and proceed to the main WHM interface.

Now I'm trying to set the hostname in advance as per the system requirements (under Networking requirements > Hostname). Here's been the behavior:

1. I spin up a new instance on Ubuntu 20.04
2. I set the hostname to a FQDN (using hostnamectl) and also configure DNS records to point to the new server's IP address. Before proceeding, I wait for the FQDN to resolve to that IP address.
3. I run WHM/cPanel's installation script. This outputs the URLs I can use to access the WHM panel.
4. I navigate to one of those URLs, but I can't access it due to the previously mentioned certificate errors.

I'm stuck here. I can't create a free trial automatically through the store.cpanel.com site unless I navigate there through the WHM initial set up. I can't log in to WHM due to the certificate issue. I can't generate new certificates through cPanel without a license. But I can't obtain a free trial license automatically through the store.cpanel.com site unless I navigate there through the WHM initial set up. And the loop continues.

> The cprapid domain is specifically designed to ensure that users don't need to have their hostname preconfigured in order to access the server securely, to work around the new browser requirements that you've run into.

If cPanel doesn't recommend setting the hostname first (along with the DNS records of course), I can continue using the cprapid domain. To avoid confusion over this domain and for a cleaner installation without using temporary domains, I would prefer to not use the cprapid domain altogether. But if this is not possible with a free trial (as it appears to be at the moment), I can nix this and move on. Though, if that's the case, the folks maintaining your documentation need to update the Networking requirements > Hostname section to warn folks that to do what is recommended (setting the hostname to an FQDN), users need to log in to the cPanel store and purchase a license (or contact cPanel for a trial license), assign the license to their server IP, all before running the installation script. If they don't do this, they'll need to obtain a license and run the previously mentioned commands (outlined above in a prior post) to activate the license and generate a certificate before they can log in to WHM.
 

cPRex

Okay, I have some answers, but I'm not entirely happy with them. I'm going to see if I can speak with some of the AutoSSL team tomorrow to see if we have a better plan moving forward. Once I do that, I'll post some official details.
 

cPRex

Alright, I have some actual thoughts about this now.

I did some testing on my end and confirmed that your initial findings are correct. The problem is that we can't run AutoSSL until the license is in place, but that happens too late in the installation process, leading to the catch-22 situation you've described.

What needs to happen NOW - in order for the SSL to get created as part of the installation process, you'd need to pre-configure the hostname and the supporting DNS for it, AND also have a license, either purchased or trial, in place before the installation starts. If those things happen, the URL will work and the SSL will be in place by the time the installation completes.

What's going to happen in the FUTURE - the short version is we're going to fix this, because this just isn't a good user experience. We plan to make some changes to the AutoSSL system that will get the certificate for the hostname installed earlier in the installation process. I'm not certain when these changes will be implemented, but it's part of some larger work that will likely see an announcement of some sort.

I hope that's helpful, even though the current answer is "it's not ideal".
 

wildman

This is helpful. Thanks for verifying the behavior and confirming the workaround. Also appreciate you working with your team on fixing this. For now, setting the hostname beforehand won't work for us with the current behavior, so we'll not follow the instructions in Networking requirements > Hostname and will instead allow cPanel to create a temporary FQDN for us on the cprapid.com domain.

Hope this thread helps clarify things for others until a fix is implemented.
 