DNSOnly SSL certs renewal problem

[Wallu]

So, because of the new (pain in the ass) changes to SSL cert renewal process, how am I supposed to renew (won't auto-renew) certs now?

Domains:
ns2.somedomain.com
cpanel.ns2.somedomain.com
cpcalendars.ns2.somedomain.com
cpcontacts.ns2.somedomain.com
mail.ns2.somedomain.com
webmail.ns2.somedomain.com
whm.ns2.somedomain.com
www.ns2.somedomain.com

Because the "system" created all those not necessary sub-domains, the certs renewal chain breaks. Only one that actually resolves from the above list, is the first one. Others are not needed on a DNSOnly.

What to do now? There is no auto-ssl config (Manage SSL Hosts) on DNSOnly, where you could EXCLUDE others, like there is on a WHM.

- Wallu

EDIT: I think this applies to WHM too. Just checked my WHM, and there are some sub-domains on the WHM cert itself, which do not resolve. For example: whm.whm06.mydomain.com and www.whm06.mydomain.com. Why would I even have these, when my WHM / host is whm06.mydomain.com?

 

[cPRex]

Hey there! The DNSOnly machine wouldn't create any DNS zones by itself, as those would all get synced from a webserver system in a normal cluster configuration.

These domains can be disabled globally on the webserver in WHM:

Service and Proxy Subdomains | cPanel & WHM Documentation

Service subdomains provide access to cPanel & WHM interfaces and services.

docs.cpanel.net

so if you don't need them that is likely the best way to take care of that.

 

[Wallu]

Hey @cPRex ..kinda double posting here ... I realized this effects not just DNSOnly, but WHM too, so posted here already.

- Wallu

 

[cPRex]

No problem - I'll reply to that larger thread :D

 

[horizon2021]

I noticed when trying to renew the hostname cert for a whm/cpanel server two days ago that even with service and proxy subdomains disabled (I don't use them and don't want them - I want all access to come over the specific firewalled port for each service) that it was trying to do dcv for those subdomains during the checkallsslcerts process, all of which subdomains failed DCV obviously except for the server hostname itself. It did successfully renew the server hostname cert though from the cpanel store after many tries.

 

[Wallu]

Yet again I have to write here, about the same SSL crap. Now, I added all my DNSOnly subdomains and sub-subs to dns, and they renewed after day or so. BUT, my whm host is not renewing, and the deadline gets closer and closer.

I have added all whm host subs and sub-subs too, but still it won't renew, and I get notifications every night about Exim, cPanel and Dovecot certs expiring in less than 30 days. My cert expires Feb 23rd, so it's getting closer.

What the hell am I supposed to do here @cPRex ? All domains in the notification e-mail resolve, every one of them, so why is it not renewing?

- Wallu

 

[cPRex]

February 23rd seems like plenty of time for the SSL to renew as hostname certificates get renewed when there are three days left:

https://support.cpanel.net/hc/en-us/articles/1500006023822-How-often-does-AutoSSL-attempt-to-renew

If you get to day 2 and that doesn't happen, put in a ticket to our team.

 

[Wallu]

Riiight, I forgot about that already

Kinda don't wanna get 90 e-mails in 30 days saying my cert is ending,.. but then again, don't wanna turn it off either,.. dilemma.

Anyways, I'll wait, and hopefully it renews. Thanks @cPRex

- Wallu

 

[Wallu]

So when is it supposed to renew @cPRex ?

Still getting this:

The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID nufg4x) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.

..and the cert: Expires: Wednesday, February 23, 2022 at 11:59:59 PM UTC

Kinda cutting it close..

 

[cPRex]

That should definitely be renewing by now - three days is when it should start to process.

Can you submit a ticket to our team so we can take a look?

 

[Wallu]

That should definitely be renewing by now - three days is when it should start to process.

Can you submit a ticket to our team so we can take a look?

Yeah, doing it now

 

[cPRex]

If you could post the ticket number here I'll be sure to follow along on my end as well.

 

[Wallu]

#94419144 @cPRex

 

[cPRex]

Thanks for that - I'm watching that now!