Free CPanel SSL cert is replacing our DigiCert SSL for Dovecot every night, breaking access

HarmlessDave
Member, Feb 16, 2020, United States
cPanel Access Level: Website Owner
The new free CPanel-issued SSL cert is a good idea for many people, but it is breaking our access to Dovecot for POP3/IMAP.

Friday night our DigiCert wildcard SSL cert was replaced by the CPanel cert causing connections to mail.DOMAIN.com to break.

I fixed that Saturday morning by going into CPanel and setting the Dovecot SSL cert back to our DigiCert cert, but last night CPanel changed it back again.

How can I get CPanel to stop changing the cert every night?

Unfortunately we are stuck on the old WHM version 56 until I can get the OK to migrate to a new server.
 

HarmlessDave

Member
Feb 16, 2020
5
0
1
United States
cPanel Access Level
Website Owner
More information:

This was the information link we received in the announcement email about free CPanel-issued certs: 56 Release Notes - Version 56 Documentation - cPanel Documentation

It says only self-signed certs will be replaced, but in our case, and with an old CPanel version, it is replacing a DigiCert wildcard cert every night.

Leaseweb technical support found a way to (hopefully) disable this behavior in this CPanel document: http://documentation.cpanel.net:8090/display/76Docs/Manage+Service+SSL+Certificates

"If you create the /var/cpanel/ssl/disable_auto_hostname_certificate touch file, the system will no longer order, download, and install a free cPanel-signed hostname certificate."

We'll find out tonight whether or not that works for us.
 

cPanelLauren
Product Owner II, Staff member, Nov 14, 2017, Houston
Hello,

You noted:

    Friday night our DigiCert wildcard SSL cert was replaced by the CPanel cert causing connections to mail.DOMAIN.com to break.

And that you added the touchfile:

    "If you create the /var/cpanel/ssl/disable_auto_hostname_certificate touch file, the system will no longer order, download, and install a free cPanel-signed hostname certificate."

    We'll find out tonight whether or not that works for us.

But that's just for hostnames; is this the hostname certificate that is being replaced or an AutoSSL certificate?
  • If this is an AutoSSL certificate you should be able to go to WHM >> SSL/TLS >> Manage AutoSSL -> Options and uncheck the setting "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates."
  • If this is a hostname SSL certificate and you're on v56 of cPanel & WHM and that touch file is not working for you (it must be added with UID:GID of root:root), it could be related to an internal case that was opened during that time and subsequently resolved. I dug around and found a couple below:
    • Why it's getting replaced was an issue that should have been resolved in 56.0.9 with CPANEL-5841 - Wildcard certs that do not match the hostname should not be replaced
    • I found another case with a touch file that you might try: CPANEL-5951 - /var/cpanel/ssl/disable_service_certificate_management disables checkallsslcerts
    • You can test this with the following:
      • Create the touch file: touch /var/cpanel/ssl/disable_service_certificate_management
      • Run the Hostname SSL check: /usr/local/cpanel/bin/checkallsslcerts --verbose
  • Ultimately if all of those fail, it might be that you have to implement a different strategy for the workaround like a user agent block for the DCV check
 
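The workaround above has two parts a practitioner will want to keep an eye on: the touch file has to exist and be owned by root:root, and the certificate Dovecot actually serves has to stay the one that was installed. The following stdlib-only Python monitor is an added example written for this thread; it is not cPanel's own tooling and not code posted by either participant. It audits the two touch files named in the thread and pins the SHA-256 fingerprint of the certificate served on the IMAPS port, so a nightly replacement shows up as an alert instead of as broken mail clients the next morning. The host name, port and the expected fingerprint are placeholders you would replace with your own values.

```python
"""Nightly check that Dovecot still serves the certificate we installed,
plus an audit of the cPanel opt-out touch files discussed in the thread.

Added example, not part of the forum thread or of cPanel's own tooling.
Assumptions (labelled): the IMAPS host/port and EXPECTED_FINGERPRINT are
placeholders for your own server; the touch-file paths are the two named
in the thread.
"""
import hashlib
import os
import socket
import ssl
import stat
import sys

# Touch files from the thread; cPanel honours them only when owned by root:root.
TOUCH_FILES = [
    "/var/cpanel/ssl/disable_auto_hostname_certificate",
    "/var/cpanel/ssl/disable_service_certificate_management",
]

# Placeholder: the SHA-256 fingerprint of the certificate you installed for Dovecot.
EXPECTED_FINGERPRINT = "REPLACE_WITH_SHA256_FINGERPRINT_OF_YOUR_INSTALLED_CERT"


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate,
    in the same form `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_matches(der: bytes, expected_fp: str) -> bool:
    """Compare the served certificate with the pinned fingerprint. Case and
    colons are ignored so a value pasted from WHM or from openssl both work."""
    def norm(value: str) -> str:
        return value.replace(":", "").upper()
    return norm(fingerprint_sha256(der)) == norm(expected_fp)


def check_touch_file(path: str, expected_uid: int = 0, expected_gid: int = 0):
    """Return (ok, reason). The file must exist, be a regular file and be owned
    by expected_uid:expected_gid (root:root on a real cPanel server)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path}: missing"
    if not stat.S_ISREG(st.st_mode):
        return False, f"{path}: not a regular file"
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        return False, (f"{path}: owned by {st.st_uid}:{st.st_gid}, "
                       f"expected {expected_uid}:{expected_gid}")
    return True, f"{path}: ok"


def fetch_peer_cert(host: str, port: int = 993, timeout: float = 10.0) -> bytes:
    """Connect to the IMAPS port and return the leaf certificate in DER form.
    Verification is disabled on purpose: we want to record whatever certificate
    is being served, even when it is the wrong one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv) -> int:
    host = argv[1] if len(argv) > 1 else "mail.example.com"  # placeholder host
    failures = []
    for path in TOUCH_FILES:
        ok, reason = check_touch_file(path)
        print(reason)
        if not ok:
            failures.append(reason)
    der = fetch_peer_cert(host)
    print(f"{host}: serving {fingerprint_sha256(der)}")
    if not cert_matches(der, EXPECTED_FINGERPRINT):
        failures.append(f"{host}: served certificate differs from the pinned one")
    for failure in failures:
        print("ALERT:", failure, file=sys.stderr)
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron after the time cPanel's nightly maintenance finishes and route a non-zero exit status to whatever alerting you already use; the fingerprint pin is deliberately strict so that a replacement by any other certificate, valid or not, is reported.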

HarmlessDave

Member
Feb 16, 2020
5
0
1
United States
cPanel Access Level
Website Owner
cPanelLauren said:

    • I found another case with a touch file that you might try? CPANEL-5951 - /var/cpanel/ssl/disable_service_certificate_management disables checkallsslcerts
    • You can test this with the following:
      • Create the touch file: touch /var/cpanel/ssl/disable_service_certificate_management
      • Run the Hostname SSL check: /usr/local/cpanel/bin/checkallsslcerts --verbose

Thank you for finding this; it seems to have fixed our problem!

The certificate being replaced was a plain old Thawte (now DigiCert) 2-year SSL certificate, not a LetsEncrypt type auto-renewing cert.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
I'm really glad that resolved the issue!

HarmlessDave said:

    The certificate being replaced was a plain old Thawte (now DigiCert) 2-year SSL certificate, not a LetsEncrypt type auto-renewing cert.

Right, the issue is related specifically to wildcard certificates, though it is fixed in the next version of cPanel that was released.

HarmlessDave said:

    Unfortunately we are stuck on the old WHM version 56 until I can get the OK to migrate to a new server.

I cannot urge you enough to get off this older version; we've fixed so much and improved upon so much since then. What is keeping you on v56 exactly?
 

HarmlessDave

cPanelLauren said:

    I cannot urge you enough to get off this older version, we've fixed so much and improved upon so much since then. What is keeping you on v56 exactly?

Mostly having our main web site offline for 2 - 8 hours or more while we migrate to a new server. We have customers in all time zones, using it 7 days a week, so there is no good time to do this.

Our CentOS version is too old to support newer versions of CPanel so the server migration is required, and our hosting company says they also are not set up to let us keep using the same IP addresses. The server has 60 GB of data to migrate and is also our mail server.

We're considering moving the mailboxes to Exchange Online which would at least keep email working properly during the migration, but we'll still need to disable some other services used by our customers.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
It shouldn't take that long to migrate as far as downtime goes, but I fully understand the hesitation. Would a guide to transfers minimizing downtime be helpful for you? I could try and get something written up for that.