"The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests."

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
@Nathan Lyle - in my ideal world, there would be some level of automated failover between the two providers. Both providers issue DV certificates, so there would not be any difference in coverage, although Let's Encrypt does have lower limits if you have a very large number of domains on one account.
 

Nathan Lyle

Member
Jul 9, 2018
Toledo, Ohio
cPanel Access Level
Reseller Owner
@Nathan Lyle - in my ideal world, there would be some level of automated failover between the two providers. Both providers issue DV certificates, so there would not be any difference in coverage, although Let's Encrypt does have lower limits if you have a very large number of domains on one account.
Honestly I've just reached the point where I'm going to be recommending my clients purchase SSL certificates from another provider. This last year and a half or so has been one SSL headache after another, with sites essentially "going down" due to browser security warnings. My clients end up thinking I'm providing a crappy hosting service as a result of it. There's no notification from WHM that a certificate has gone defective or not renewed for the handful of reasons they keep seeming to. The "Auto" in AutoSSL is unfortunately a bit misleading, since it requires constant eyes-on vigilance. It's one less reason for me to use cPanel, honestly. With the increased license fees, it's not hard to imagine that I'll be looking at alternatives in the near future. The market is certainly open for a good alternative. From what I've read, small folks like myself aren't cPanel's target market anyway. As prices have gone up, the features that were the main reasons I liked using cPanel have been slowly falling apart. :-(
 
  • Like
Reactions: yatesf

yatesf

Member
Sep 28, 2013
cPanel Access Level
Root Administrator
@zhongshan - in version 108 we're adding default support to Let's Encrypt to work alongside Sectigo. The certificates will be issued just the same with either provider, and right now that is the best workaround. I don't have any other option available.
If I'm correct, Let's Encrypt is slightly different from Sectigo in that it does not issue a hostname certificate. Is this right?

Also, I hope there is a better future solution than just offering both providers side by side. The root issue with Sectigo is that their rate limit is being exceeded at the time when many cPanel users are requesting SSL renewals.

Can cPanel negotiate a higher rate limit with Sectigo that's congruent with its increased number of clients querying its service? Or could cPanel perhaps stagger the timeframes at which the majority of cPanel clients are querying Sectigo for their SSL renewals? From what I've seen, it looks like cPanel is bogging down the Sectigo rate limit by bombarding most of its client requests around 5:45am EST.

Perhaps simply spreading out the time-frame of Sectigo SSL requests more fluidly across cPanel's client demographic will alleviate a lot of the rate-limit being exceeded during a few choice/bottlenecked time-frames.
 

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
@yatesf - you're correct that Let's Encrypt still doesn't handle the hostname certificate. We're looking into all those options you've mentioned.
So switching to LE will handle everything except the hostname, which will continue to be "handled" through Sectigo?

Currently all my servers are, or just fiiiiinally succeeded, negotiating a hostname cert with Sucktigo... :/ Save me a few minutes of searching and point me to the script manually to run for host certs, so I can address it on servers that are expired. Please and thank you!

Is this the thinking behind offering both side-by-side? LE for everything but hostname cert, and Sectigo still for hostname? That it will spread out the load and lessen the grief (temporarily)?

@Jheroen - was that from this morning? I haven't heard of any issues on my end yet, but that doesn't mean things can't be happening.
You're kidding, right? I see this error all-the-time! Along with "Sucktigo's too busy to care." From right now:

"10:43:49 PM ERROR AutoSSL failed to request an SSL certificate for “....com” because of an error: (XID 8wp6mp) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (504, Gateway Timeout): <html><body><h1>504 Gateway Tim… "

"10:45:22 PM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later."

"10:46:10 PM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later."

"10:52:02 PM WARN (XID zdp9ra) The response to the HTTP (Hypertext Transfer Protocol) “GET” request from “https://store.cpanel.net/json-api/ssl/certificate/free/2182274429” indicated an error (504, Gateway Timeout): <html><body><h1>504 Gateway Tim… "

----

Regarding this whole issue

1- Let me tell you how for over a month (when things went to crap again, after being "ok" for a while) I have been babysitting tons of expired cert requests, repeating until they finally succeed. Grrr... what a pain! Why don't I go to LE, you ask? Last time I heard, cPanel was "addressing the issue" and I relied on that to come through... Until about a month ago, and since then have been too busy to get on here and yell about it. (...and see the Sectigo dumpster fire.)

2- I can get ALL KINDS of cert notifications, EXCEPT expired certs. What on earth?! Why? I went to turn that on so I could not miss an expired cert (until a client complains) but there's no such thing. Please explain this silliness! (I looked. Twice. If you show me it's there I'll apologize.)
 

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
Save me a few minutes of searching and point me to the script manually to run for host certs, so I can address it on servers that are expired. Please and thank you!
NM this one, I stumbled on it in another post, and then in my own cPanel install notes. ;)

/usr/local/cpanel/bin/checkallsslcerts
 
  • Like
Reactions: yatesf

kdean

Well-Known Member
Oct 19, 2012
Orlando, FL
cPanel Access Level
Root Administrator
Yeah, I'm seeing Gateway timeouts as well when manually run. Also, the usual try again later messages.

Last time I used Let's Encrypt, one thing I didn't like is if you inspected the SSL information in your browser, it exposed all sub-domains for the site that you may not want to make so easily found.

To change the time AutoSSL runs, edit the cronjob in /etc/cron.d/cpanel_autossl

Doing so has generally helped with the auto-runs, it's just manual runs or when I add a new sub-domain, that is very difficult. I've been trying for over a day now to get SSL on a new sub-domain when first setup and subsequent manual runs. Maybe the next auto run will work. Who knows anymore.

Seems that cPanel needs to pay Sectigo more since clearly they don't think they have a good enough deal at the moment to allow the bandwidth.
 

Hueznar

Member
Feb 24, 2004
Spain
This is a nightmare:

WARN (XID ) The response to the HTTP (Hypertext Transfer Protocol) “GET” request from “https://store.cpanel.net/json-api/ssl/certificate/free/2185788000” indicated an error (503, Service Unavailable): <html><body><h1>503 Service Una…

I have dozens of problems with my hosting customers for this SSL problem.

It seems that cPanel is better at raising the price of licenses than fixing their customers' problems :mad:
 

swbrains

Well-Known Member
Sep 13, 2006
I had been having issues a while back with Sectigo errors like this (not accepting requests -- try later), but in the second half of 2022 things were fairly good. Sometimes it would fail, but then successfully issue the cert before it expired. Over the past two weeks, I've had a couple of certs that actually expired and forced me to switch temporarily to Let's Encrypt due to certs that were not able to be renewed before expiring. The problem I've had with LE -- and the reason I switched to Sectigo in the first place -- was due to hitting LE limits. I even requested an increase in my rate limit and was told it was granted, but I still experienced hitting my limit (this is for ~700 hosted accounts). So I stuck with Sectigo but now it's getting worse as certs are actually expiring before they can be renewed. My only recourse is to switch to LE temporarily, force a re-check to generate the required certs, then switch back to avoid hitting LE's rate limit. :confused:
 

swbrains

Well-Known Member
Sep 13, 2006
Given that this issue has been occurring for over a couple of years with no longer-term solution (and I've not heard of a definitive planned solution), one "workaround" -- in order to keep AutoSSL as a "hands-off" solution for hosting providers -- might be to add an option to AutoSSL that says "Use alternative provider if certificate expires without successful renewal". If enabled, the AutoSSL system could catch the Sectigo failures to renew, and if the cert is already expired (or will before the next renewal attempt), then issue a one-time request to the "alternate provider" (Let's Encrypt in this case) for that domain's certificate. This would occur without switching the user's primary provider setting in cPanel, so future attempts would still occur through the primary selected provider (Sectigo in these cases). But failures that would result in a loss of active SSL status for a site could "fall back" to using the other provider to ensure the site is not left without a valid, active certificate in the meantime.
 
  • Like
Reactions: cPRex

swbrains

Well-Known Member
Sep 13, 2006
As a workaround to this issue to avoid expiring certs, I've written a Perl script that I intend to run once per day at a time that is NOT coinciding with the running of the AutoSSL check-all script. Most likely this will be a couple of hours after that check runs, but still preferably overnight when the server is least busy. The script will basically do the following:
Code:
change ssl provider to 'LetsEncrypt'
get list of all hosted accounts on server
for each account {
      get list of parked domains for account
      for each domain in parked-domain-list {
             get expiration date of certificate containing this domain
             if expiration date is less than one day away (i.e. it has likely failed recent cPanel renewal checks) {
                   initiate the AutoSSL check for that account (with Let's Encrypt as the active provider)
             }
      }
}
change ssl provider back to 'cPanel'
Since Let's Encrypt seems to be fairly reliable (but I have issues with rate limiting so I can't switch to it for all accounts every time), my hope is that this will catch the accounts that have trouble renewing in time under cPanel/Sectigo and simply do what I've been doing manually -- Going into Manage AutoSSL, switching to Let's Encrypt, running a check for that one user, then switching back to cPanel/Sectigo.
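
The selection step of the workaround outlined above, as an added example in Python (not swbrains's Perl script and not cPanel code). It assumes the account/domain/expiry inventory has already been collected, with dates in the form printed by `openssl x509 -noout -enddate`; the `max_accounts` cap and the handling of unreadable dates are assumptions added here to keep a fallback run small and to avoid silently skipping a certificate.

```python
import ssl
from collections import defaultdict

# Constructed sample data: (account, domain, notAfter date string).
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  9 12:00:00 2023 GMT")
SAMPLE_INVENTORY = [
    ("alice", "alice.example", "Mar 10 06:00:00 2023 GMT"),
    ("alice", "shop.alice.example", "May 30 12:00:00 2023 GMT"),
    ("bob", "bob.example", "Mar  9 06:00:00 2023 GMT"),   # already expired
    ("carol", "carol.example", "Jun  1 00:00:00 2023 GMT"),
    ("dave", "dave.example", "not a date"),               # unreadable expiry
]


def accounts_needing_fallback(inventory, now, window_seconds=86400,
                              max_accounts=None):
    """Return [(account, seconds_left, [domains])], most urgent first.

    An account qualifies when any of its certificates expires less than
    window_seconds after `now` (epoch seconds) or has already expired.
    One entry per account, because the AutoSSL check runs per account.
    """
    urgent = defaultdict(list)
    for account, domain, not_after in inventory:
        try:
            left = ssl.cert_time_to_seconds(not_after) - now
        except ValueError:
            # Unknown expiry: treat as urgent instead of skipping it.
            left = float("-inf")
        if left < window_seconds:
            urgent[account].append((left, domain))

    ranked = sorted(
        (min(secs for secs, _ in items), account,
         sorted(dom for _, dom in items))
        for account, items in urgent.items()
    )
    picked = [(account, secs, domains) for secs, account, domains in ranked]
    return picked if max_accounts is None else picked[:max_accounts]


if __name__ == "__main__":
    for account, secs, domains in accounts_needing_fallback(
            SAMPLE_INVENTORY, SAMPLE_NOW):
        print(account, secs, ", ".join(domains))
```

The same list doubles as an expiry report for an operator who wants to hear about a lapsed certificate before a client does.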
 

Jheroen

Active Member
Mar 18, 2008
So switching to LE will handle everything except the hostname, which will continue to be "handled" through Sectigo?

Currently all my servers are, or just fiiiiinally succeeded, negotiating a hostname cert with Sucktigo... :/ Save me a few minutes of searching and point me to the script manually to run for host certs, so I can address it on servers that are expired. Please and thank you!

Is this the thinking behind offering both side-by-side? LE for everything but hostname cert, and Sectigo still for hostname? That it will spread out the load and lessen the grief (temporarily)?



You're kidding, right? I see this error all-the-time! Along with "Sucktigo's too busy to care." From right now:

"10:43:49 PM ERROR AutoSSL failed to request an SSL certificate for “....com” because of an error: (XID 8wp6mp) The response to the HTTP (Hypertext Transfer Protocol) “POST” request from “https://store.cpanel.net/json-api/ssl/certificate/free” indicated an error (504, Gateway Timeout): <html><body><h1>504 Gateway Tim… "

"10:45:22 PM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later."

"10:46:10 PM The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later."

"10:52:02 PM WARN (XID zdp9ra) The response to the HTTP (Hypertext Transfer Protocol) “GET” request from “https://store.cpanel.net/json-api/ssl/certificate/free/2182274429” indicated an error (504, Gateway Timeout): <html><body><h1>504 Gateway Tim… "

----

Regarding this whole issue

1- Let me tell you how for over a month (when things went to crap again, after being "ok" for a while) I have been babysitting tons of expired cert requests, repeating until they finally succeed. Grrr... what a pain! Why don't I go to LE, you ask? Last time I heard, cPanel was "addressing the issue" and I relied on that to come through... Until about a month ago, and since then have been too busy to get on here and yell about it. (...and see the Sectigo dumpster fire.)

2- I can get ALL KINDS of cert notifications, EXCEPT expired certs. What on earth?! Why? I went to turn that on so I could not miss an expired cert (until a client complains) but there's no such thing. Please explain this silliness! (I looked. Twice. If you show me it's there I'll apologize.)
When is this BS system fixed!!!!!!!!!!!!!!

The system will try again later means the system won't do anything other than NOT work!
 

ITHKBO

Active Member
Jun 23, 2020
Netherlands
cPanel Access Level
Root Administrator
We received a notification from cpanel.net that there was planned maintenance last weekend for Sectigo.
I have no idea if it resolved the above as we no longer use Sectigo, Comodo for exactly the same reasons. We gave up on it about 6 months ago.
I have attached the notification below.

Furthermore, the usability score in the interface has been bumped down for Sectigo, so though I cannot confirm this, it can be an indication that the official solution is to get rid of Sectigo. Based on that the cPanel trademark has been removed.

[Attached screenshots: sectigo_106.PNG (version 106) vs sectigo_108.PNG (version 108); cpanel_sectigo.PNG]
 
  • Like
Reactions: PeteS and cPRex

PeteS

Well-Known Member
Jun 8, 2017
Oregon
cPanel Access Level
Root Administrator
I can report that where I am using Sectigo, it is once again working pretty well. I suspect it is a lightening of the load over time as servers switch to LE? I don't know that anything was "fixed" but it is working better and the baked in LE option is also a good thing.
 
  • Like
Reactions: yatesf and cPRex

perplex

Active Member
May 3, 2016
UK
cPanel Access Level
Root Administrator
@cPRex

This is absolutely ridiculous "2:07:46 AM The “Sectigo” provider cannot currently accept incoming requests. The system will try again later." When is someone going to take action and provide a fix? The cPanel Sectigo Auto-SSL service is currently NOT FIT FOR USE!
 

slim

Well-Known Member
May 27, 2004
Australia
cPanel Access Level
Root Administrator
Switch to Let's Encrypt - It's easy in the 'Manage AutoSSL' section of WHM - Just switch from Sectigo -> Let's Encrypt and your problems will be solved. It works identically and the switch over for me was seamless. SSLs are almost instant.
 
  • Like
Reactions: cPRex

perplex

Active Member
May 3, 2016
UK
cPanel Access Level
Root Administrator
Switch to Let's Encrypt - It's easy in the 'Manage AutoSSL' section of WHM - Just switch from Sectigo -> Let's Encrypt and your problems will be solved. It works identically and the switch over for me was seamless. SSLs are almost instant.
Thanks but Let's Encrypt is unable to handle the volume of domains (10,000+) I have due to their limits e.g. " You can combine multiple hostnames into a single certificate, up to a limit of 100 Names per Certificate."

cPanel AutoSSL renew continues to throw a variation of crappy errors, again today "11:14:48 PM ERROR AutoSSL failed to request an SSL certificate for “example.com” because of an error: (XID pdaias) The cPanel Store returned an error (X::UnknownError) in response to the request “POST ssl/certificate/free”: Service Unavailable!"
 