cPanel’s Free SSL Certs in v58

So, I was playing around with cPanel’s new SSL cert thing at WHM -> Home -> SSL/TLS -> Manage Auto SSL in v58.

Want the details?

I just so happened to have a few sites with expired SSL certs and then some certs about to expire.  So, this new free SSL thing is cool, right?  Easily install/update SSL certs on domains for free?  It’s a bit futzier than that.

First of all, if there’s either a valid or expired cert on a domain, the tool won’t do anything.  A while ago, I set up a cPanel account for my old college boyfriend and then put a Let’s Encrypt cert on it (which was expired, ’cause whatever, Michael).  He set up a half-assed WordPress site.  Whatever, Michael, I’ve known you 20 years and you still can’t finish anything.

Anyway, check this out for an expired cert in the Manage Auto SSL log when I first tried it:

Log for the AutoSSL run for “michael”: Monday, August 29, 2016 7:35:26 PM GMT-0500 (cPanel (powered by Comodo))
12:35:26 AM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
12:35:26 AM Checking websites for “michael” …
12:35:26 AM The website “exboyfriend.net”, owned by “michael”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL).
12:35:26 AM WARN The domain “exboyfriend.net” has failed domain control validation (The system failed to fetch the DCV file at “http://exboyfriend.net/11423.BIN_AUTOSSL_CHECK_PL__.jpIg1_D_Rv25T3QX.tmp” because of an error: The system failed to send an HTTP “GET” request to “http://exboyfriend.net/11423.BIN_AUTOSSL_CHECK_PL__.jpIg1_D_Rv25T3QX.tmp” because of an error: SSL connection failed for exboyfriend.net: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed .). at bin/autossl_check.pl line 449.
12:35:26 AM WARN The domain “www.exboyfriend.net” has failed domain control validation (The system failed to fetch the DCV file at “http://www.exboyfriend.net/11423.BIN_AUTOSSL_CHECK_PL__.lD5RPw1r9BIK0pvz.tmp” because of an error: The system failed to send an HTTP “GET” request to “http://www.exboyfriend.net/11423.BIN_AUTOSSL_CHECK_PL__.lD5RPw1r9BIK0pvz.tmp” because of an error: SSL connection failed for exboyfriend.net: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed .). at bin/autossl_check.pl line 449.
12:35:26 AM The system has completed the AutoSSL check for “michael”.
12:35:26 AM The system has finished checking 1 user.

But just delete the expired cert, right?  Well, the .htaccess forces SSL, so domain validation fails.
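The log above shows a plain `http://` DCV fetch ending in a TLS verification error, which is consistent with the forced-SSL redirect described here. The following is an added example, not part of the original post or of cPanel: a small triage filter that reads an AutoSSL log and labels each DCV failure. The function names and cause labels are assumptions, and the sample lines are abridged from the log above plus one constructed line.

```shell
#!/bin/sh
# Added example: classify AutoSSL DCV failures from a log on stdin.
# Output: one "domain<TAB>cause" line per failed domain.
dcv_triage() {
  LC_ALL=C awk '
    /WARN The domain / && /has failed domain control validation/ {
      # Domain: first run of hostname characters after "The domain ".
      rest = substr($0, index($0, "The domain ") + 11)
      sub(/^[^A-Za-z0-9]+/, "", rest)
      match(rest, /^[A-Za-z0-9.-]+/)
      domain = substr(rest, 1, RLENGTH)
      # A plain-HTTP fetch that ends in a TLS error was redirected to HTTPS
      # and hit a certificate that does not verify.
      if ($0 ~ /request to [^A-Za-z0-9]*http:\/\// && $0 ~ /SSL connect/)
        cause = "https-redirect-bad-cert"
      else
        cause = "other"
      print domain "\t" cause
    }'
}

# Sample input: lines 1-2 abridged ("[...]") from the log in the post,
# line 3 constructed for contrast.
sample_log() {
  cat <<'EOF'
12:35:26 AM WARN The domain “exboyfriend.net” has failed domain control validation ([...] request to “http://exboyfriend.net/11423.BIN_AUTOSSL_CHECK_PL__.jpIg1_D_Rv25T3QX.tmp” because of an error: SSL connection failed for exboyfriend.net: SSL connect attempt failed [...] certificate verify failed .).
12:35:26 AM WARN The domain “www.exboyfriend.net” has failed domain control validation ([...] request to “http://www.exboyfriend.net/11423.BIN_AUTOSSL_CHECK_PL__.lD5RPw1r9BIK0pvz.tmp” because of an error: SSL connection failed for exboyfriend.net: SSL connect attempt failed [...] certificate verify failed .).
12:35:26 AM WARN The domain “static.example” has failed domain control validation ([...] request to “http://static.example/CONSTRUCTED.tmp” because of an error: constructed non-TLS failure).
12:35:26 AM The system has finished checking 1 user.
EOF
}

sample_log | dcv_triage
```

Domains labelled `https-redirect-bad-cert` are the ones where the docroot forces HTTPS while the installed cert no longer verifies.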

What I ended up having to do was this:

root@miss [/home/michael]# mv public_html public_html.bak
root@miss [/home/michael]# mkdir public_html
root@miss [/home/michael]# chown michael:nobody public_html
root@miss [/home/michael]# echo "Did the Auto SSL thing"
Did the Auto SSL thing
root@miss [/home/michael]# rm -rf public_html
root@miss [/home/michael]# mv public_html.bak/ public_html

And then cPanel pulled in the new cert from Comodo.

Log for the AutoSSL run for “michael”: Monday, August 29, 2016 7:37:03 PM GMT-0500 (cPanel (powered by Comodo))
12:37:03 AM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
12:37:03 AM Checking websites for “michael” …
12:37:04 AM The website “exboyfriend.net”, owned by “michael”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL).
12:37:04 AM The system will attempt to renew SSL certificates for the following websites:
12:37:04 AM exboyfriend.net (exboyfriend.net www.exboyfriend.net)
12:37:11 AM The system has completed the AutoSSL check for “michael”.
12:37:11 AM The system has finished checking 1 user

I tested this with a Joomla site on my server with an expired SSL cert and had to do the same thing.

I tested with a plain HTML site and got away with deleting the expired cert and then renaming .htaccess to .htaccess.bak (which was forcing SSL) and then this tool worked.

If there’s not an existing cert (expired or otherwise), then there shouldn’t be an issue.  But here’s what the workflow is looking like as far as general implementation if there *are* existing certs, to keep the futzing to a minimum with CMS installations.

  1. Delete all certs on any domains associated with the cPanel account (expired or otherwise) in WHM -> Home -> SSL/TLS -> Manage SSL Hosts.
  2. mv the public_html dirs to something else and create empty public_html dirs (remember to chown them to user:nobody).  This is for all the sites in a cPanel acct.  If they have more than one addon domain or subdomain in the cPanel acct, um, NO.
  3. Request the cert in WHM -> Home -> SSL/TLS -> Manage AutoSSL and check the log to see if there were any errors.
  4. Delete the empty public_html dir and then put the real public_html back.
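Steps 2 to 4 can be wrapped so the real docroot goes back even when the middle step fails. This is an added example, not from the original post or from cPanel; `with_empty_docroot` is a hypothetical helper, and the command passed to it stands in for step 3 (for instance a prompt that waits while AutoSSL is run in WHM).

```shell
#!/bin/sh
# Added example: steps 2-4 as one function that restores the real docroot
# whether or not the step in between succeeds.
# Usage: with_empty_docroot HOME_DIR OWNER:GROUP COMMAND [ARGS...]
#   e.g. with_empty_docroot /home/michael michael:nobody \
#          sh -c 'printf "Run AutoSSL in WHM, then press Enter: "; read ans'
with_empty_docroot() {
  home=$1; owner=$2; shift 2
  docroot=$home/public_html
  backup=$home/public_html.bak

  [ -d "$docroot" ] || { echo "no $docroot" >&2; return 1; }
  # Refuse to clobber a backup left behind by an earlier, interrupted run.
  [ ! -e "$backup" ] || { echo "$backup already exists" >&2; return 1; }

  # Step 2: move the real site aside and publish an empty docroot.
  mv -- "$docroot" "$backup" || return 1
  rc=0
  mkdir -- "$docroot" && chown "$owner" "$docroot" || rc=1

  # Step 3: run the caller's command only if the empty docroot is in place.
  [ "$rc" -ne 0 ] || "$@" || rc=$?

  # Step 4: drop the empty docroot and put the real one back.
  rm -rf -- "$docroot" && mv -- "$backup" "$docroot" || rc=1
  return "$rc"
}
```

The function does not trap signals, so an interrupted run still needs the manual `mv public_html.bak/ public_html` from the session above.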

The cert generation process doesn’t take very long, but while the empty public_html dir is up, visitors will see the empty dir (or a 403 forbidden if directory indexing is disabled).

Anyway, this is what I encountered while testing the free SSL certs on my server.  If anyone has a better way to do this, please let me know.
