Auto renewal not working after server [cPanel] upgrade

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: govast.com

I ran this command: I used cPanel

It produced this output: NA

My web server is (include version): https://vm323.fcomet.com:2087/

The operating system my web server runs on is (include version): CentOS v7.9.2009 STANDARD kvm

cPanel Version. [106.0.11]

My hosting provider, if applicable, is: Fastcomet.com

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ?

I no longer receive emails saying that the certificate is up for renewal. Nothing. It expires and my customers get irritated. Please help.

Welcome to the community @vastdesign

I checked the certs for both domains you showed and both have a long time remaining before expiry. They would not normally be auto-renewed unless you have set up your renewal to be unusually early (not recommended). And, neither is close enough to expiry to have received a warning email.

Can you explain more about the problem?

Specifically, I used the SSL Checker tool in links I include
cert for govast.com has 55 days before expiry (link here)

cert for vm323.fcomet.com at port 2087 has 37 days remaining (link here)

Further, the vm323.fcomet.com cert is issued by cPanel, not Let's Encrypt.

7 Likes

Hi. Thanks for the quick reply. I had to manually renew the domain. Also, myultrasoundtutor.com had to be manually renewed this morning. It had expired and we didn't know until a customer visited the site.

Joel Perrego

Which one? Because neither domain in your first post is using a cert that was issued recently.

What method do you use to get/renew certs? cPanel?

Looking at crt.sh history (link here) for myultrasoundtutor it looks like your renewal in Oct was not on schedule either. What changed between the Jul cert and Oct one?

6 Likes

I use cPanel to reinstall or renew. The only thing that changed was that fastcomet upgraded our server. That's when it started failing renewals.

Joel Perrego

You should ask fastcomet about these failures. Something in your cPanel setup has gone wrong. Another volunteer with more experience in cPanel might give you suggestions on just what to ask them about. There is nothing more I can offer given the info you have provided.

7 Likes

Hi Mike, I asked our host about the issue and this is their reply:

Unfortunately, the automatic renewal of the Let's Encrypt SSL certificates is not handled directly by us, and is instead handled by said third-party service. Unfortunately, we do not have any means of communicating with this third-party service, nor can we guarantee that the SSL certificates will renew properly. We do not have access to their logs either, to find out why the failures are occurring. I can see how this explanation is not the most satisfactory one, but I hope for your understanding on this matter.

If this issue was something we had direct control over, or any means of remedying, we would have done something about it already. This is not something we want our customers to experience at all.

Also, what is happening right now may be a temporary occurrence. Our other suggestion here would be to renew all the Let's Encrypt certificates you use, so that all of their renewals come at the same time in three months. You should not experience any issues then, and even if you do I see that you do not have many domains which use Let's Encrypt, so manual renewal would be the best way to ensure the domains are secured and renew them manually in order to skip any interruptions with your websites.

Any ideas on how we fix auto renewal?

2 Likes

Without a cause, no.

Their explanation with regard to not having access to the Let's Encrypt (LE) log files is inadequate: with ACME there's always a server (LE) and a client, in this case something that's running at your hosting provider's server. This ACME client also generates a log file and that log file is the first and utmost important item to check to see where things are going awry.

Another thing not correct is the notion that "automatic renewal" is handled by the "third-party service" (LE): this is factually incorrect (from my point of view with a certain interpretation of the word "handled"): the ACME client initiates a renewal from the ACME server. LE will let any certificate expire if it's not renewed at the request of the ACME client. In fact, a renewal is nothing more than a brand new certificate with just the same set of hostnames as a previously issued certificate. In any case, renewal is NOT initiated by the "third-party service" and is, in fact, handled by your hosting provider's ACME client.

It sounds like you've had contact with someone from your hosting provider who lacks proficient knowledge of the ACME process and has therefore helped you inadequately, IMO. If I were you, I would not be as understanding with their explanation as requested by your hosting provider. They should be more helpful.

8 Likes

Whoever has root access to the server should be able to:

  • view the logs
  • troubleshoot the problem
  • manage the certificate renewal process [client]
  • create a scheduled task to automate renewals
7 Likes
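Because renewal is started by the ACME client on the host, a client that stops running after an upgrade fails silently until the certificate expires. The following is an added example, not code from this thread or from cPanel: an independent expiry monitor that reports the issuer and days remaining for a certificate. The 30-day threshold, the function names and the sample certificates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed threshold; match it to your ACME client's setting

def fetch_cert(host, port=443, timeout=10):
    """Return the verified peer certificate as the dict getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"

def assess(cert, now):
    """Classify a certificate by whole days remaining until notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(expires, tz=timezone.utc) - now).days
    if days_left < 0:
        status = "EXPIRED"
    elif days_left < RENEW_WINDOW_DAYS:
        status = "RENEWAL_OVERDUE"  # the client should already have renewed
    else:
        status = "OK"
    return {"issuer": issuer_org(cert), "days_left": days_left, "status": status}

def check(host, port=443):
    """Live check; an already-expired cert fails the TLS handshake itself."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError:
        return {"issuer": "unknown", "days_left": None, "status": "VERIFY_FAILED"}
    return assess(cert, datetime.now(timezone.utc))

# Constructed sample data in getpeercert() format (not real certificates).
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)
LE = ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),))
SAMPLES = {
    "healthy": {"issuer": LE, "notAfter": "Feb 25 00:00:00 2023 GMT"},
    "overdue": {"issuer": LE, "notAfter": "Jan 11 00:00:00 2023 GMT"},
    "expired": {"issuer": (), "notAfter": "Dec 30 00:00:00 2022 GMT"},
}
```

Calling `check()` for each hostname from a daily scheduled task, run on a machine other than the web server, gives a warning that does not depend on the ACME client or on expiry emails.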