CertSage error: "uapi SSL install_ssl failed"

My domain is: cdn.fmic.photo

I ran this command: CertSage [ Install Certificate into cPanel ]

It produced this output: “uapi SSL install_ssl failed”

My web server is: Apache v2.4.63

The operating system my web server runs on is: linux (Kernel v4.18.0-477.13.1.lve.el7h.x86_64)

My hosting provider is: https://webtuga.pt

I can login to a root shell on my machine: No

I'm using a control panel to manage my site: cPanel v110.0.55

The version of my client is: CertSage v2.0.0


Hello!

I am having some difficulty with CertSage when it comes to the certificate installation, as reported previously by another user … "uapi SSL install_ssl failed" using CertSage

Unfortunately, I have no idea if UAPI is enabled or not, nor do I know how to enable it.

It is a shared hosting platform here in Portugal, and I am using PHP v8.4

I would appreciate any advice or guidance, so please let me know what other information is required to help me resolve the issue.

2 Likes

Please note that generating the certificate is successful without any issues. It is just the installation that is failing.

2 Likes

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

I'm the author of CertSage.

Let me take a look here...

3 Likes

Please note that I manually installed the certificate afterwards. So currently, the website is using the new certificate.

2 Likes

I was going to recommend doing that in the meantime, so thanks. :slightly_smiling_face:

3 Likes

The certificate installation looks good.

cdn.fmic.photo

www.cdn.fmic.photo

Both cdn.fmic.photo and www.cdn.fmic.photo properly redirect from their HTTP addresses to their HTTPS addresses.

I do notice that both HTTPS addresses return 403 Forbidden, but I suspect this is as intended.

1 Like

I'm working on putting together a UAPI test.

1 Like

Yes, the "cdn" subdomain is intended for providing file download support for my main portfolio that is on the "Adobe Portfolio" service which does not have that ability.

1 Like

That will be very much appreciated, thank you!

2 Likes

Please try to run the following in Terminal in your cPanel then let me know the result:

uapi SSL installed_hosts

1 Like

Terminal? I don't have "Terminal" under the "Advanced" tab, nor do I have SSH access.

EDIT: However, if there is a way to enable the "Terminal", then I would very much appreciate some guidance on how to do it.

1 Like

Since I do not have "Terminal" nor SSH access, I set up a cron job with the command, which then sends the results via email. The resulting output, however, has a lot of private information and certificate data, so I have redacted some of it. If, however, some of the redacted information is required, please let me know.

--- 
apiversion: 3
func: installed_hosts
module: SSL
result: 
  data: 
    - 
      certificate: 
        auto_ssl_provider: LetsEncrypt
        auto_ssl_provider_display_name: Let’s Encrypt™
        domains: 
          - cdn.fmic.photo
          - www.cdn.fmic.photo
        id: cdn_fmic_photo_e3e49_6d967_1751377803_bde3611e8c87eb5368a24b03512f42f2
        is_autossl: 1
        is_self_signed: 0
        issuer.commonName: R10
        issuer.organizationName: Let's Encrypt
        issuer_text: "countryName\nUS\norganizationName\nLet's Encrypt\ncommonName\nR10"
        modulus: «... redacted ...»
        modulus_length: 2048
        not_after: '1751377803'
        not_before: '1743601804'
        signature_algorithm: sha256WithRSAEncryption
        subject.commonName: cdn.fmic.photo
        subject_text: "commonName\ncdn.fmic.photo"
        validation_type: dv
      certificate_text: "-----BEGIN CERTIFICATE-----«... redacted ...»\n-----END CERTIFICATE-----"
      docroot: /home/fmicweb1/websites/cdn.fmic.photo/html
      domains: 
        - cdn.fmic.photo
      fqdns: 
        - cdn.fmic.photo
        - www.cdn.fmic.photo
      ip: 185.118.112.143
      is_primary_on_ip: 0
      mail_sni_status: 1
      needs_sni: 1
      servername: cdn.fmic.photo
    - 
«... redacted ...»

  errors: ~
  messages: ~
  metadata: 
    transformed: 1
  status: 1
  warnings: ~

1 Like

EDIT: Ok, figured it out for myself. It is the `` (backticks) that cause it to be executed by the shell. My apologies for my ignorance. :sweat_smile:

Pardon my ignorance about PHP, but I am trying to understand your PHP script ...
How exactly is the $output executed by the shell?
From what I have read in the PHP manual, should it not have a "shell_exec()" somewhere in the code?
I don't get how just assigning the variable some content equates to it being executed by the shell. Is there some PHP shorthand code in there somewhere that I am not aware of and totally ignorant about?

EDIT2: Could it be that shell_exec() is disabled on my system and that is what is causing the issue, even though I don't see it in my "disabled_functions"?

I remember reading that for one user, they resorted to using popen() instead ... shell_exec is in the disabled_functions on my cPanel

1 Like

For GoDaddy, I had to enable SSH access in my GoDaddy account outside of cPanel in order for the Terminal "tile" to show up inside of cPanel.

1 Like

That solution is quite brilliant. :smiley:

While I doubt you have much to worry about based on my knowledge of the type of information issued by that command, I understand your concern and respect your wish for privacy. Honestly, I just wanted to see if the command would work at all. :wink:

1 Like

No worries. PHP has some odd syntax at points. While I am a firm believer in the KISS principle, sometimes things aren't always clear.

As a test, you could try changing this line:

$output = `uapi SSL install_ssl domain=$domain cert=$cert key=$key --output=json`;

to look like this:

$output = `uapi SSL installed_hosts > output.txt`;

then see what, if anything, shows up in an output.txt inside the directory where certsage.php is located. Many things are possible at this point and your conclusion may be correct. Given the skills you have demonstrated, you may just be able to run the installation uapi command yourself using a cron job every month or so and create the cron job yourself to just hit certsage.php with curl every day or two (per what you see on line 950 of certsage.php). :grin:

CertSage tries to renew your certificate every time it runs "without a command" (meaning when you or anything/anyone just loads certsage.php without POST data submitted from hitting a button). Thus, when any search bot (or curl cron job or whatever) loads certsage.php, as long as there's an autorenew.txt file located in the CertSage data directory with only the word "yes" in it, CertSage will check if the cert in its CertSage data directory should be renewed and, if so, CertSage will attempt to acquire and install a replacement certificate using the same acquisition and installation functions as though you were hitting those buttons yourself. Granted, if you cron jobbed the cert installation, you could effectively remove line 1018 from certsage.php to skip the installation step during auto renewal and let your cron job installation handle it on its next pass when it picks up the renewed cert. Note that the toggle to force HTTPS on line 936 only needs to happen once and I think you've already got that covered from what I've seen using redirect-checker.org.

I'm hoping your uapi is just behaving differently, but still working. If not, the plan I've outlined above will put you on the path to automatic renewals. The only missing piece is pulling the certificate contents from a file into the uapi install command, but that shouldn't be too difficult to work out should it be needed. I'll help with this of course.

1 Like

In case you can't tell, I see great possibility in the brilliance of using cron jobs to bypass hosting providers' limitations on running commands in PHP. It's a pattern that makes for simple yet robust solutions.

1 Like

Yes, it executed and output the same content that the "cronjob" test did. So, that confirms that the shell is being executed.

So, next I uninstalled the current certificate, and restored the previous one, before proceeding with the following code change in your PHP script ...

$output = `uapi SSL install_ssl domain=$domain cert=$cert key=$key --output=json > output.txt`;

... and the resulting content of the "output.txt" file was as follows (after "beautifying" it) ...

{
  "apiversion": 3,
  "module": "SSL",
  "func": "install_ssl",
  "result": {
    "status": 1,
    "messages": [
      "The certificate was successfully installed on the domain “cdn.fmic.photo”."
    ],
    "metadata": {},
    "data": {
      "servername": "cdn.fmic.photo",
      "message": "The SSL certificate is now installed onto the domain “cdn.fmic.photo” using the IP address “185.118.112.143”.\nThe existing virtual host was updated with the new certificate. Apache is restarting in the background.\n",
      "cert_id": "cdn_fmic_photo_e3e49_6d967_1751377803_bde3611e8c87eb5368a24b03512f42f2",
      "action": "update",
      "warning_domains": [],
      "key_id": "e3e49_6d967_f5f802757e874433b6799b867d1be909",
      "domain": "cdn.fmic.photo",
      "ip": "185.118.112.143",
      "statusmsg": "The SSL certificate is now installed onto the domain “cdn.fmic.photo” using the IP address “185.118.112.143”.\nThe existing virtual host was updated with the new certificate. Apache is restarting in the background.\n",
      "status": 1,
      "html": "<br>The SSL certificate is now installed onto the domain “cdn.fmic.photo” using the IP address “185.118.112.143”.\n<br />\nThe existing virtual host was updated with the new certificate.<br />Apache is restarting in the background.",
      "aliases": "",
      "extra_certificate_domains": [
        "www.cdn.fmic.photo"
      ],
      "user": "fmicweb1",
      "working_domains": [
        "cdn.fmic.photo"
      ]
    },
    "errors": [
      "The event UAPI::SSL::install_ssl was handled successfully."
    ],
    "warnings": null
  }
}

This means that it is installing the certificate, but somehow the output is not being sent back to the PHP script (at least that is my understanding), as it is still reporting the error: uapi SSL install_ssl failed

Do you perhaps have some idea of what may be causing the issue as initially reported?

1 Like
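As an added example (not CertSage's code and not part of any post in this thread), this PHP code judges a `uapi ... --output=json` reply by `result.status` and handles an empty capture separately, since the backtick operator and `shell_exec()` return null when the command prints nothing, for instance when stdout is redirected to a file. The function name `classify_uapi_reply` and the failure sample are hypothetical; the first sample is abridged from the output.txt content above.

```php
<?php
// Added example, not CertSage's own code.
// Classifies the raw stdout of `uapi ... --output=json` by result.status.

function classify_uapi_reply($raw): array
{
    // shell_exec() and the backtick operator yield null (or false) when the
    // command printed nothing, e.g. because stdout was redirected to a file.
    if (!is_string($raw) || trim($raw) === '') {
        return ['ok' => false, 'why' => 'no output captured'];
    }
    $reply = json_decode($raw, true);
    if (!is_array($reply) || !isset($reply['result']) || !is_array($reply['result'])) {
        return ['ok' => false, 'why' => 'output is not a UAPI JSON reply'];
    }
    $result = $reply['result'];
    // status is the success flag. In the reply shown in this thread, "errors"
    // held a notice while status was 1, so a non-empty errors list alone is
    // not used as the failure test here.
    if ((int)($result['status'] ?? 0) !== 1) {
        $errors = (array)($result['errors'] ?? []);
        return ['ok' => false, 'why' => implode('; ', $errors) ?: 'status is not 1'];
    }
    return ['ok' => true, 'why' => implode('; ', (array)($result['messages'] ?? []))];
}

// Constructed samples; the first is abridged from the output.txt shown above.
$samples = [
    'reply from the thread' =>
        '{"apiversion":3,"module":"SSL","func":"install_ssl","result":{"status":1,'
        . '"messages":["The certificate was successfully installed on the domain “cdn.fmic.photo”."],'
        . '"errors":["The event UAPI::SSL::install_ssl was handled successfully."],'
        . '"warnings":null}}',
    'stdout redirected to a file' => null,
    'constructed failure' =>
        '{"result":{"status":0,"errors":["constructed error text"],"messages":null}}',
];

foreach ($samples as $label => $raw) {
    $r = classify_uapi_reply($raw);
    printf("%-28s ok=%s  %s\n", $label, $r['ok'] ? 'yes' : 'no', $r['why']);
}
```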

Yes, I have already been looking into that possibility, and also studying some pure "bash" based ACME clients as well, to see if I can craft a solution for myself (e.g. acme.sh)

1 Like

Given that the installation is working, I recommend simply removing the output checks (lines 933, 934, 941, 942) then running the installation using the button again. Check your cron jobs afterwards to see if CertSage created a new one. I think this will be by far the simplest solution and puts you right on track without the more complex approach I mentioned above.

1 Like