Jun 172016
 

tl;dr

  • When cPanel starts up, if it doesn’t have a valid SSL (now valid properly signed SSL) it reissues it’s own SSL, or panics if it cannot.
  • cPanel is now requiring a valid hostname check (similar to Let’s Encrypt) as a part of that check.
  • Therefore, a server’s hostname now has to point at the server or cPanel not start.
  • You will receive an email every day if the hostname doesn’t line up.
  • You’ve have to touch a file to disable this, and then run the script and then it should be set.

Due to cPanel’s recent change to their self-signed SSL’s, hostnames are required to have DNS entries. If this is not in place, they will not get a valid SSL and therefore cPanel will start and cpsrvd will immediately fail. To correct this we basically need to fix the DNS entry for the server’s hostname and then run

/usr/local/cpanel/bin/checkallsslcerts

Error from the /usr/local/cpanel/logs/error_log:

cpsrvd: Setting up native SSL support ... Could not load ssl libraries or certificate from /var/cpanel/ssl/cpanel/ at cpsrvd.pl line 554.
[[email protected]] cpanel:/usr/local/cpanel/bin/checkallsslcerts
The system failed to acquire a signed certificate from the cPanel Store because of an error: (XID y4txyq) “host.domain.com” does not resolve to any IPv4 addresses on the internet.

Updating DNS for the hostname and then running the check again will resolve the issue. If you do not have access to the customer’s DNS, this will require them to modify the DNS entries at the registrar and cPanel/WHM will remain down until that change is made.

Additionally, this may be a concern when DNS can not change (or should not be changed for some reason). When this is the case, you can skip the cPanel signed SSL. If you touch this file,

/var/cpanel/ssl/disable_auto_hostname_certificate

the system will no longer order, download, and install a free cPanel-signed hostname certificate.
https://documentation.cpanel.net/display/ALD/Manage+>Service+SSL+Certificates has more information on this. After touching this file, you can run a

/usr/local/cpanel/bin/checkallsslcerts

for a selfsigned ssl on the services.

p.s. You must restart Cpanel after updating the SSL Certs.

Share This!