CyberPanel Self-signed SSL certificate

I have just created CyberPanel and started moving my websites from my old cPanel host (also a LiteSpeed server). However, my domains keep getting self-signed SSL certificates. I have tried troubleshooting using this guide, but that does not solve my problem:
https://community.cyberpanel.net/t/how-to-fix-ssl-issues-in-cyberpanel/90

When I visit my domain https://www.apha.dk I get a NET::ERR_CERT_AUTHORITY_INVALID error. In the browser I can see that the certificate was given by “Dis” and in CyberPanel it says “Apha.dk has self-signed SSL”. When I go to the folder /etc/letsencrypt/live/apha.dk I can see that there is a fullchain.pem and privkey.pem file with a code inside.

My CyberPanel logfile says the following:

[12.08.2022_07-31-52] [Errno 2] No such file or directory: '/etc/letsencrypt/live/apha.dk/fullchain.pem'
[12.08.2022_07-38-28] Status Code: 200 for: http://www.apha.dk/.well-known/acme-challenge/apha.dk
[12.08.2022_07-38-28] Status Code: 200 for: http://apha.dk/.well-known/acme-challenge/apha.dk
[12.08.2022_07-38-30] /root/.acme.sh/acme.sh --issue -d apha.dk -d www.apha.dk --cert-file /etc/letsencrypt/live/apha.dk/cert.pem --key-file /etc/letsencrypt/live/apha.dk/privkey.pem --fullchain-file /etc/letsencrypt/live/apha.dk/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[12.08.2022_07-38-33] Failed to obtain SSL for: apha.dk and: www.apha.dk
[12.08.2022_07-38-33] Trying to obtain SSL for: apha.dk
[12.08.2022_07-38-34] Failed to obtain SSL, issuing self-signed SSL for: apha.dk
[12.08.2022_07-38-35] Self signed SSL issued for apha.dk.

I have CyberPanel 2.3 build 2 installed.

Any ideas how to make CyberPanel use the Let's Encrypt certificate instead?

Hello @aphandersen Happy you are here

When you reach this part in the wiki you can skip these steps:

Then you delete all private keys and certificates for respective website from server:

Then run this command from [How to fix SSL issues in CyberPanel](https://community.cyberpanel.net/t/how-to-fix-ssl-issues-in-cyberpanel/90#debugging-with-command-line-6)

And run this script:

sh <(curl https://raw.githubusercontent.com/josephgodwinkimani/cyberpanel-mods/main/selfsigned_fixer.sh || wget -O - https://raw.githubusercontent.com/josephgodwinkimani/cyberpanel-mods/main/selfsigned_fixer.sh)

See wiki after skipping those parts and proceed to this part:

Then go back to OLS and add the private key /etc/letsencrypt/live/mydomain.com/privkey.pem and fullchain /etc/letsencrypt/live/mydomain.com/fullchain.pem links to the vHost of the domain

Hi, thank you for your help 🙂 However, it still didn’t work 😦

In the OLS WebAdmin Console the Private key file and Certificate file are set to the correct Let's Encrypt destinations. I ran your tool, but it didn’t change anything. I still have the self-signed SSL certificate on apha.dk

Did you delete the values on OLS and restart lsws before you began? And did you also restart after you were done?

  1. Kindly upgrade your copy and also run wget -O - https://get.acme.sh | sh
  2. Fix folder permissions for that domain How to fix SSL issues in CyberPanel - Docs - CyberPanel Community
  3. Check modsecurity How to fix SSL issues in CyberPanel - Docs - CyberPanel Community
  4. Confirm you have the /usr/local/lsws/Example/html/.well-known/acme-challenge folder and /.well-known/acme-challenge context How to fix SSL issues in CyberPanel - Docs - CyberPanel Community
  5. Delete all SSL files for apha.dk (the optional script will do this for you) and OLS records (a must)

Finally retry CyberPanel Self-signed SSL certificate - #2 by josephgodwinke

Arh missed that. I have done that now. Now Let's Encrypt is named on the certificate when I visit the website, but I still get a warning. If I look at the certificate, it doesn’t say the URL apha.dk, but instead the URL of my CyberPanel. It is also the date from yesterday when I added the domain, even though I have tried to


I have also tried from point 1-4. How do I do point 5, deleting the certificates? Is this just deleting the two .pem files?

I have checked your domain, it's perfect except for the mismatch.

Go to the OLS WebAdmin Console, under Virtual Hosts choose apha.dk, and confirm you have the correct paths for /etc/letsencrypt/live/apha.dk/privkey.pem and fullchain /etc/letsencrypt/live/apha.dk/fullchain.pem


The Common name: should be apha.dk and SANs: apha.dk, www.apha.dk in chained certificate

NOT Common name: panel.ansico.dk and SANs: panel.ansico.dk
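
The SAN check described above can be run on the certificate file itself before its path goes into the vHost. This is an added example, not part of the original thread; the function names and the `panel.example.test` sample certificate are constructed for illustration, and it assumes OpenSSL 1.1.1 or later for `-ext` and `-addext`.

```sh
#!/bin/sh
# Added example: inspect a certificate file before pointing an OLS vHost at it.

# DNS names in the certificate's subjectAltName, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if name $2 is listed exactly in the SANs of certificate $1
# (wildcard entries are not expanded).
cert_covers() {
  cert_names "$1" | grep -qxF "$2"
}

# Exit 0 if issuer and subject are identical (name comparison only; the
# signature is not verified).
cert_is_self_signed() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

# Print the problems found for certificate $1 serving name $2, or "none".
cert_problems() {
  p=""
  if cert_is_self_signed "$1"; then p="self-signed"; fi
  if ! cert_covers "$1" "$2"; then p="${p:+$p }name-mismatch"; fi
  echo "${p:-none}"
}

# Constructed sample: a throwaway self-signed certificate for a panel hostname.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=panel.example.test" \
    -addext "subjectAltName=DNS:panel.example.test" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/fullchain.pem"
echo "names:   $(cert_names "$tmp/fullchain.pem")"
echo "apha.dk: $(cert_problems "$tmp/fullchain.pem" apha.dk)"
rm -rf "$tmp"
```

On the server, `cert_problems /etc/letsencrypt/live/apha.dk/fullchain.pem apha.dk` prints `none` only when the file is not self-signed and lists apha.dk in its SANs.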

I forgot to correct from mydomain.com to apha.dk in the certificate file line, I have corrected that now. But now the Dis certificate is back

My OLS Admin looks like this:

Hello you have undone your perfect changes.

Kindly follow the instructions as written here and nowhere else (copy paste as is):

Go to OLS WebAdmin Console of your server i.e https://SERVER_URL:7080 use admin and password you chose for CyberPanel admin panel

If you cannot log in. Using SSH Terminal run adminPass add new password


Then you delete all private keys and certificates for respective website from server:

$ rm -f /etc/letsencrypt/live/apha.dk/privkey.pem && rm -f /etc/letsencrypt/live/apha.dk/fullchain.pem

Then run this command:

$ /root/.acme.sh/acme.sh --issue -d apha.dk -d www.apha.dk --cert-file /etc/letsencrypt/live/apha.dk/cert.pem --key-file /etc/letsencrypt/live/apha.dk/privkey.pem --fullchain-file /etc/letsencrypt/live/apha.dk/fullchain.pem -w /usr/local/lsws/Example/html --force --debug

Post screenshot of your terminal after above command

Go back to OLS and add the privatekey /etc/letsencrypt/live/apha.dk/privkey.pem and fullchain /etc/letsencrypt/live/apha.dk/fullchain.pem links to the vHost of the domain


Here is the output after running the code:

root@ansicoCyberPanel:~# rm -f /etc/letsencrypt/live/apha.dk/privkey.pem && rm -f /etc/letsencrypt/live/apha.dk/fullchain.pem
root@ansicoCyberPanel:~# /root/.acme.sh/acme.sh --issue -d apha.dk -d www.apha.dk --cert-file /etc/letsencrypt/live/apha.dk/cert.pem --key-file /etc/letsencrypt/live/apha.dk/privkey.pem --fullchain-file /etc/letsencrypt/live/apha.dk/fullchain.pem -w /usr/local/lsws/Example/html --force --debug
[Thu 08 Dec 2022 12:23:39 PM UTC] Lets find script dir.
[Thu 08 Dec 2022 12:23:39 PM UTC] _SCRIPT_='/root/.acme.sh/acme.sh'
[Thu 08 Dec 2022 12:23:39 PM UTC] _script='/root/.acme.sh/acme.sh'
[Thu 08 Dec 2022 12:23:39 PM UTC] _script_home='/root/.acme.sh'
[Thu 08 Dec 2022 12:23:39 PM UTC] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.5
[Thu 08 Dec 2022 12:23:39 PM UTC] Running cmd: issue
[Thu 08 Dec 2022 12:23:39 PM UTC] _main_domain='apha.dk'
[Thu 08 Dec 2022 12:23:39 PM UTC] _alt_domains='www.apha.dk'
[Thu 08 Dec 2022 12:23:39 PM UTC] Using config home:/root/.acme.sh
[Thu 08 Dec 2022 12:23:39 PM UTC] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu 08 Dec 2022 12:23:39 PM UTC] DOMAIN_PATH='/root/.acme.sh/apha.dk'
[Thu 08 Dec 2022 12:23:39 PM UTC] Le_NextRenewTime
[Thu 08 Dec 2022 12:23:39 PM UTC] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Thu 08 Dec 2022 12:23:39 PM UTC] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu 08 Dec 2022 12:23:39 PM UTC] GET
[Thu 08 Dec 2022 12:23:39 PM UTC] url='https://acme-v02.api.letsencrypt.org/directory'
[Thu 08 Dec 2022 12:23:39 PM UTC] timeout=
[Thu 08 Dec 2022 12:23:39 PM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Thu 08 Dec 2022 12:23:39 PM UTC] ret='0'
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_NEW_AUTHZ
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu 08 Dec 2022 12:23:39 PM UTC] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
[Thu 08 Dec 2022 12:23:40 PM UTC] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu 08 Dec 2022 12:23:40 PM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu 08 Dec 2022 12:23:40 PM UTC] _on_before_issue
[Thu 08 Dec 2022 12:23:40 PM UTC] _chk_main_domain='apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] _chk_alt_domains='www.apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] Le_LocalAddress
[Thu 08 Dec 2022 12:23:40 PM UTC] d='apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] Check for domain='apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] _currentRoot='/usr/local/lsws/Example/html'
[Thu 08 Dec 2022 12:23:40 PM UTC] d='www.apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] Check for domain='www.apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] _currentRoot='/usr/local/lsws/Example/html'
[Thu 08 Dec 2022 12:23:40 PM UTC] d
[Thu 08 Dec 2022 12:23:40 PM UTC] _saved_account_key_hash is not changed, skip register account.
[Thu 08 Dec 2022 12:23:40 PM UTC] Read key length:2048
[Thu 08 Dec 2022 12:23:40 PM UTC] _createcsr
[Thu 08 Dec 2022 12:23:40 PM UTC] Multi domain='DNS:apha.dk,DNS:www.apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] Getting domain auth token for each domain
[Thu 08 Dec 2022 12:23:40 PM UTC] d='www.apha.dk'
[Thu 08 Dec 2022 12:23:40 PM UTC] d
[Thu 08 Dec 2022 12:23:40 PM UTC] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu 08 Dec 2022 12:23:40 PM UTC] payload='{"identifiers": [{"type":"dns","value":"apha.dk"},{"type":"dns","value":"www.apha.dk"}]}'
[Thu 08 Dec 2022 12:23:40 PM UTC] RSA key
[Thu 08 Dec 2022 12:23:40 PM UTC] HEAD
[Thu 08 Dec 2022 12:23:40 PM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu 08 Dec 2022 12:23:40 PM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Thu 08 Dec 2022 12:23:40 PM UTC] _ret='0'
[Thu 08 Dec 2022 12:23:40 PM UTC] POST
[Thu 08 Dec 2022 12:23:40 PM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu 08 Dec 2022 12:23:40 PM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Thu 08 Dec 2022 12:23:41 PM UTC] _ret='0'
[Thu 08 Dec 2022 12:23:41 PM UTC] code='429'
[Thu 08 Dec 2022 12:23:41 PM UTC] Le_LinkOrder
[Thu 08 Dec 2022 12:23:41 PM UTC] Le_OrderFinalize
[Thu 08 Dec 2022 12:23:41 PM UTC] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: apha.dk,www.apha.dk, retry after 2022-12-09T05:34:48Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/",
  "status": 429
}
[Thu 08 Dec 2022 12:23:41 PM UTC] pid
[Thu 08 Dec 2022 12:23:41 PM UTC] No need to restore nginx, skip.
[Thu 08 Dec 2022 12:23:41 PM UTC] _clearupdns
[Thu 08 Dec 2022 12:23:41 PM UTC] dns_entries
[Thu 08 Dec 2022 12:23:41 PM UTC] skip dns.
[Thu 08 Dec 2022 12:23:41 PM UTC] _on_issue_err
[Thu 08 Dec 2022 12:23:41 PM UTC] Please add '--debug' or '--log' to check more details.
[Thu 08 Dec 2022 12:23:41 PM UTC] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Thu 08 Dec 2022 12:23:41 PM UTC] Diagnosis versions: 
openssl:openssl
OpenSSL 1.1.1f  31 Mar 2020
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.3 on Oct 26 2019 17:42:04
   running on Linux version #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022, release 5.4.0-109-generic, machine x86_64

And here is a screenshot of OLS admin after adding the file paths again:
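
The debug output above ends in an ACME `rateLimited` error with a `retry after` time, and any further `--force` run before that time is rejected the same way. As an added example (not part of the original thread; the function names are hypothetical), this reads that error from a log and refuses to retry early. The sample is constructed from the error lines quoted above.

```sh
#!/bin/sh
# Added example: gate another `acme.sh --issue --force` run on the last debug log.

# Constructed sample: the error lines from the --debug output in this thread.
sample_log() {
cat <<'EOF'
[Thu 08 Dec 2022 12:23:41 PM UTC] code='429'
[Thu 08 Dec 2022 12:23:41 PM UTC] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: apha.dk,www.apha.dk, retry after 2022-12-09T05:34:48Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/",
  "status": 429
}
EOF
}

# ACME error type from a log on stdin (e.g. "rateLimited"); empty if none.
acme_error_type() {
  sed -n 's/.*"type": *"urn:ietf:params:acme:error:\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# "retry after" timestamp (ISO 8601, UTC) from a log on stdin; empty if none.
acme_retry_after() {
  sed -n 's/.*retry after \([0-9-]*T[0-9:]*Z\).*/\1/p' | head -n 1
}

# may_retry NOW < log: exit 0 if a new order may be attempted, 1 if not.
# NOW is an ISO 8601 UTC timestamp; same-format timestamps compare as strings.
may_retry() {
  now=$1
  log=$(cat)
  type=$(printf '%s\n' "$log" | acme_error_type)
  [ "$type" = "rateLimited" ] || return 0
  retry=$(printf '%s\n' "$log" | acme_retry_after)
  [ -n "$retry" ] || return 1   # limited, but no time given: do not retry blindly
  awk -v a="$now" -v b="$retry" 'BEGIN { exit !(a >= b) }'
}

# Usage with the sample; on a server, pipe in the output saved from acme.sh.
if sample_log | may_retry "$(date -u +%Y-%m-%dT%H:%M:%SZ)"; then
  echo "retry time has passed or no rate limit in log: a new order may be attempted"
else
  echo "rate limited until $(sample_log | acme_retry_after): do not re-run with --force"
fi
```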

Check your DNS records. You do not have an rDNS PTR record. Go to your DigitalOcean dashboard and create one for your server

Do you have a hostname certificate?

https://159.223.208.216/ No certificate.
Certificate error: RemoteCertificateNameMismatch

What are rDNS PTR records used for? Isn’t that only for secure mail? I use SendGrid as a mail relay, so they should handle that part.

Yes I have a hostname certificate on the subdomain that I use to access the panel.

Unfortunately I can see that I have now tried to renew the Let's Encrypt certificate 5 times, and unfortunately deleted the old ones, so I guess I have to wait a week before I try again 🙂

Just a follow-up on this, since I have now found a solution that works for me. I first created a free ZeroSSL certificate on zerossl.com. I pasted the content of the certificate, ca_bundle and private files into the fields at Add SSL in CyberPanel. The ZeroSSL certificate was installed instead. After that I went back to CyberPanel and issued a new Let's Encrypt certificate, and this time it was installed perfectly and overwrote the ZeroSSL certificate.

Did you solve your issue?

Yes I did 🙂
