Failed to obtain SSL, issuing self-signed SSL for domain.tld

JosephChuksT · March 19, 2023, 5:06pm

I don’t know if anyone has experienced this issue I keep having. I have over 150 sites in my VPS and I use latest Cyberpanel (2.3). Exactly 2 weeks ago, I woke up to series of emails concerning the SSL of the websites in my server (Failed to obtain SSL, issuing self-signed SSL for domain.tld).

All websites reverted to self-signed SSL and was giving browser warnings. I tried using the ISSUE SSL option which didn’t work immediately but worked after about 5hours. I had to ISSUE SSL manually on all 150 websites.

Same thing happened today again and I’m issuing SSL one after the other as i’m posting this.

Please what is the cause of the problem and how can I stop it?

josephgodwinke · March 19, 2023, 5:24pm

Hello @JosephChuksT

Which server os is this ?
Are you running latest copy of cyberpanel ? Upgrade to see if issue goes away

JosephChuksT · March 19, 2023, 6:06pm

I’m running Ubuntu 20.04
Cyberpanel 2.3

JosephChuksT · March 19, 2023, 6:09pm

I had this issue exactly 2 weeks today. The SSL on all sites reverts to selfsigned leaving me with issuing them all over again manually.

Right now I’m even searching for a way to automate the SSL installation.

josephgodwinke · March 19, 2023, 6:19pm

This is unusual. Do you have other technologies that issue ssl on the server still ?

JosephChuksT · March 19, 2023, 6:26pm

No I dont have any other. I’ll like to enable auto SSL installation on any website that has self signed.

i.e A Cron job to check sites with selfsigned SSL and then issue let’s encrypt automatically. This will help me 1

josephgodwinke · March 19, 2023, 6:29pm

Kindly look at this How to fix SSL issues in CyberPanel

See if it helps your issue. Revert back here after you try

Note: you can try and manually renew ssl certificates with debugging option ON to see any issues GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

You can also send notifications every night when the renew cronjob runs notify · acmesh-official/acme.sh Wiki · GitHub

JosephChuksT · March 19, 2023, 7:21pm

I’ve looked into all your suggestions and I can’t find any issue. All the ssl certs are stored correctly at /etc/letsencrypt/live

I can copy each and install on the respective website or clicking the ISSUE SSL and it will issue.
But after 2 weeks from now, they’ll all likely revert to selfsigned and I’ll do this procedure again.

I’m thinking maybe there’s a cron job that is running the whole SSL process and that causes it to revert to selfsigned.

So I’m asking now if there’s a way I can set up a cron task to check websites with selfsigned, if there is, issue the letsencrypt ssl at /etc/letsencrypt/live on them automatically without me clicking the ISSUE SSL button all the time. Please

packetdog · March 20, 2023, 7:37pm

I encounted this issue as well (posted about it here: Self-Signed Certificate after 2.3.3 Upgrade - #3 by shoaibkk) and did the manual SSL renew to fix it. Looks like on 03/18/2023 these certs renewed again (very fast since they’re good for 90 days) and it’s interesting. Some sites got the self-signed certificate, and some got valid let’s encrypt certificates.

Can you point me to the logs for this? I’d love to attach them to hopefully help get to the bottom of this.

EDIT: I just edited the ~/.acme.sh/account.conf file and enabled logging. I’ll need to set up log rotation, but hopefully next time this happens I’ll have some actionable logs. The acme.sh script in the directory is v3.0.6 which seems to be the current one on Github. Going into the SSL menu, selecting the site, and clicking Issue SSL resolves the issue.

Interestingly, like 3 of the 9 sites I manage had the renewal complete successfully. The rest dropped back to self signed, and not because they were due for renewal. I literally went through this around 3 weeks ago. Very strange.

ikk157 · March 24, 2023, 2:17pm

I am having the same issue.

I was originally on Ubuntu 20.04 and everything worked fine.

However, I recently installed 22.04 (fresh install) and installed cyberpanel again (v2.3.3) and restored my websites from backup. Their original let’s encrypt certificate (which was part of the backup) worked fine.

However, when it came time to renew the certificate, it failed to do so and reverted to a self-signed certificate. I tried issuing ssl certificates to my websites manually on cyberpanel, to no avail.

I’ve also tried all of the suggestions above also to no avail.

The cyberpanel log shows the following:

[03.24.2023_14-00-24] /root/.acme.sh/acme.sh --issue -d mydomain.com -d www.mydomain.com --cert-file /etc/letsencrypt/live/mydomain.com/cert.pem --key-file /etc/letsencrypt/live/mydomain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mydomain.com/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt

[03.24.2023_14-00-30] Failed to obtain SSL for: mydomain.com and: www.mydomain.com

[03.24.2023_14-00-30] Trying to obtain SSL for: mydomain.com

[03.24.2023_14-00-35] Failed to obtain SSL, issuing self-signed SSL for: mydomain.com

[03.24.2023_14-00-36] Self signed SSL issued for mydomain.com.

[03.24.2023_14-02-27] Status Code: 404 for: http://www.mydomain.com/.well-known/acme-challenge/mydomain.com. Error:
404 Not Found

404

Not Found

The resource requested could not be found on this server!

Proudly powered by LiteSpeed Web Server
Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.

I genuinely dont know what to do.

It’s either a bug with v2.3.3 or a bug with the Ubuntu 22 support (the latter is unlikely as the OP is on 20). As everything worked fine prior to the update, and nothing was changed prior to the update, this only broke after the update.

josephgodwinke · March 24, 2023, 2:22pm

The issue seems to be associated with ubuntu 22 and centos versions only. Ubuntu 20 is most stable version currently. I can attest to this 100%

ikk157 · March 24, 2023, 2:24pm

Ah I see. So in this case is it planned for a future cyberpanel update to fix this issue?

Or is my best bet to just go back to 20 and stay there?

Thanks!

josephgodwinke · March 24, 2023, 2:30pm

Its best if you open an issue on GitHub as you can see no issues have been opened so far Issues · usmannasir/cyberpanel · GitHub

In such cases any seasoned developer would assume this as a case by case issue not necessary a code issue. However considering its prevalent on Ubuntu 22 and CentOs 7 or 8 I would recommend you open an issue so that the involved persons can test accordingly. As far as me testing I would never test centos 7 or 8 or ubuntu 22 for cyberpanel.

iron.br · March 27, 2023, 2:10pm

There were several similar problems here. I noticed that… the ssl is renewed much before the 90 days, that is, with 2 or 3 days of use, the certificate is already renewed and in some cases it does not renew, causing the error, I also did not find the solution at the time.

Mick · March 28, 2023, 11:59am

I presume I have the same issue in that SSL certificates keep failing for me on my websites.

I don’t know enough to tell you any more than that, but frequently I am told my website is unavailable and upon checking it’s an SSL issue. I renew manually and all ok, but only for a while.

How best to proceed?

Thank you.

packetdog · March 31, 2023, 2:07pm

I believe this was a bug released in the 2.3.3 branch. I’ve just opened a Github issue for this, here: Self-Signed SSL Certs being Issued for Valid Domains due to Acme.sh Failure · Issue #1044 · usmannasir/cyberpanel · GitHub. Please add any additional context there so the developers can fix this.

Thanks,
-pd

belat · March 31, 2023, 2:22pm

Thank you all very much for your input and experiences in resolving this situation with ssl certificates.

For now, I commented out the suggested cron lines to prevent the problem from occurring.

I am understanding that this only occurs with the latest version 2.3.3. If so, which version is safe to downgrade?

I use:
Ubuntu 20.04
Cyberpanel 2.3

Mick · April 12, 2023, 10:33am

I’m following the GitHub thread posted by @packetdog. Disappointing there isn’t more urgency…

packetdog · April 12, 2023, 11:21am

Isn’t that the truth? I don’t think the developers understand they’re about to blow up all the success they’ve acheived with CyberPanel thus far over a silly but VERY IMPACTFUL bug… and it feels like it’s not even being worked on.