Issue SSL Not Working after Upgrade

Hi All,

I upgraded CyberPanel just now and I noticed this error in the installation logs.

ERROR: certbot 0.21.1 has requirement acme==0.21.1, but you’ll have acme 1.9.0 which is incompatible.

I then went and issue SSL for a domain and it’s not working. Looks like it’s generating a self assigned Cert with details as:

Country: Denial
Locality: Springfield
Organization: Dis
Expiration Date: 15 May 2032

How do I fix this issue with SSL?

Also, I got to know that acme.sh is using ZeroSSL now and it seems like some account creation is needed. I am happy with LetsEncrypt and don’t want to change it. Does it have to do something with this issue?

See older thread if that solution works for you.

Upgrading acme.sh didn’t work.

I saw the solution provided on CyberPanel Self-Signed Certificate issue [SOLVED] - PC✗3 but that is using ZeroSSL, I have around 8-10 websites and I don’t want to use ZeroSSL because then I will have to pay for their plan.

So, how do I fix it for LetsEncrypt?

If I run this command: /root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
And then run the steps provided in the pcx3.com page, will it work?

Okay, I set the default CA to LetsEncrypt and then manually generated the Cert+Key, and then used “Add SSL” from the manage website page to fix the issue.

Now my next query is that do I need to do this manual work for every site when SSL expiry is near or now it will do automatically?

It seems you are using older version of cyberpanel and hence you are seeing ZeroSSL. Back then, for few days Cyberpanel shifted to ZeroSSL from letsencrypt and upon seeing issues surfacing, the actions were reverted. But this has been a long time now, maybe 7-8 months easily.

Try to update your cyberpanel now and see if its still zerossl.

I am on latest version and when I ran acme client, I saw that it used LetsEncrypt. But my problem is still not solved, when I try to issue SSL from UI, it says SSL issued but actually it assigns self issued SSL. As of now, using direct command worked but I would like to fix it because it’s easier to do from UI and hopefully then it will generate them automatically too.

Whether it issued a self-signed or letsencrypt ssl, the UI will mention it as successfully issued SSL (though this can be improved by changing success message for self signed and letsencrypt differently as something like “sucessfully issued self-signed SSL”)

Cyberpanel tries to issue letsencrypt SSL for the domain and if for any reason like wrong DNS, hitting rate limit, redirection loop error and for whatsoever reason it fails to issue letsencrypt SSL, it then issues self-signed SSL as alternative.

You can check the cyberpanel logs to find the reason for not able to issue SSL on your first attempt and then using SSH commands manually you were able to issue it. We cannot predict what went there in your server unless we get log data from you.

Where can I find CyberPanel logs? Will there be any specific file name for this kind of operation?

The basic logs are provided under
Logs Menu (cyberpanel main left menu) > cyberpanel logs.

The detailed logs are obtained from server side.

You can share the basic log first.

I see following lines in error-logs.txt file.

[05.18.2022_14-46-17] Failed to obtain SSL for: javastring.net and: www.javastring.net

[05.18.2022_14-46-17] Trying to obtain SSL for: javastring.net

[05.18.2022_14-46-23] Failed to obtain SSL, issuing self-signed SSL for: javastring.net

[05.18.2022_14-46-23] {‘usman@cyberpersons.com’: (554, b’5.7.1 usman@cyberpersons.com: Relay access denied’)}

[05.18.2022_14-46-23] Self signed SSL issued for javastring.net.

[05.18.2022_14-53-17] Trying to obtain SSL for: javastring.net and: www.javastring.net

[05.18.2022_14-53-17] /root/.acme.sh/acme.sh --issue -d javastring.net -d www.javastring.net --cert-file /etc/letsencrypt/live/javastring.net/cert.pem --key-file /etc/letsencrypt/live/javastring.net/privkey.pem --fullchain-file /etc/letsencrypt/live/javastring.net/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt

[05.18.2022_14-53-23] Failed to obtain SSL for: javastring.net and: www.javastring.net

[05.18.2022_14-53-23] Trying to obtain SSL for: javastring.net

[05.18.2022_14-53-28] Failed to obtain SSL, issuing self-signed SSL for: javastring.net

[05.18.2022_14-53-28] {‘usman@cyberpersons.com’: (554, b’5.7.1 usman@cyberpersons.com: Relay access denied’)}

[05.18.2022_14-53-29] Self signed SSL issued for javastring.net.

Any idea what’s the issue and how to fix from this?

Login to ssh and run this command (copy paste entire code and press enter)

/root/.acme.sh/acme.sh --issue -d javastring.net -d www.javastring.net --cert-file /etc/letsencrypt/live/javastring.net/cert.pem --key-file /etc/letsencrypt/live/javastring.net/privkey.pem --fullchain-file /etc/letsencrypt/live/javastring.net/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt

Here you go:

[root@li1176-230 ~]#

[root@li1176-230 ~]#

[root@li1176-230 ~]# /root/.acme.sh/acme.sh --issue -d javastring.net -d www.javastring.net --cert-file /etc/letsencrypt/live/javastring.net/cert.pem --key-file /etc/letsencrypt/live/javastring.net/privkey.pem --fullchain-file /etc/letsencrypt/live/javastring.net/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt

[Sat May 21 09:04:26 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory

[Sat May 21 09:04:26 UTC 2022] Multi domain=‘DNS:javastring.net,DNS:www.javastring.net’

[Sat May 21 09:04:26 UTC 2022] Getting domain auth token for each domain

[Sat May 21 09:04:28 UTC 2022] Getting webroot for domain=‘javastring.net

[Sat May 21 09:04:28 UTC 2022] Getting webroot for domain=‘www.javastring.net

[Sat May 21 09:04:28 UTC 2022] javastring.net is already verified, skip http-01.

[Sat May 21 09:04:28 UTC 2022] www.javastring.net is already verified, skip http-01.

[Sat May 21 09:04:28 UTC 2022] Verify finished, start to sign.

[Sat May 21 09:04:28 UTC 2022] Lets finalize the order.

[Sat May 21 09:04:28 UTC 2022] Le_OrderFinalize=‘https://acme-v02.api.letsencrypt.org/acme/finalize/78533458/90581577406

[Sat May 21 09:04:29 UTC 2022] Downloading cert.

[Sat May 21 09:04:29 UTC 2022] Le_LinkCert=‘https://acme-v02.api.letsencrypt.org/acme/cert/03710f15024ce1b4652b7ca351a1c6919c40

[Sat May 21 09:04:29 UTC 2022] Cert success.

-----BEGIN CERTIFICATE-----

{Cert content, removed to reduce message size…}

-----END CERTIFICATE-----

[Sat May 21 09:04:29 UTC 2022] Your cert is in: /root/.acme.sh/javastring.net_ecc/javastring.net.cer

[Sat May 21 09:04:29 UTC 2022] Your cert key is in: /root/.acme.sh/javastring.net_ecc/javastring.net.key

[Sat May 21 09:04:29 UTC 2022] The intermediate CA cert is in: /root/.acme.sh/javastring.net_ecc/ca.cer

[Sat May 21 09:04:29 UTC 2022] And the full chain certs is there: /root/.acme.sh/javastring.net_ecc/fullchain.cer

[Sat May 21 09:04:29 UTC 2022] Installing cert to: /etc/letsencrypt/live/javastring.net/cert.pem

[Sat May 21 09:04:29 UTC 2022] Installing key to: /etc/letsencrypt/live/javastring.net/privkey.pem

[Sat May 21 09:04:29 UTC 2022] Installing full chain to: /etc/letsencrypt/live/javastring.net/fullchain.pem

[root@li1176-230 ~]#

So, its done now. Successfully issued SSL as per the logs you sent above.

Yes, that’s what. It’s working fine from terminal but from UI it’s failing. So, what seems to be the issue here?

Its same bro whether UI or SSH. The UI executes the same command in the server and in ssh too we do the same command.

I tried issuing cert again today and this time it worked fine. No idea what was the issue earlier but hopefully it works fine going forward, thanks for all the help and inputs.