Self-Signed Certificate after 2.3.3 Upgrade

Hello,

I’ve been using Cyberpanel for around 9 months, and have all of paid addon packs loaded. Everything has been fine, and as the version management tab shows updates are available, I take some time to update using the update script. I also update the Ubuntu Server (22.04 I believe) with all of the packages, and restart. I’ve done that at least 3 times prior to this time without issue. With the latest release I took the same steps as before and updated Cyberpanel, and Ubuntu packages, and rebooted. Sites came up fine, so I thought I was good, until today. It looks like the sites all reverted to a self signed certificate. I’m going through the process to issue new SSL certs for each, but I’m not sure why this happened, and I’m not sure if this will auto-renew. Does anyone have any ideas on what I should be checking?

Thanks,
-pd

Hello @packetdog Happy New Year

We encourage you start by looking through the forum for topics such as yours.

See this Website SSL is self-signed after every month - #2 by josephgodwinke

can you show me vhost confrigrqations?

FYI- Continuing this here: Failed to obtain SSL, issuing self-signed SSL for domain.tld - #8 by JosephChuksT

Thank you. But I have over 150 sites in my VPS.
After the recent revert of SSL certs to selfsigned, I had to re issue SSL to all the site one after the other manually.

I don’t know what causes the SSL certs to revert to selfsigned after some time (2 weeks), but I have removed the cron job that runs 12:00am: /tmp/crontab.yrbS1G/crontab

This line:
7 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null

Does this fix the issue or ?

I mean, that would fix the issue, but that seems to be the cron job to renew SSL certs. I don’t think that will work long term as the certificates won’t renew any longer without the cron job. Right?

I would suggest enabling logging in the account.conf file, and also redirecting that cron output to a log file as well, perhaps /root/.acme.sh/acmecron.log as opposed to /dev/null to help isolate the problem.

It should not. The renewal service should only renew certificates that have expired. thats how acme.sh works.

Ofocurse future renewals wunt work. There is something wrong somewhere but its not acme.sh. If you check their github repo no one is complaining of such issues this looks like its isolated to our cyberpanel ecosystem. Am investigating this

I can’t tell for now, so far no complaints. SSL active on all sites.

I am facing the same problem where several websites fail to renew SSL certificates every Sunday, and I have to manually reissue them. Last week, I deleted the following line from my crontab:

7 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null

However, the issue recurred today, and I’m not sure why. I executed the command as root and used the Vim tool to edit the crontab.
#crontab -e

My Ubuntu version is 22.04, and it was installed using Vultr’s CyberPanel one-click installation from the Marketplace.

Now, when I execute

#crontab -e

0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/findBWUsage.py >/dev/null 2>&1
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py hourlyCleanup >/dev/null 2>&1
0 0 1 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py monthlyCleanup >/dev/null 2>&1
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/upgradeCritical.py >/dev/null 2>&1
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1
0 0 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Daily
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Weekly

*/30 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘30 Minutes’
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘1 Hour’
0 */6 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘6 Hours’
0 */12 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘12 Hours’
0 1 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘1 Day’
0 0 */3 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘3 Days’
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py ‘1 Week’

/3 * * * * if ! find /home//public_html/ -maxdepth 2 -type f -newer /usr/local/lsws/cgid -name ‘.htaccess’ -exec false {} +; then systemctl restart lsws; fi
09,39 * * * * /usr/local/CyberCP/bin/cleansessions >/dev/null 2>&1
~

Can someone give me some advice? or I have to install Ubuntu 20.04 is better? Many thanks !

This exactly what has happened to me today. It occurs every 2 weeks (Sundays from 00:00hrs GMT). I’m tired of manually renewing SSL certs every 2 weeks as I have over 150 sites in my VPS.

Hello @josephgodwinke, I just experienced same problem today: SSL certs got reverted to Self signed and I have to go through the stress of re issuing ssl certs manually for over 100 domains in my VPS this morning.

So it seems removing the cron task: 7 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null didn’t work.

What do you suggest I do?

Hello @JosephChuksT @liufunyu @packetdog

You need to remove these cronjobs:

## This checks and renews ssl for domains and child domains
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1
## This runs the shell script implementing ACME client protocol
7 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null

Ok, thank you very much.
Hopefully this works but I’ll know in 2 weeks time.

Thanks again!

Remove this line 0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1 as suggested by @josephgodwinke

Thank you all very much, I will delete these two lines, and I will reissue SSL after 89 days manually …
Maybe it will be fixed at that time. ^_^"

## This checks and renews ssl for domains and child domains
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1
## This runs the shell script implementing ACME client protocol
7 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null

Oh, My!
It happened again today!
But I have been removed those two lines 5 days ago!
How about you guys?

I think I should change to Ubuntu20.04 & Cyberpanel 2.3.2 >___<

It happened again today!
Over 150 sites all reverts to self-signed.

This is becoming something else!
I have to be awake every Sunday at 00:00hours just to manually reissue the SSL certs whet they revert to self-signed else I get complaints from my clients.

I updated to the latest Cyberpanel and it seemed the two lines I deleted came back.

## This checks and renews ssl for domains and child domains
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1
## This runs the shell script implementing ACME client protocol
7 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null

I have removed them and also commented line 17 on /etc/cron.d/certbot

# 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Hope it works cos I’m tired of manually reissuing SSL every Sunday!

This happened AGAIN to me, and I did remove those lines from crontab. I really don’t have time to move all my sites, but I’m losing thousands because it keeps taking my stores offline… and this is making customers think “it’s a virus, don’t go there!” because of all the ssl warnings and such. What else could be causing this?

This is my crontab. Any ideas on what is reverting my certs back to self-signed?

0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/findBWUsage.py >/dev/null 2>&1
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py hourlyCleanup >/dev/null 2>&1
0 0 1 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py monthlyCleanup >/dev/null 2>&1
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/upgradeCritical.py >/dev/null 2>&1
0 0 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Daily
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Weekly
*/3 * * * * if ! find /home/*/public_html/ -maxdepth 2 -type f -newer /usr/local/lsws/cgid -name '.htaccess' -exec false {} +; then systemctl restart lsws; fi
09,39 * * * * /usr/local/CyberCP/bin/cleansessions >/dev/null 2>&1

Yup, we have an idea of why it’s happening. See here: [BUG] Self-Signed SSL Certs being Issued for Valid Domains due to Acme.sh Failure · Issue #1044 · usmannasir/cyberpanel · GitHub

Unfortunately I’m not a developer, I don’t know how to trace down how the changes from 2.3.2 to 2.3.3 are related.

If you haven’t already, please add your sentiments to the Github issue.

@JosephChuksT How certbot installed automatically, cyberpanel use acme.sh?

The best solution is, remove the code which is issuing self-signed SSL from cyberpanel repo. Which is useless.

If someone need self-signed SSL, he can generate it manually and add it via cyberpanel UI,
The same was suggested by me many time but developer need this feature even it’s creating lot of issues.

Also many times I found SSL renew automatically but web server not reloaded hence sites getting SSL expire error in browser.

until issue is fixed use bash script to renew multiple domain ssl at same time also validate existing ones and setup certbot to auto renew

This is very helpful. Thanks. /s