
[Solved] Ssl Replacement


Trespasser


Hello,

 

I was using a Let's Encrypt certificate for my domain trespasser.eu.org hosted on Tommy. On August 10 (according to SSL data) it was replaced with a cPanel (Comodo) certificate without my permission or even notification.

 

1. So, why was the certificate replaced?

2. Am I allowed to install the Let's Encrypt certificate back?

3. If yes, how to prevent replacements with cPanel (Comodo) certificates in future?

 

Best regards,

Trespasser


Was the certificate expired? If so, AutoSSL probably replaced it with one that's not (which is the cPanel / Comodo one). AutoSSL should not replace valid certificates it didn't issue. If it did, it might have been related to our testing of LE as an AutoSSL provider (limit was too low, but we tried it because the Comodo one was hitting what appeared to be an undocumented rate limit as people's certs expired).

 

Comodo AutoSSL ones issue on their own within 24 hours when you add domains or when a preexisting domain does not have/no longer has a valid certificate, and auto-renew as they approach expiration. The Comodo certs are validly signed and won't trigger security warnings, so they're just as functional as an LE cert to an end user.

 

You're more than welcome to replace the Comodo cert with an LE cert if you wish.


You can delete the AutoSSL certificate and install your own. AutoSSL shouldn't overwrite a valid certificate.

 

It looks like your certificate was either expired already or really close.

 1:20:12 AM Checking websites for “tres000a” …
 1:20:12 AM The website “trespasser.heliohost.org”, owned by “tres000a”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
 1:20:12 AM The website “trespasser.trespasser.heliohost.org”, owned by “tres000a”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “trespasser.trespasser.heliohost.org”, “mail.trespasser.eu.org”, “www.trespasser.trespasser.heliohost.org”, “cpanel.trespasser.eu.org”, “webmail.trespasser.eu.org”, and “webdisk.trespasser.eu.org”. The system will attempt to replace this certificate with one that includes these additional domains.
 1:20:13 AM The system will attempt to renew SSL certificates for the following websites:
 1:20:13 AM trespasser.heliohost.org (trespasser.heliohost.org www.trespasser.heliohost.org mail.trespasser.heliohost.org webmail.trespasser.heliohost.org cpanel.trespasser.heliohost.org webdisk.trespasser.heliohost.org)
 1:20:13 AM trespasser.trespasser.heliohost.org (trespasser.eu.org www.trespasser.eu.org mail.trespasser.eu.org webmail.trespasser.eu.org cpanel.trespasser.eu.org webdisk.trespasser.eu.org trespasser.trespasser.heliohost.org www.trespasser.trespasser.heliohost.org)
 1:20:13 AM The system has completed the AutoSSL check for “tres000a”.

It looks like your certificate was either expired already or really close.

 

My certificate should have been valid until October 2017. However, when I tried to re-download it using acme-client, no valid certificates for my domain were found.

 

It's strange that there were no notifications from Let's Encrypt either. They always send emails before my SSL certificate expires. Maybe I should contact their support as well.

 

I renewed my Let's Encrypt certificate and installed it back without any issues.

 

If it did, it might have been related to our testing of LE as an AutoSSL provider

 

That may be the cause. Could my certificate become invalid if you tried to generate another Let's Encrypt certificate for my domain?

Or if you tried to update the certificate for webmail.trespasser.eu.org, cpanel.trespasser.eu.org, etc., while I am using SSL for trespasser.eu.org and www.trespasser.eu.org only?

 

In addition, there were .well-known/acme-challenge directories in my domain folder. But I always delete them after domain verification is completed.


We switched back and forth between Let's Encrypt and Comodo a few times trying to get around the rate limits and trying to get AutoSSL working again. It's probably because of that, and it won't happen again unless AutoSSL breaks again and we have to fiddle with it like that.


Krydos might be able to do that, I'm not sure.

 

As for the certificate itself, what's the reason you're adamant on using an LE cert over the just-as-functional Comodo one? Most of our users had been begging us for something automatic because they didn't like dealing with renewing them.


As for the certificate itself, what's the reason you're adamant on using an LE cert over the just-as-functional Comodo one? Most of our users had been begging us for something automatic because they didn't like dealing with renewing them.

 

I prefer to manage everything myself. And I really want to know the reason why my certificate was replaced.

 

There may be a bug with your AutoSSL feature which you probably would like to fix.


I thought having this setting disabled would be enough to keep your certificate from being overwritten:

[Image: autossl.png]

but apparently not. Here's the log:

 1:14:51 AM Checking websites for tres000a 
 1:14:52 AM The website trespasser.trespasser.heliohost.org, owned by tres000a, has a valid SSL certificate, but additional SSL coverage may be possible for the domains trespasser.trespasser.heliohost.org, mail.trespasser.eu.org, www.trespasser.trespasser.heliohost.org, cpanel.trespasser.eu.org, webmail.trespasser.eu.org, and webdisk.trespasser.eu.org. The system will attempt to replace this certificate with one that includes these additional domains.
 1:14:52 AM The system will attempt to renew SSL certificates for the following websites:
 1:14:52 AM trespasser.trespasser.heliohost.org (trespasser.eu.org www.trespasser.eu.org mail.trespasser.eu.org webmail.trespasser.eu.org cpanel.trespasser.eu.org webdisk.trespasser.eu.org trespasser.trespasser.heliohost.org www.trespasser.trespasser.heliohost.org)
 1:14:57 AM The system has completed the AutoSSL check for tres000a.
 1:22:11 AM Polling for tres000as new certificate for trespasser.trespasser.heliohost.org (order item ID 229333119) 
 1:22:11 AM The certificate is available. The system will now attempt to install it.
 1:22:16 AM SUCCESS The certificate is now installed!
So I guess the problem is the certificates you're making don't cover all of your subdomains and cnames so AutoSSL wants to make a better certificate that will cover them all.

 

I have disabled AutoSSL on your account so it shouldn't even check again let alone try to replace anything. Let us know if it happens again.

 

By the way, you're the only person who has complained about this. AutoSSL is actually one of our biggest draws for people to create accounts on Tommy because no one except for you wants to create and install and remember to renew their own certificates. Thanks for letting us know about it though.
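
As an added example (not part of any post in this thread, and not HelioHost or cPanel code), the Python below parses AutoSSL log lines in the format quoted above and reports, per website, whether a replacement was announced because the certificate was flagged faulty or because more names could be covered. The sample log is constructed; `user0001`, the `example.org` names and the function names are placeholders chosen for illustration.

```python
import re

# Constructed sample in the format of the AutoSSL log quoted in this thread.
SAMPLE_LOG = """\
1:20:12 AM Checking websites for “user0001” …
1:20:12 AM The website “site.example.org”, owned by “user0001”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
1:20:12 AM The website addon.example.org, owned by user0001, has a valid SSL certificate, but additional SSL coverage may be possible for the domains mail.addon.example.org, cpanel.addon.example.org, and webmail.addon.example.org. The system will attempt to replace this certificate with one that includes these additional domains.
1:20:13 AM The system has completed the AutoSSL check for “user0001”.
"""

Q = '[“”"]?'  # the thread shows the log both with and without quote marks
SITE_RE = re.compile(
    rf'The website {Q}(?P<site>[^\s“”",]+){Q}, owned by {Q}(?P<user>[^\s“”",]+){Q}, '
    r'has a (?P<state>faulty|valid) SSL certificate'
)
DEFECT_RE = re.compile(r'\(([^)]+)\)')
COVERAGE_RE = re.compile(r'possible for the domains? (.+?)\. The system')
HOST_RE = re.compile(r'[A-Za-z0-9*_-]+(?:\.[A-Za-z0-9_-]+)+')


def replacement_reasons(log_text):
    """Return one record per website for which the log announces a replacement."""
    records = []
    for line in log_text.splitlines():
        m = SITE_RE.search(line)
        if not m:
            continue
        rec = {"site": m["site"], "user": m["user"],
               "reason": None, "defects": [], "missing_names": []}
        if m["state"] == "faulty":
            d = DEFECT_RE.search(line)
            rec["reason"] = "faulty"
            rec["defects"] = d.group(1).split() if d else []
        else:
            c = COVERAGE_RE.search(line)
            if not c:
                continue  # valid certificate, nothing announced
            rec["reason"] = "coverage"
            rec["missing_names"] = HOST_RE.findall(c.group(1))
        records.append(rec)
    return records


def names_to_request(current_sans, record):
    """Name set a self-managed certificate would need so the log's
    'additional SSL coverage' list would be empty for this website."""
    return sorted(set(current_sans) | set(record["missing_names"]))


if __name__ == "__main__":
    for r in replacement_reasons(SAMPLE_LOG):
        print(r["site"], r["reason"], r["defects"] or r["missing_names"])
```

Whether covering every listed name actually stops a replacement depends on the AutoSSL settings of the host; the function only computes the name set implied by the log.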
