The checkallsslcerts Script

Overview:

The system runs the /usr/local/cpanel/bin/checkallsslcerts script during the nightly cPanel & WHM update (upcp) process. This script performs the following actions:

  • Installs a cPanel-signed hostname certificate on the server, if one does not exist.

  • Updates the SSL certificate for all cPanel & WHM services.

  • Issues a Sectigo-signed SSL certificate to replace any certificate that meets one or more of the following conditions:

    • It uses a weak signature algorithm.

    • It has been revoked.

    • It does not have a Subject Alternative Name (SAN) extension.

    • It does not have an Extended Key Usage (EKU) extension with the Server Authentication value.

    • It is self-signed.

    • It is invalid (for example, the server's hostname must be valid and resolve in DNS).

    • It will expire soon, according to the following thresholds:

      • cPanel-provided certificates that expire in less than 25 days.

      • Certificates issued by any other provider that expire in less than 3 days.
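The following is an added example, not cPanel's own code, that applies the replacement conditions listed above to the text output of `openssl x509 -noout -text -in cert.pem`, so you can predict whether the nightly run will replace a given service certificate. The two certificate texts embedded in it are constructed for the example, not taken from a real server. Assumptions not made by the page: a certificate is treated as cPanel-provided when its Issuer contains the string `cPanel`, "self-signed" is approximated as Issuer equal to Subject (the script itself can check the signature), and revocation is not evaluated here because it requires an OCSP or CRL lookup.

```python
"""Predict whether checkallsslcerts would replace a certificate, using the
documented conditions: weak signature algorithm, missing SAN, missing
serverAuth EKU, self-signed, and the 25-day / 3-day expiry thresholds.
Added example for this page; not cPanel's implementation. Revocation is
NOT checked (needs OCSP/CRL); self-signed is approximated by Issuer==Subject."""
import re
from datetime import datetime, timedelta, timezone

WEAK_SIG_ALGS = ("md5", "sha1")   # substrings treated as weak signature algorithms
CPANEL_ISSUER_MARK = "cPanel"     # assumption: cPanel-provided certs carry this in the Issuer
CPANEL_RENEW_DAYS = 25            # threshold from the page for cPanel-provided certs
OTHER_RENEW_DAYS = 3              # threshold from the page for any other provider


def _field(text, label):
    """Value after '<label>:' (or '<label> :') on its own line, '' if absent."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""


def _extension(text, name):
    """The indented value line that follows an 'X509v3 <name>:' header, '' if absent."""
    m = re.search(r"^\s*X509v3 " + re.escape(name) + r":.*\n\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else ""


def replacement_reasons(x509_text, now):
    """Return the documented reasons for which this certificate would be replaced.
    An empty list means checkallsslcerts would leave the certificate alone."""
    reasons = []
    sig_alg = _field(x509_text, "Signature Algorithm").lower()
    if any(weak in sig_alg for weak in WEAK_SIG_ALGS):
        reasons.append("weak signature algorithm: " + sig_alg)
    if not _extension(x509_text, "Subject Alternative Name"):
        reasons.append("no Subject Alternative Name extension")
    if "TLS Web Server Authentication" not in _extension(x509_text, "Extended Key Usage"):
        reasons.append("no Extended Key Usage extension with Server Authentication")
    issuer = _field(x509_text, "Issuer")
    if issuer and issuer == _field(x509_text, "Subject"):
        reasons.append("self-signed (Issuer equals Subject)")
    # openssl pads single-digit days with a space ("Mar  1"); normalise before parsing
    not_after_raw = " ".join(_field(x509_text, "Not After").split())
    not_after = datetime.strptime(not_after_raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    days_left = (not_after - now) / timedelta(days=1)
    limit = CPANEL_RENEW_DAYS if CPANEL_ISSUER_MARK in issuer else OTHER_RENEW_DAYS
    if days_left < limit:
        reasons.append(f"expires in {days_left:.1f} days (less than the {limit}-day limit for this provider)")
    return reasons


# Constructed sample: a cPanel-provided hostname certificate (not a real certificate).
CPANEL_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = cPanel, Inc., CN = cPanel, Inc. Certification Authority
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar  1 23:59:59 2024 GMT
        Subject: CN = hostname.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:hostname.example.com, DNS:www.hostname.example.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# Constructed sample: an old-style self-signed service certificate (not a real certificate).
SELF_SIGNED_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = hostname.example.com
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2025 GMT
        Subject: CN = hostname.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""


def demo():
    """Evaluate both samples at a fixed 'now' so the expiry threshold is visible."""
    now = datetime(2024, 2, 10, tzinfo=timezone.utc)
    return {
        "cpanel_20_days_left": replacement_reasons(CPANEL_CERT_TEXT, now),
        "cpanel_41_days_left": replacement_reasons(CPANEL_CERT_TEXT, now - timedelta(days=21)),
        "self_signed_sha1": replacement_reasons(SELF_SIGNED_CERT_TEXT, now),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "would not be replaced")
```

The same cPanel-provided certificate is left alone with 41 days remaining and replaced with 20 days remaining, which is the 25-day rule at work; a certificate from another provider with 20 days left would not be touched until it fell under 3 days.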

Warning:

We strongly recommend that you only run this script if cPanel Technical Support advises you to do so.

Note:

For more information about SSL certificates, read our Generate an SSL Certificate and Signing Request and Manage AutoSSL documentation.

In the past, cPanel & WHM services used a self-signed certificate. Now, all cPanel & WHM services use a cPanel-signed hostname certificate with a Sectigo trust chain. This document explains how the system installs a cPanel-signed hostname certificate and how to disable the automatic installation of a cPanel-signed hostname SSL certificate if you do not wish to use it.

What the script does

When the /usr/local/cpanel/bin/checkallsslcerts script runs, the system performs the following steps:

  1. The system creates a Domain Control Validation (DCV) file, which resembles the following example:

    4221C402112E4831C72C2E004614C47C.txt
    Note:
    • Systems that use EasyApache 3 store this file in the /usr/local/apache/htdocs/.well-known/pki-validation/ directory.

    • Systems that use EasyApache 4 store this file in the /var/www/html/.well-known/pki-validation directory.

     

  2. The system performs a DNS lookup for the hostname’s IP address on the root nameservers. To do this, it runs the following command:

    dig +trace hostname.example.com
    Note:
    • If the dig command returns multiple IP addresses, the system uses the first IP address that the command returns.

    • In this example, hostname.example.com represents the server’s hostname.

     

  3. The system uses the hostname’s IP address to confirm that it can access the Domain Control Validation (DCV) file. To do this, it runs the following command:

    curl 192.0.2.0/AFAA5C66A1EEF5812703A46C21C013B4.txt
    Note:

    In this example, 192.0.2.0 represents the primary IP address, and AFAA5C66A1EEF5812703A46C21C013B4.txt represents the DCV file.

     

  4. When the local DCV check passes, the system sends a request to the cPanel Store API for the new SSL certificate.

    • If a valid SSL certificate exists and matches the DCV file, the system does not perform any action.

    • If the system must issue a new SSL certificate, the system sends a request to Sectigo.

    • Sectigo validates the DCV file from the following IP addresses:

      178.255.81.12
      178.255.81.13
      91.199.212.132
      199.66.201.132

      Important:

      Sectigo uses these IP addresses to attempt to access the cPanel server. You must allow these IP addresses through the server firewall. For more information, read our How to Configure Your Firewall for cPanel & WHM Services documentation.

       

  5. The system logs the Sectigo requests in the /etc/apache2/logs/access_log file. The log also contains user agent strings that show who accessed the DCV file. These entries resemble the following examples:

    • cPanel user agent strings

      192.0.2.0 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"
      192.0.2.0 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"

       

    • Sectigo user agent strings

      199.66.201.132 - - [16/Jun/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "SECTIGO DCV"
      199.66.201.132 - - [16/May/2016:16:18:46 +0000]  "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53  "-" "SECTIGO DCV"

       
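Steps 1 through 3 above are a local pre-check that must pass before the cPanel Store is ever contacted. The following is an added example, not cPanel's own code, that reproduces that pre-check so an administrator can see which step fails: write a token file, resolve the hostname, and fetch the token back by IP address. Assumptions not taken from the page: the hostname is resolved with the system resolver (the `socket` module) rather than `dig +trace`; the fetch goes to `http://<ip>/.well-known/pki-validation/<token>.txt` with the hostname in the Host header; and the resolver and fetcher are passed in as parameters so the logic can be exercised offline with the fakes in `demo()`.

```python
"""Reproduce the local DCV pre-check (token file, DNS, HTTP fetch by IP).
Added example for this page; not cPanel's implementation. Uses the system
resolver instead of `dig +trace` and a fixed .well-known/pki-validation path."""
import os
import secrets
import socket
import tempfile
import urllib.error
import urllib.request

DCV_URL_PREFIX = "/.well-known/pki-validation/"   # assumption: EA4-style DCV location


def write_dcv_file(docroot):
    """Step 1: create <docroot>/.well-known/pki-validation/<32 hex>.txt with a
    random body; return (filename, body)."""
    name = secrets.token_hex(16).upper() + ".txt"
    body = secrets.token_hex(16) + "\n"
    target_dir = os.path.join(docroot, ".well-known", "pki-validation")
    os.makedirs(target_dir, exist_ok=True)
    with open(os.path.join(target_dir, name), "w") as fh:
        fh.write(body)
    return name, body


def resolve_first_ip(hostname):
    """Step 2: the first address for the hostname (the page says the script
    uses the first IP address that dig returns). Raises OSError on failure."""
    return socket.gethostbyname(hostname)


def http_fetch(ip, hostname, path, timeout=10):
    """Step 3: GET http://<ip><path> with the hostname as Host header.
    Returns (status, body); network errors propagate to the caller."""
    req = urllib.request.Request(f"http://{ip}{path}", headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def dcv_precheck(hostname, docroot, resolve=resolve_first_ip, fetch=http_fetch):
    """Run the three steps; return (ok, detail) naming the condition to fix."""
    name, expected = write_dcv_file(docroot)
    try:
        ip = resolve(hostname)
    except OSError as err:
        return False, f"{hostname} does not resolve in DNS: {err}"
    path = DCV_URL_PREFIX + name
    status, body = fetch(ip, hostname, path)
    if status != 200:
        return False, f"http://{ip}{path} returned HTTP {status}; check the docroot and the firewall"
    if body != expected:
        return False, f"{ip} served different content for {path}; that address is not this server's docroot"
    return True, f"{hostname} -> {ip} serves {path} correctly"


def demo():
    """Exercise every failure mode offline with a fake resolver and fetcher."""
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        def fake_resolve(host):
            if host == "hostname.example.com":
                return "192.0.2.0"            # documentation address, as in the page
            raise OSError("NXDOMAIN")

        def fetch_from_docroot(ip, host, path):
            # pretend only 192.0.2.0 serves this docroot; any other IP is some other server
            if ip != "192.0.2.0":
                return 200, "unrelated content\n"
            try:
                with open(os.path.join(docroot, path.lstrip("/"))) as fh:
                    return 200, fh.read()
            except FileNotFoundError:
                return 404, ""

        results["good"] = dcv_precheck("hostname.example.com", docroot, fake_resolve, fetch_from_docroot)[0]
        results["nxdomain"] = dcv_precheck("nope.invalid", docroot, fake_resolve, fetch_from_docroot)[0]
        results["wrong_ip"] = dcv_precheck("hostname.example.com", docroot, lambda h: "198.51.100.5", fetch_from_docroot)[0]
        results["blocked"] = dcv_precheck("hostname.example.com", docroot, fake_resolve, lambda ip, h, p: (403, ""))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Against a live server, call `dcv_precheck("hostname.example.com", "/var/www/html")` with the defaults; the `wrong_ip` case in `demo()` is the situation where the hostname resolves to an address that is not this server, which no firewall change can fix.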
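The log entries in step 5 are also the evidence trail for the validation itself. The following is an added example, not cPanel's own code, that reads those Apache access log lines and reports the two things worth acting on: Sectigo fetches that did not return HTTP 200 (the DCV will fail, typically because the firewall blocks the address or the file is missing) and requests that present the Sectigo user agent from an address that is not in the documented Sectigo list (the user agent string is trivially spoofable). The log lines in `SAMPLE_LOG` are constructed for the example in the page's own format, not captured from a server; the Sectigo IP list and user agents are the ones shown above.

```python
"""Classify DCV-file fetches in Apache access_log lines and raise alerts for
failed Sectigo fetches and spoofed Sectigo user agents from unknown IPs.
Added example for this page; not cPanel's implementation."""
import re

SECTIGO_DCV_IPS = {"178.255.81.12", "178.255.81.13", "91.199.212.132", "199.66.201.132"}
SECTIGO_UA = "SECTIGO DCV"
CPANEL_UA_PREFIX = "Cpanel-HTTP-Client"

# Apache combined log format, tolerant of the double spaces seen in the page's examples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)"\s+'
    r'(?P<status>\d{3}) (?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)
# A DCV file is 32 hex characters plus .txt, either at the docroot (as in the
# page's examples) or under /.well-known/pki-validation/.
DCV_PATH_RE = re.compile(r"^(?:/\.well-known/pki-validation)?/[0-9A-Fa-f]{32}\.txt$")

# Constructed sample log (not a real capture): self-check, a good Sectigo fetch,
# a Sectigo fetch that got a 404, a spoofed Sectigo UA from a non-Sectigo IP,
# and an unrelated request.
SAMPLE_LOG = """\
192.0.2.0 - - [16/Jun/2016:16:16:16 -0500]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "Cpanel-HTTP-Client/1.0"
199.66.201.132 - - [16/Jun/2016:16:18:46 +0000]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "SECTIGO DCV"
178.255.81.12 - - [16/Jun/2016:16:18:47 +0000]  "GET /.well-known/pki-validation/4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 404 196  "-" "SECTIGO DCV"
203.0.113.9 - - [16/Jun/2016:16:20:01 +0000]  "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53  "-" "SECTIGO DCV"
198.51.100.7 - - [16/Jun/2016:16:21:30 +0000]  "GET /index.html HTTP/1.1" 200 1042  "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label a parsed entry, or return None if it is not a DCV-file request."""
    if not DCV_PATH_RE.match(entry["path"]):
        return None
    if entry["ua"].startswith(CPANEL_UA_PREFIX):
        return "cpanel-self-check"
    if entry["ua"] == SECTIGO_UA:
        if entry["ip"] not in SECTIGO_DCV_IPS:
            return "sectigo-ua-unknown-ip"       # UA says Sectigo, address does not
        return "sectigo-ok" if entry["status"] == 200 else "sectigo-failed"
    return "other-dcv-access"


def analyze(log_text):
    """Return (counts per label, alert strings) for every DCV request in the log."""
    counts, alerts = {}, []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is None:
            continue
        counts[label] = counts.get(label, 0) + 1
        if label in ("sectigo-failed", "sectigo-ua-unknown-ip"):
            alerts.append(f"{label}: {entry['ip']} got HTTP {entry['status']} for {entry['path']} at {entry['ts']}")
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_LOG)
    print(counts)
    for alert in alerts:
        print(alert)
```

Point `analyze()` at the contents of /etc/apache2/logs/access_log after a failed nightly run: a `sectigo-failed` entry with a 403 or a connection that never appears in the log at all usually means the firewall allow-list from step 4 is incomplete.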

Run the script

Remember:

We strongly recommend that you only manually run this script if cPanel Technical Support advises you to do so.

To run this script on the command line, use the following format:

/usr/local/cpanel/bin/checkallsslcerts [--verbose] [--allow-retry]

Options

Use the following options with this script:

Option: --verbose
Description: Adjusts the output to include progress messages that resemble the following:
  • The system will attempt to replace the self-signed certificate for the cpanel service with a signed certificate from the cPanel Store.
  • The system will attempt to replace the self-signed certificate for the dovecot service with a signed certificate from the cPanel Store.
  • The system will attempt to replace the self-signed certificate for the exim service with a signed certificate from the cPanel Store.
  • The system will attempt to replace the self-signed certificate for the ftp service with a signed certificate from the cPanel Store.
Example: /usr/local/cpanel/bin/checkallsslcerts --verbose

Option: --allow-retry
Description: If the cPanel Store has not yet finished processing the hostname certificate request, the system checks the cPanel Store again in an hour. To schedule that check, it runs the following command:
  /usr/local/cpanel/scripts/try-later --action '/usr/local/cpanel/bin/checkallsslcerts --no-retry' --check '/bin/sh -c exit 1' --delay 60 --max-retries 1 --skip-first
Example: /usr/local/cpanel/bin/checkallsslcerts --allow-retry

The --allow-retry option

If the system must retry the SSL certificate update process, the scheduled retry appears as an entry in the at daemon (atd) job queue.

To view, execute, or remove that job, run one of the following commands. In each command, # represents the job number that atq reports:

Command        Description
atq            Lists the queued at jobs.
at -c #        Displays the contents of job number #.
at -c # | sh   Runs job number # immediately, as the current user.
atrm #         Removes job number # from the queue.

Output

If this script detects errors when it runs, it sends an email to the system administrator that contains warnings about those errors.

Disable a cPanel-signed hostname certificate

To disable a cPanel-signed hostname certificate’s installation, run the following command:

touch /var/cpanel/ssl/disable_auto_hostname_certificate

To disable the automatic replacement of all expired service certificates and disable notifications about expired or expiring service certificates, run the following command:

touch /var/cpanel/ssl/disable_service_certificate_management
