[BUG] Self-Signed SSL Certs being Issued for Valid Domains due to Acme.sh Failure

[packetdog]

Hello,

We're hosting 8 sites on CyberPanel 2.3.4-dev on Ubuntu 22.04 LTS. Everything is updated. We've been experiencing sites losing their SSL certificates as acme.sh fails, and CyberPanel issues a self-signed certificate. This has been documented on the forums (here, here, here, here, here, and this list goes on...), however it was not until today that I was able to pull a log file from acme.sh to see what was happening.

The attached log has been redacted, and all instances of MYDOMAIN are actually a valid and working .com domain name. All instances of IP.IP.IP.IP refer to our public IP address for this server. At issue, in the log file attached, you will find that acme.sh pulls in the website root of /usr/local/lsws/Example/html which is of course not valid, so the challenge can't be completed. The appropriate root for this site would be /home/MYDOMAIN.com/public_html/ which exitsts and has appropriate permissions.

Additionally, manually running the ISSUE SSL command from the CyberPanel web UI corrects this issue, for a few weeks. It seems that some 10-20 days after manually renewing the certificates, the failure reoccurs, and causes a self-signed certificate to be issued. So for whatever reason this seems to break during the automation, but not when running manually from the Web UI.

My only other request related to this is: Is there a way to force CyberPanel to issue a notification if a self-signed certificate is EVER issued? I'd much rather get an email for this issue before my client notices that their site is having an issue.

LOG FILE:
acme.sh-MYDOMAIN.log

[liufunyu]

I have the same problem on Ubuntu 22.04 / Cyberpanel 2.3.3, it happens every Sunday !!!!

[JosephChuks]

I have this exact issue. Having to manually reissue SSL cert to over 150+ sites every 2 weeks (Sundays at 00:00 hours GMT) is annoying as clients wake you up with their sites showing security risk.

[berksmbl]

We are experiencing a similar issue where we already have an existing SSL certificate and we add the relevant SSL certificate to the website through CyberPanel. Everything works fine, but even though the certificate still has a long time to expire, CyberPanel replaces it with a self-signed certificate, which causes a security warning. When we manually add the same certificate again, the issue is resolved, but after a short while, the certificate is changed again automatically.

[packetdog]

FYI- The is some additional discussion about this in the CyberPanel Facebook Group at https://www.facebook.com/groups/cyberpanel/posts/3301268023518156/ and https://www.facebook.com/groups/cyberpanel/posts/3300444160267209/.

[PorkStew]

I've had the exact same issue, it seems that it's related to the update because i could issue SSL's without an issue before updates.

I've made a post on CyberPanel fourms explaining the issue.

https://community.cyberpanel.net/t/cant-issue-ssl-certs/41616

[cymode]

Same issue here since 2.3.3. re-creating SSL certs manually/via cron job via "cme.sh --renew -d domain.com --force" for dozens of domains every 2 weeks is not ideal. Cannot figure out why Cyberpanel can't issue it, not like it's a difficult command... 😅. Self-signed certificates should result in an immediate warning via e-mail in my opinion as that can be disastrous for sales and google ads budget if not caught quickly.

[cymode]

@usmannasir, I can provide access to server if it helps to troubleshoot. I've got a 5-6 unused domains that are currently still with self-signed certificate and have stayed that way for my own troubleshooting.

[jintron]

Wasted quite a bit of time trying to make sense of the SSL issue. The same issues come up, if you try to create multiple domains (incl SSL) via cyberpanel CLI on Rocky Linux 8.4.
Sometimes changing the vhost conf to reference the right path to public_html works, sometimes it doesn´t.
Sometimes fixing the folder permissions work, sometimes it doesn´t.
Sometimes an Certificate for another website (which was created earlier) is assiged to a newly created website.
Sometimes creating just the website via CLI without SSL and then issuing the Certificate via Certbot works, sometimes not.
I really tried to wrap my head around the issue and isolate the problem, but I give up.
Think the easiest fix for me (for now) is to skip this version.

[usmannasir]

@shbs9 where you able to reproduce issue on any of the mentioned users?

[usmannasir]

If any of you guys have opened ticket with server login details, feel free to mention ticket number.

[usmannasir]

PS: New webroot for latest version of CyberPanel is /usr/local/lsws/Example/html, can you guys show me your vhost conf?

[cymode]

@usmannasir what file do you want and I'll copy/paste the details, or did you just want screenshots from the OLS backend?

[liufunyu]

vhost.conf is in /usr/local/lsws/conf/vhosts/mydomain.com/vhost.conf

root@c2:/usr/local/lsws/conf/vhosts/c2.cocosuit.com# cat vhost.conf
docRoot                   $VH_ROOT/public_html
vhDomain                  $VH_NAME
vhAliases                 www.$VH_NAME
adminEmails               liufunyu000@gmail.com
enableGzip                1
enableIpGeo               1

index  {
  useServer               0
  indexFiles              index.php, index.html
}

errorlog $VH_ROOT/logs/$VH_NAME.error_log {
  useServer               0
  logLevel                WARN
  rollingSize             10M
}

accesslog $VH_ROOT/logs/$VH_NAME.access_log {
  useServer               0
  logFormat               "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i""
  logHeaders              5
  rollingSize             10M
  keepDays                10
  compressArchive         1
}

scripthandler  {
  add                     lsapi:ccoco3242 php
}

extprocessor ccoco3242 {
  type                    lsapi
  address                 UDS://tmp/lshttpd/ccoco3242.sock
  maxConns                10
  env                     LSAPI_CHILDREN=10
  initTimeout             600
  retryTimeout            0
  persistConn             1
  pcKeepAliveTimeout      1
  respBuffer              0
  autoStart               1
  path                    /usr/local/lsws/lsphp80/bin/lsphp
  extUser                 ccoco3242
  extGroup                ccoco3242
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           400
  procHardLimit           500
}

phpIniOverride  {

}

module cache {
 storagePath /usr/local/lsws/cachedata/$VH_NAME
}

rewrite  {
 enable                  1
  autoLoadHtaccess        1
}

context /.well-known/acme-challenge {
  location                /usr/local/lsws/Example/html/.well-known/acme-challenge
  allowBrowse             1

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}


vhssl  {
  keyFile                 /etc/letsencrypt/live/c2.cocosuit.com/privkey.pem
  certFile                /etc/letsencrypt/live/c2.cocosuit.com/fullchain.pem
  certChain               1
  sslProtocol             24
  enableECDHE             1
  renegProtection         1
  sslSessionCache         1
  enableSpdy              15
  enableStapling           1
  ocspRespMaxAge           86400
}