The AutoSSL certificate renewal may cause a reduction of coverage
Are you a cPanel user who has received an email with the subject “The AutoSSL certificate renewal may cause a reduction of coverage…”?
If you have, then DO NOT WORRY, you’re not alone!
In cPanel version 68 a new feature was added to send email notifications to end users when an AutoSSL certificate renewal is processed:
SSL and AutoSSL certificate renewal, expiry, failure, and success notifications
In cPanel & WHM version 68, by default, the system automatically sends users notifications about the status of SSL and AutoSSL certificates. These notifications include useful information and URLs users can access to correct a problem. You can enable or disable the following notifications:
In WHM’s Contact Manager interface (WHM >> Home >> Server Contacts >> Contact Manager):
- AutoSSL certificates expiring — An account’s AutoSSL certificate expires soon.
- Installation of AutoSSL certificates — AutoSSL installed an SSL certificate.
- Installation of purchased SSL certificates — The system installed SSL certificates that a user purchased through the cPanel Market.
- SSL Certificate Expiration — A service-level SSL certificate has expired.
- SSL Certificate Expires Soon — An account’s SSL certificate expires soon.
- SSL certificates expiring — An account’s SSL certificate expires soon.
In cPanel’s Contact Information interface (cPanel >> Home >> Preferences >> Contact Information):
- AutoSSL has renewed a certificate — AutoSSL successfully completed a certificate renewal.
- AutoSSL certificate expiry — An AutoSSL certificate will expire soon.
- SSL certificate expiry — A non-AutoSSL certificate will expire soon.
This new feature means that cPanel users are starting to receive emails such as the following:
The system failed to fetch the DCV (Domain Control Validation) file at “http://cpanel.domain.co.uk/.well-known/pki-validation/BC8C01969F8C44363E5026E6A260F53C.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://cpanel.domain.co.uk/.well-known/pki-validation/BC8C01969F8C44363E5026E6A260F53C.txt” because of an error: Timed out while waiting for socket to become ready for reading
Other similar errors are also reported in the emails, such as:
The system queried for a temporary file at “http://webdisk.exampledomain.co.uk/.well-known/pki-validation/C14A94680FfdfDF1E93E14EFC.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “webdisk.exampledomain.co.uk” resolved to an IP address “1.2.3.4.5” that does not exist on this server.
Both of these errors are usually caused by AutoSSL (the cPanel feature that automatically installs free Comodo or Let’s Encrypt SSL certificates on domains) attempting to install certificates on cPanel-related subdomains (webdisk.domain.com or cpanel.domain.com) or on domains that don’t resolve directly to the server. An example of the latter is a domain running behind Cloudflare or another CDN.
If your domains resolve directly to the server, then there is nothing to worry about: your SSL certificates will be automatically renewed as normal!
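The two causes described above can be read straight out of the notification text. The following is an added example, not cPanel's code and not part of the original article: a small Python triage function that extracts the DCV host from an error message and lists the likely causes. The function name, the `SERVICE_LABELS` set and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Service subdomain labels named in the article; extend for your own server.
SERVICE_LABELS = {"cpanel", "webdisk"}

DCV_URL = re.compile(r'https?://[^\s"“”]+/\.well-known/pki-validation/[^\s"“”]+')
FOREIGN_IP = re.compile(
    r'resolved to an IP address [“"]([^”"]+)[”"] that does not exist on this server')

def triage(message):
    """Return (host, causes) for one AutoSSL DCV error message."""
    match = DCV_URL.search(message)
    if not match:
        return None, ["no DCV URL found"]
    host = urlsplit(match.group(0)).hostname
    causes = []
    if host.split(".")[0] in SERVICE_LABELS:
        causes.append("cPanel service subdomain")
    foreign = FOREIGN_IP.search(message)
    if foreign:
        causes.append(f"resolves to {foreign.group(1)}, not an IP on this server")
    if "Timed out" in message:
        causes.append("HTTP request timed out")
    if "404 (Not Found)" in message:
        causes.append("validation file not found (404)")
    return host, causes

# Constructed sample messages, modelled on the errors quoted above.
SAMPLES = [
    'The system failed to fetch the DCV (Domain Control Validation) file at '
    '“http://cpanel.example.com/.well-known/pki-validation/0123ABCD.txt” because of '
    'an error: Timed out while waiting for socket to become ready for reading',
    'The system queried for a temporary file at '
    '“http://www.example.org/.well-known/pki-validation/4567EF01.txt”, but the web '
    'server responded with the following error: 404 (Not Found). The domain '
    '“www.example.org” resolved to an IP address “203.0.113.10” that does not exist '
    'on this server.',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, causes = triage(sample)
        print(f"{host}: {'; '.join(causes)}")
```

A message that reports a foreign IP for a main domain, rather than a service subdomain, is the case worth checking against your DNS or CDN settings.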
For the end user these emails can be both confusing and frustrating, and in their infinite wisdom cPanel haven’t added an option to globally disable them, although this feature is planned in an upcoming cPanel v68 release.
Until then, our best advice is simply to disregard the emails.