
Comments (8)

githubRover commented on June 19, 2024

Do you block access by geographic region or countries? Because Let's Encrypt recently added two additional remote validation server locations. The "secondary validation" points to a problem with one of the 4 secondary sites (the 5th validation center is in the USA).
This has been a common topic on the Let's Encrypt community forum since this change:
https://community.letsencrypt.org/t/lets-encrypt-is-adding-two-new-remote-perspectives-for-domain-validation/214123

from getssl.
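An added example, not part of the thread or of getssl: one way to check the geo-blocking theory from the web server's own access log is to count how many distinct source addresses fetched each ACME challenge token. The log lines, addresses and token names are constructed, and the default of 5 expected perspectives is an assumption taken from the comment above.

```python
import re
from collections import defaultdict

# Matches a combined-log-format request for an HTTP-01 challenge file.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /\.well-known/acme-challenge/(\S+) HTTP/[\d.]+" (\d{3}) ')

UA = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
      "+https://www.letsencrypt.org)")

def _line(ip, token, status):
    """Build one constructed access-log line."""
    return (f'{ip} - - [19/Jun/2024:10:00:01 +0000] '
            f'"GET /.well-known/acme-challenge/{token} HTTP/1.1" '
            f'{status} 87 "-" "{UA}"')

# Constructed sample: tokenA is fetched from 5 addresses; tokenB from only 2,
# plus one address that an application-level rule answered with 403.
SAMPLE_LOG = (
    [_line(f"192.0.2.{i}", "tokenA", 200) for i in range(1, 6)]
    + [_line("192.0.2.1", "tokenB", 200), _line("192.0.2.2", "tokenB", 200),
       _line("198.51.100.7", "tokenB", 403),
       '203.0.113.9 - - [19/Jun/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl"'])

def incomplete_validations(lines, expected=5):
    """Return tokens that fewer than `expected` distinct addresses fetched with 200.

    `expected` is an assumption (primary plus secondary perspectives as described
    in the thread). Requests dropped by a firewall never reach the log, so they
    show up only as part of the 'missing' count.
    """
    seen = defaultdict(lambda: {"ok": set(), "refused": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a challenge request
        ip, token, status = m.groups()
        seen[token]["ok" if status == "200" else "refused"].add(ip)
    report = {}
    for token, hits in seen.items():
        if len(hits["ok"]) < expected:
            report[token] = {"answered": len(hits["ok"]),
                             "refused": sorted(hits["refused"]),
                             "missing": expected - len(hits["ok"])}
    return report

if __name__ == "__main__":
    for token, info in incomplete_validations(SAMPLE_LOG).items():
        print(token, info)
```

A token with a non-zero `missing` count and an empty `refused` list suggests the requests were dropped before the web server, which is what a network-level country block looks like from the log.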

Nepherim commented on June 19, 2024

That was the exact problem. I have spent days trying to track this down, and there is zero chance I would ever have considered this as the issue. Thanks so much for responding!

from getssl.

Nepherim commented on June 19, 2024

That did resolve the specific error, but now I'm getting:

- The certificate could not be installed on the domain “DOMAIN.com”.
- Certificate verification failed!  The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.

from getssl.

githubRover commented on June 19, 2024

Where do you see that error?

If your last good cert was before Feb 8 of this year I would guess that the system reporting the error does not have the ISRG Root X1 certificate in its CA store. Is it an older system? On Feb 8 the default chain from Let's Encrypt no longer includes the cross-signed DST Root CA X3 and so systems must trust ISRG Root X1.

Temporarily you can request the older "long chain" but this will soon be gone anyway. If this sounds possible see below.
https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580

from getssl.

Nepherim commented on June 19, 2024

The expired certificate was issued in January 2024.

"system reporting the error does not have ISRG Root X1 certificate in its CA store."
Is something the webhost needs to do?

Using the long chain option below didn't change the getssl output:

FULL_CHAIN_INCLUDE_ROOT="true"

That's an error from getssl. Full text below:

DOMAIN.com: remote cert expires sooner than local, attempting to upload from local
reloading SSL services
[2024-04-21 13:44:22 -0500] warn [uapi] Cpanel::Wrap::send_cpwrapd_request adminbin Cpanel/ssl/ADD: exit 5: namespace=[Cpanel] module=[ssl] function=[ADD]: raw_response=[{"mode":"full","statusmsg":"adminbin Cpanel/ssl/ADD: exit 5","status":1,"version":"2.4","data":{"message":"Certificate verification failed!  The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.","statusmsg":"Certificate verification failed!  The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.","action":"install","status":0,"html":"Certificate verification failed!  The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included."},"exit_code":1280,"error":1,"timeout":0,"action":"fetch"}]
[2024-04-21 13:44:22 -0500] warn [uapi] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[ssl] function=[ADD]: statusmsg=[adminbin Cpanel/ssl/ADD: exit 5]
--- 
apiversion: 3
func: install_ssl
module: SSL
result: 
  data: 
    cert_id: DOMAIN_com_9dfc5_73007_1721488995_2cd368d44c64a395a76757dbfdce85cc
    key_id: 9dfc5_73007_5e08944e645ddef9d75418b8f918c2bb
  errors: 
    - The certificate could not be installed on the domain “DOMAIN.com”.
    - Certificate verification failed!  The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.
  messages: ~
  metadata: {}

  status: 0
  warnings: ~
DOMAIN.com: certificate is valid for more than 30 days (until Jul 20 15:23:15 2024 GMT)

from getssl.

githubRover commented on June 19, 2024

The error is coming from cPanel. I am not expert at cPanel but you could try copy/paste the cert, chain, and private key yourself into your cPanel screen. You may need to take that up with your hosting service if that fails.

The message is a little puzzling in that it suggests adding the Root certificate to the chain. I didn't think modern cPanel systems require the root cert in the chain. I might be wrong or yours might need it.

The other possibility is the script you use to update cPanel needs updating. Perhaps it is manipulating the chain.pem file wrongly now that it is shorter than before.

Maybe someone else here will be able to help. Or, try the Let's Encrypt community forum.

from getssl.

Nepherim commented on June 19, 2024

I tried copy/pasting the certs into cpanel, but it basically throws the same error.

The script being used to update cpanel is the one in the repo cpanel_cert_upload.

I'll try over in the LE forum also. Thanks again for your help here.

from getssl.

Nepherim commented on June 19, 2024

UPDATE: removing the existing chain, fullchain, and DOMAIN.com.crt files from .getssl/DOMAIN.com resolved the issue. Not entirely sure why, but once I did that everything worked and updated cpanel.

from getssl.
