Questions? Feedback? powered by Olark live chat software
Knowledgebase
Author Avatar

Switching SSL provider from Letsencrypt to Sectigo

Written by: on 01 October 2021 03:54 PM 01 October 2021 03:54 PM

On Sept 30 2021 there was a major issue with LetsEncrypt root certificates affecting a large number of devices for browsing and mail checking. To get around this we recommend switching from LetsEncrypt to Sectigo (cPanel provided certificates). For more information see: https://forums.cpanel.net/threads/cpanel-33077-letsencrypt-transition-to-isrgs-root-important.673981/

If there are issues with Letsencrypt SSL certificates in WHM/cPanel you can switch SSL provider to Sectigo.

To do that:

  • - Login to WHM as root
  • - Go to AutoSSL and check who is the current SSL provider
  • - If Letsencrypt is currently chosen you can switch to cPanel (powered by Sectigo) and click Save.

  • - Go to Options, scroll to the bottom and ensure the option "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." is selected.

  • - Then click "Run AutoSSL For All Users" blue button.

  • - You can check the process in Logs tab.

If you watch the AutoSSL process in the Logs section and see something like "provider cannot currently accept incoming requests. The system will try again later" then just wait several minutes and check in AutoSSL queue is filled at "Pending Queue" section. Once domain appear in that queue the certificates for them will be issued within 15 minutes.

If at the end of the current log you see two identical lines like below:

X:YY:ZZ PM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.
X:YY:ZZ PM The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later.

It means AutoSSL is stuck. Then you need to push AutoSSL again manually (for all users or for that particular one).

Once the new certificate has been issued you should restart HTTP Server (Apache), IMAP Server and Mail Server (Exim) in WHM -> Restart Services

However, if previously issued Letsencrypt certificate is still valid AutoSSL may skip it from re-issuing procedure.

To enforce AutoSSL to issue SSL certificate from Sectigo provider:

  • - Login to WHM as root
  • - Go to "Manage SSL Hosts"
  • - Find the domain you wish to force certificate re-issue
  • - Click "Delete" against that domain to remove SSL certificate for that domain (please note that subdomains covered by the same certificate will be affected too)
  • - Then go to "AutoSSL" section and either click "Run AutoSSL For All Users" or click to "Manage Users" and click "Check" against cPanel user account.

(1 vote(s))
Helpful
Not helpful