Last modified: November 1, 2023
Overview
We strongly recommend that you only run this script if cPanel Technical Support advises you to do so.
The system runs the /usr/local/cpanel/bin/checkallsslcerts script in the following situations:
- During the nightly cPanel & WHM update (upcp) process.
- When you purchase or add a cPanel & WHM license.
This script performs the following actions:
- Requests an SSL certificate to replace certificates that meet any of the following conditions:
  - It uses a weak signature algorithm.
  - It has been revoked.
  - It does not have a Subject Alternative Name (SAN) extension.
  - It does not have an Extended Key Usage (EKU) extension with the Server Authentication value.
  - It is self-signed.
  - It is invalid (for example, your server’s hostname must be valid and resolve in DNS).
  - It will expire soon.
- Updates the SSL certificate for all cPanel & WHM services.
Note:
- If any of the above is not true, the system installs a self-signed SSL certificate instead.
- For more information about SSL certificates, read our Generate an SSL Certificate and Signing Request and Manage AutoSSL documentation.
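To see which of the replacement conditions listed above apply to a given certificate, the following added example (not cPanel's code) checks the ones that the openssl CLI can test locally. The function names, the 30-day "expire soon" threshold, the choice of MD5 and SHA-1 as "weak", and the host.example.test sample certificates are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not cPanel code: flag the replacement conditions that the
# openssl CLI can test locally. Revocation and hostname/DNS validity are not checked.
# audit_cert FILE [DAYS]: print one condition name per line (no output = none found).
audit_cert() {
    cert=$1
    days=${2:-30}  # assumption: the page does not define "expire soon"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    # Assumption: MD5 and SHA-1 signatures count as "weak".
    printf '%s\n' "$text" | grep 'Signature Algorithm' | grep -Eiq 'md5|sha1' && echo weak_signature
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name' || echo no_san
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || echo no_eku_server_auth
    # Heuristic: subject and issuer names hash to the same value.
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] && echo self_signed
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null || echo expires_soon
    return 0
}

# make_samples DIR: build two constructed test certificates for host.example.test.
make_samples() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = host.example.test
[ext]
subjectAltName = DNS:host.example.test
extendedKeyUsage = serverAuth
EOF
    # bare.pem: no SAN, no EKU, valid for 10 days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 -config "$1/req.cnf" \
        -keyout "$1/bare.key" -out "$1/bare.pem" 2>/dev/null
    # full.pem: SAN and serverAuth EKU, valid for 365 days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$1/req.cnf" \
        -extensions ext -keyout "$1/full.key" -out "$1/full.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
for c in bare full; do
    echo "$c.pem: $(audit_cert "$tmp/$c.pem" | tr '\n' ' ')"
done
```

To audit a real certificate, call audit_cert with the path to its PEM file.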
Run the script
We strongly recommend that you only manually run this script if cPanel Technical Support advises you to do so.
To run this script on the command line, use the following format:
/usr/local/cpanel/bin/checkallsslcerts [options]
Options
Use the following options with this script:
Option | Description | Example |
---|---|---|
--allow-retry | If the cPanel Store continues to process the hostname certificate request, then the system checks the cPanel Store again in an hour. For more information about this option, see the allow-retry options section below. | --allow-retry |
--verbose | Run the script in verbose mode. | --verbose |
The allow-retry options
When the system checks the cPanel Store after an hour, it runs the following command:
/usr/local/cpanel/scripts/try-later --action '/usr/local/cpanel/bin/checkallsslcerts --no-retry' --check '/bin/sh -c exit 1' --delay 60 --max-retries 1 --skip-first
If the system must retry the SSL certificate update process, it adds an entry in the at daemon (atd) job queue. To view, execute, or remove a job from the atd queue, use the /usr/local/cpanel/scripts/try-later script with one of the following options:
Option | Description |
---|---|
atq | List all at queue jobs. |
at -c # | Display the contents of a specific job. |
at -c # \| sh | Manually execute a queued job. |
atrm # | Manually remove a queued job. |
Output
If this script detects errors when it runs, it sends an email to the system administrator that contains warnings about those errors.
Disable an automatic hostname certificate
To disable an automatic hostname certificate’s installation, run the following command:
touch /var/cpanel/ssl/disable_auto_hostname_certificate
To disable the automatic replacement of all expired service certificates and disable notifications about expired or expiring service certificates, run the following command:
touch /var/cpanel/ssl/disable_service_certificate_management