The checkallsslcerts Script
Valid for versions 82 through the latest version
Last modified: April 13, 2021
We strongly recommend that you only run this script if cPanel Technical Support advises you to do so.
The system runs the /usr/local/cpanel/bin/checkallsslcerts script during the nightly cPanel & WHM update (upcp) process. This script performs the following actions:
Requests a Sectigo-signed SSL certificate to replace certificates that meet any of the following conditions:
It uses a weak signature algorithm.
It has been revoked.
It does not have a Subject Alternative Name (SAN) extension.
It does not have an Extended Key Usage (EKU) extension with the Server Authentication value.
It is self-signed.
It is invalid (for example, because the server's hostname is not valid or does not resolve in DNS).
It will expire soon, based on the following criteria:
cPanel-provided certificates that expire in less than 25 days.
Certificates issued by any other provider that expire in less than 3 days.
Updates the SSL certificate for all cPanel & WHM services.
What the script does
When the /usr/local/cpanel/bin/checkallsslcerts script runs, the system performs the following steps:
The system creates a Domain Control Validation (DCV) file, which resembles the following example:
Systems that use EasyApache 4 store this file in the
The system performs a DNS lookup for the hostname's IP address on the root nameservers.
Note:
If the hostname returns multiple IP addresses, the system uses the first IP address.
The system uses the hostname’s IP address to confirm that it can access the Domain Control Validation (DCV) file.
For cPanel & WHM servers, the script uses HTTP validation of the DCV file.
For cPanel DNSOnly® servers, the script uses DNS validation against a DNS
When the local DCV check passes, the system sends a request to the cPanel Store API for the new SSL certificate.
If a valid SSL certificate exists and matches the DCV file, the system does not perform any action.
If the system must issue a new SSL certificate, the system sends a request to Sectigo.
Sectigo validates the DCV file from the following IP addresses:
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
Important:
Sectigo uses these IP addresses to attempt to access the cPanel server. You must allow these IPs in the server firewall. For more information, read our How to Configure Your Firewall for cPanel & WHM Services documentation.
The system logs the Sectigo requests for HTTP DCV in the /etc/apache2/logs/access file. This file also contains the user agent strings that identify who accessed the DCV file. These user agent strings resemble the following examples:
cPanel user agent strings
192.0.2.0 - - [16/Jun/2016:16:16:16 -0500] "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53 "-" "Cpanel-HTTP-Client/1.0"
192.0.2.0 - - [16/Jun/2016:16:16:16 -0500] "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53 "-" "Cpanel-HTTP-Client/1.0"
Sectigo user agent strings
188.8.131.52 - - [16/Jun/2016:16:18:46 +0000] "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "SECTIGO DCV"
184.108.40.206 - - [16/May/2016:16:18:46 +0000] "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "SECTIGO DCV"
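As an added example (not part of cPanel's documentation or code), the following Python parses Apache access log lines like the ones above, picks out requests for DCV files, and labels each fetch as the local cPanel check, an expected Sectigo validation from one of the IP addresses listed above, or an unexpected client worth investigating. The sample log lines are constructed; the IP allowlist is taken from this page, and the function names are my own.

```python
import re
from collections import namedtuple

# Sectigo validation IP addresses as listed on this page.
SECTIGO_DCV_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124", "126.96.36.199"}

# Common Log Format line: client, timestamp, request, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# DCV files are 32 hex characters followed by .txt in the document root.
DCV_PATH_RE = re.compile(r"^/[0-9A-F]{32}\.txt$", re.IGNORECASE)

DcvHit = namedtuple("DcvHit", "ip ts path status ua verdict")

def classify(ip, ua):
    """Label a DCV file fetch by who made it and whether that is expected."""
    if ua.startswith("Cpanel-HTTP-Client/"):
        return "cpanel-local-check"      # checkallsslcerts confirming its own file
    if ua == "SECTIGO DCV":
        if ip in SECTIGO_DCV_IPS:
            return "sectigo-validation"  # expected CA validation request
        return "SUSPECT: Sectigo UA from unlisted IP"
    return "SUSPECT: unknown client fetching DCV file"

def dcv_hits(lines):
    """Return DcvHit records for every request that targets a DCV file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not DCV_PATH_RE.match(m["path"]):
            continue
        hits.append(DcvHit(m["ip"], m["ts"], m["path"], int(m["status"]),
                           m["ua"], classify(m["ip"], m["ua"])))
    return hits

# Constructed sample log lines modelled on the examples above (not a real server's log).
SAMPLE_LOG = """\
192.0.2.0 - - [16/Jun/2016:16:16:16 -0500] "GET /4221C402112E4831C72C2E004614C47C.txt HTTP/1.1" 200 53 "-" "Cpanel-HTTP-Client/1.0"
18.104.22.168 - - [16/Jun/2016:16:18:46 +0000] "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "SECTIGO DCV"
198.51.100.7 - - [16/Jun/2016:16:19:02 +0000] "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "SECTIGO DCV"
203.0.113.9 - - [16/Jun/2016:16:20:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in dcv_hits(SAMPLE_LOG):
        print(hit.ip, hit.path, hit.verdict)
```

Running it against the real /etc/apache2/logs/access file instead of SAMPLE_LOG shows whether any DCV file was fetched by a client other than the local check or Sectigo's listed addresses.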
Run the script
We strongly recommend that you only manually run this script if cPanel Technical Support advises you to do so.
To run this script on the command line, use the following format:
Use the following options with this script:
| Option | Description |
| --- | --- |
| | If the cPanel Store continues to process the hostname certificate request, then the system checks the cPanel Store again in an hour. For more information about this option, see the |
| | Run the script in verbose mode. |
The allow-retry option
When the system checks the cPanel Store after an hour, it runs the following command:
/usr/local/cpanel/scripts/try-later --action '/usr/local/cpanel/bin/checkallsslcerts --no-retry' --check '/bin/sh -c exit 1' --delay 60 --max-retries 1 --skip-first
If the system must retry the SSL certificate update process, it adds an entry in the at daemon (atd) job queue. To view, execute, or remove a job from the atd queue, use the /usr/local/cpanel/scripts/try-later script with one of the following options:
| Option | Description |
| --- | --- |
| | Display the contents of a specific job. |
| | Manually execute a queued job. |
| | Manually remove a queued job. |
If this script detects errors when it runs, it sends an email to the system administrator that contains warnings about those errors.
Disable a cPanel-signed hostname certificate
To disable a cPanel-signed hostname certificate’s installation, run the following command:
To disable the automatic replacement of all expired service certificates and disable notifications about expired or expiring service certificates, run the following command: