LE Certificate Chain Issues

My API server was having SSL validation issues, so I tried to reissue the cert and got the error:
Ssl_Module::install(): chain not valid for certificate

It had an LE Gen Y cert before attempting to reissue, now it has no cert and I can’t seem to add one.

What led me to this was failed deletes of test accounts on other servers:

ERROR  : unknown(): failed to remove site `site424': fatal(): fatal error contacting lookup API service: `Curl error: SSL certificate problem: unable to get local issuer certificate'
         0. Error_Reporter::append_msg("fatal(): fatal error contacting lookup API service: `Curl error: SSL certificate problem: unable to get local issuer certificate'", ["fatal", "fatal error contacting lookup API service: `Curl error: SSL certificate problem: unable to get local issuer certificate'"], 64)
            [/usr/local/apnscp/lib/error_reporter.php:1346]
         1. Error_Reporter::trigger_fatal("fatal error contacting lookup API service: `Curl error: SSL certificate problem: unable to get local issuer certificate'", ["Curl error: SSL certificate problem: unable to get local issuer certificate"])
            [/usr/local/apnscp/lib/log_wrapper.php:50]
         2. fatal("fatal error contacting lookup API service: `%s'", "Curl error: SSL certificate problem: unable to get local issuer certificate")
            [/usr/local/apnscp/lib/Auth/Lookup.php:110]
         3. Auth_Lookup::request("POST", "lookup", [domain:"apiscp-int-zzdtnsvqspppbivn.test", full:true])
            [/usr/local/apnscp/lib/Auth/Lookup.php:125]
         4. Auth_Lookup::lookup("apiscp-int-zzdtnsvqspppbivn.test")
            [/usr/local/apnscp/lib/Auth/Redirect.php:81]
         5. Auth_Redirect::lookup("apiscp-int-zzdtnsvqspppbivn.test")
            [/usr/local/apnscp/lib/modules/auth.php:1332]
         6. Auth_Module->_delete()
            [/usr/local/apnscp/lib/Util/Account/Hooks.php:140]
         7. Util_Account_Hooks->_process("delete", )
            [/usr/local/apnscp/lib/Util/Account/Hooks.php:50]
         8. Util_Account_Hooks->run("delete")
            [/usr/local/apnscp/lib/Opcenter/Account/Delete.php:208]
         9. Opcenter\Account\Delete->processHooks()
            [/usr/local/apnscp/lib/Opcenter/Account/Delete.php:242]
        10. Opcenter\Account\Delete->exec()
            [/usr/local/apnscp/bin/DeleteDomain:97]
]# cpcmd misc:cp-version
revision: e76ee459cd741e635fdc1e7ebed9efa9d2a450ed
timestamp: 1780337518
ver_maj: 3
ver_min: 2
ver_patch: 48
ver_pre: 62-ge76ee459c
dirty: false
debug: false

Reissue the certificate for the API server. This is fixed in edge in commit e76ee45. After updating to e76ee45:

For root certificate: cpcmd letsencrypt:renew
For sites affected: cpcmd -d siteXX letsencrypt:renew

Let’s Encrypt began issuing certificates signed by YE and YR, which aren’t present in OS CA stores. This affects additional services such as IMAP/POP3 clients which may not have the updated stores. Chrome, confusingly enough, does have these certs bundled, so the error isn’t conspicuous at first glance.


This commit also adds support for fuzzy matching, which will prefer a signing root if present. From my survey, X1/X2 are retired.

I’m on e76ee45 and this is the Log Output:
I’m now rate limited and was forced to install manually.

cpcmd -d site1 ssl:install "$PRIVKEY" "$LEAF" "$INTERMEDIATE"

I was able to sort the Certs into the leaf, intermediate and root and drop the root.

The certs translated to:

  • api.lithium.hosting (leaf), issued by Let’s Encrypt YE1
  • Root YE (intermediate), issued by ISRG Root X2
  • YE1 (intermediate), issued by Root YE

I can’t test for a few days until the rate limit is lifted. I can confirm the issue persists with the remote servers not able to validate the certificate.

DEBUG  : api.lithium.hosting already resolved by http
INFO   : Downloaded missing chain `http://ye2.i.lencr.org/'
INFO   : Downloaded missing chain `http://ye.i.lencr.org/'
DEBUG  : api.lithium.hosting already resolved by http
ERROR  : Ssl_Module::install(): chain not valid for certificate
         0B. Error_Reporter::add_error("chain not valid for certificate", )
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1B. error("chain not valid for certificate")
            [/usr/local/apnscp/lib/modules/ssl.php:253]
         2B. Ssl_Module->install(...)
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:146]
         3B. Module\Skeleton\Standard->_invoke("install", [...])
            [/usr/local/apnscp/lib/apnscpfunction.php:996]
         4B. apnscpFunctionInterceptor->call("ssl_install", [...])
            [/usr/local/apnscp/lib/apnscpFunctionInterceptorTrait.php:34]
         5B. Module\Skeleton\Standard->__call("ssl_install", [...])
            [/usr/local/apnscp/lib/modules/letsencrypt.php:462]
         6B. Letsencrypt_Module->_moveCertificates("site1")
            [/usr/local/apnscp/lib/modules/letsencrypt.php:408]
         7B. Letsencrypt_Module->request(["api.lithium.hosting"], false, false)
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:146]
         8B. Module\Skeleton\Standard->_invoke("request", [["api.lithium.hosting"], false, null])
            [/usr/local/apnscp/lib/apnscpfunction.php:996]
         9B. apnscpFunctionInterceptor->call("letsencrypt_request", [["api.lithium.hosting"], false, null])
            [/usr/local/apnscp/lib/lservicelib.pht:1187]
        10B. ListenerService\Daemon->process_backend_data("")
            [/usr/local/apnscp/lib/lservicelib.pht:1104]
        11B. ListenerService\Daemon->client_processing_loop()
            [/usr/local/apnscp/lib/lservicelib.pht:1060]
        12B. ListenerService\Daemon->spawn()
            [/usr/local/apnscp/lib/lservicelib.pht:903]
        13B. ListenerService\Daemon->findWorker(3828)
            [/usr/local/apnscp/lib/lservicelib.pht:1413]
        14B. ListenerService\Daemon->dispatch(Socket)
            [/usr/local/apnscp/lib/lservicelib.pht:1285]
        15B. ListenerService\Daemon->master()
            [/usr/local/apnscp/lib/lservicelib.pht:1233]
        16B. ListenerService\Daemon->create_master_socket_server()
            [/usr/local/apnscp/lib/lservicelib.pht:328]
        17B. ListenerService\Daemon->start()
            [/usr/local/apnscp/lib/lservicelib.pht:170]
        18B. ListenerService\Daemon->__construct()
            [/usr/local/apnscp/lib/lservicelib.pht:1466]
        19B. ListenerService\Daemon::init()
            [/usr/local/apnscp/lib/lservice.php:28]
[Tue Jun 02 02:04:05 2026] [last message repeated 96 times]

Mine crashed and website still shows invalid certificate…

[root@web5 ~]# env DEBUG=1 cpcmd -d domain2.it letsencrypt:request '[*.domain1,domain1.it,*.domain2.it,domain2.it]'
DEBUG  : *.domain1.it already resolved by dns
DEBUG  : *.domain2.it already resolved by dns
DEBUG  : domain1.it already resolved by http
DEBUG  : domain2.it already resolved by http
         0. Error_Reporter::get_debug_bt()
            [/usr/local/apnscp/lib/error_reporter.php:857]
         1. Error_Reporter::print_debug_bt()
            [/usr/local/apnscp/lib/datastream.php:422]
...
FATAL  : fatal(): `ssl_install': crash or other nasty error detected
         0. Error_Reporter::trigger_fatal("`ssl_install': crash or other nasty error detected", ["ssl_install"])
            [/usr/local/apnscp/lib/log_wrapper.php:50]
         1. fatal("`%s': crash or other nasty error detected", "ssl_install")
            [/usr/local/apnscp/lib/datastream.php:426]
[root@web5 ~]# cpcmd misc:cp-version
revision: daed3b8350b3ae48d5899d298a3c7d5439b05198
timestamp: 1753317801
ver_maj: 3
ver_min: 2
ver_patch: 48
ver_pre: ''
dirty: false
debug: false

What’s the proper way to upcp now with mikeroetgers private stuff?

What’s reported in storage/logs/start.log?

There’s just a lot of these for me:

[Tue Jun 02 15:43:32 2026] WARN: cron problem on `Cgroup_Module': Opcenter\System\Cgroup\BaseController::readCounter(): Return value must be of type string, false returned
#0 /usr/local/apnscp/lib/Opcenter/System/Cgroup/v2/Controller.php(41): Opcenter\System\Cgroup\BaseController->readCounter('/sys/fs/cgroup/...', 'peak')
#1 /usr/local/apnscp/lib/Opcenter/System/Cgroup/Controllers/Memory.php(86): Opcenter\System\Cgroup\v2\Controller->readCounter('/sys/fs/cgroup/...', 'peak')
#2 /usr/local/apnscp/lib/Opcenter/System/Cgroup/BaseController.php(434): Opcenter\System\Cgroup\Controllers\Memory->readCounter('/sys/fs/cgroup/...', 'peak')
#3 /usr/local/apnscp/lib/Opcenter/System/Cgroup/v2/Controllers/Memory.php(59): Opcenter\System\Cgroup\BaseController->read('memory.peak', 'peak')
#4 /usr/local/apnscp/lib/Opcenter/System/Cgroup/BaseController.php(371): Opcenter\System\Cgroup\v2\Controllers\Memory->read('memory.peak', 'peak')
#5 /usr/local/apnscp/lib/Opcenter/System/Cgroup/Controllers/Memory.php(96): Opcenter\System\Cgroup\BaseController->readMetrics(Array)
#6 /usr/local/apnscp/lib/modules/cgroup.php(521): Opcenter\System\Cgroup\Controllers\Memory->readMetrics(Array)
#7 /usr/local/apnscp/lib/lservicelib.pht(723): Cgroup_Module->_cron(Object(Cronus))
#8 /usr/local/apnscp/lib/lservicelib.pht(488): ListenerService\Daemon->do_cron()
#9 /usr/local/apnscp/lib/lservicelib.pht(317): ListenerService\Daemon->initHousekeeper()
#10 /usr/local/apnscp/lib/lservicelib.pht(170): ListenerService\Daemon->start()
#11 /usr/local/apnscp/lib/lservicelib.pht(1466): ListenerService\Daemon->__construct()
#12 /usr/local/apnscp/lib/lservice.php(28): ListenerService\Daemon::init()
#13 {main}
[root@web5 ~]# grep -m1 -B20 ssl /usr/local/apnscp/storage/logs/start.log
#10 /usr/local/apnscp/lib/lservicelib.pht(1466): ListenerService\Daemon->__construct()
#11 /usr/local/apnscp/lib/lservice.php(28): ListenerService\Daemon::init()
#12 {main}
DEBUG  : SUCCESS! SSL challenge response: domain2.it (http) - VALID
[Tue Jun 02 00:29:41 2026] [last message repeated 3599 times]
[Tue Jun 02 00:29:41 2026] EXCEPTION: Class "MikeRoetgers\DependencyGraph\DependencyManager" not found
[/usr/local/apnscp/lib/Opcenter/Service/ModulePriority.php:77]


         0B. Opcenter\Service\ModulePriority->score()
            [/usr/local/apnscp/lib/Opcenter/Service/ModulePriority.php:57]
         1B. Opcenter\Service\ModulePriority->sort()
            [/usr/local/apnscp/lib/Opcenter/Service/ModulePriority.php:46]
         2B. Opcenter\Service\ModulePriority::prioritize(["aliases", "auth", "bandwidth", "billing", "crontab", "dns", "files", "ftp", "ipinfo", "ipinfo6", ])
            [/usr/local/apnscp/lib/Opcenter/SiteConfiguration.php:400]
         3B. Opcenter\SiteConfiguration::prioritizeAllModules()
            [/usr/local/apnscp/lib/Util/Account/Hooks.php:79]
         4B. Util_Account_Hooks->_process("reload", ["letsencrypt"])
            [/usr/local/apnscp/lib/Util/Account/Hooks.php:50]
         5B. Util_Account_Hooks->run("reload", ["letsencrypt"])
            [/usr/local/apnscp/lib/modules/ssl.php:338]

That reference was kicked out 5 months ago.

Hop on edge.

cpcmd scope:set cp.update-policy edge-major
upcp

I’m on edge and still have this SSL issue with servers talking to the API with a Gen Y cert. Is there a fix coming for that? Build in trust or ignore the chain issue?

Mine also logged like:

INFO   : Downloaded missing chain `http://ye2.i.lencr.org/'
INFO   : Downloaded missing chain `http://ye.i.lencr.org/'
...
ERROR  : DataStream::pipeline(): Ssl_Module::install(): chain not valid for certificate
         0. Error_Reporter::merge_buffer([[message:"Ssl_Module::install(): chain not valid for certificate", severity:16, caller:"Ssl_Module::install", bt:"         0B. Error_Reporter::add_error("chain not valid for certificate", )            [/usr/local/apnscp/lib/log_wrapper.php:72]         1B. error("chain not valid for certificate")            [/usr/local/apnscp/lib/modules/ssl.php:253]
         1. ...
...
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: DataStream::pipeline(): Ssl_Module::install(): chain not valid for certificate

API server needs to send “Root YE” cross-signed certificate in addition to the intermediate YE1 certificate. This PEM is:

-----BEGIN CERTIFICATE-----
MIICpjCCAiugAwIBAgIRAIchZfw0tuX7qK3Vs3BftTowCgYIKoZIzj0EAwMwTzEL
MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo
IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjYwNTEzMDAwMDAwWhcN
MzIwOTAyMjM1OTU5WjAuMQswCQYDVQQGEwJVUzENMAsGA1UEChMESVNSRzEQMA4G
A1UEAxMHUm9vdCBZRTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDwS/6vhrcVqcbBo
+wgdI3fwn9x7DNJJOY/lTOti0vkwuRN87RhEhTH17E7XyFjWsPYhIPt/wzOqxTd2
b+4ZJNy9ID04YywF9U5zasDVyGSNErVNtz8uSGh5izW87j77GaOB6zCB6DAOBgNV
HQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUo8gmWo6hTNA1Y/ybI8g6rlbzT1YwHwYDVR0jBBgwFoAUfEKW
rt5LSDv6kviejM9ti6lyN5UwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZo
dHRwOi8veDIuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcGA1Ud
HwQgMB4wHKAaoBiGFmh0dHA6Ly94Mi5jLmxlbmNyLm9yZy8wCgYIKoZIzj0EAwMD
aQAwZgIxAMU19WCtmxVND8UHBZRoma49Z7jPs64Dma0eTu1OChVbB/2J7GV3nvYK
Ax54uk1G9QIxAO0miLVJu8PLNiXXXkiE/gsK3CTRTF/aeo4bMX42Zw40csRU6AC2
6hSW1/IWaas6dg==
-----END CERTIFICATE-----

If that’s not in the bundle, you will encounter SSL verification errors for any client that connects to the server. This should be fixed in full now with the latest release I just shipped. cpcmd letsencrypt:renew to perform a reissue… if you get any errors on unknown authority then the bundle lacks the above-noted parent.

Fixed in edge. Give it another go.

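The failure discussed in this thread, reproduced offline as an added example that is not part of any post or of ApisCP's code: a client that trusts only the old root rejects the leaf unless the server's bundle carries both the issuing CA and the cross-signed new root. The "Lab ..." names, `api.example.test` and the function names are constructed stand-ins for ISRG Root X2, the cross-signed Root YE, YE1 and the leaf; the script assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; these are NOT Let's Encrypt's certificates or names.
#   Lab Old Root    (the only root in the client's trust store)
#    -> Lab New Root   (cross-signed by Old Root; the server must send it)
#     -> Lab Issuing CA (the server must send it)
#      -> api.example.test (leaf)

# issue NAME CN EXTFILE [ISSUER]: create NAME.key and NAME.csr, then sign the CSR
# with ISSUER's key, or self-sign when ISSUER is omitted. Uses the current directory.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1 || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 30 -out "$1.pem" >/dev/null 2>&1
  fi
}

# build_lab DIR: generate the hierarchy and two candidate server bundles in DIR.
build_lab() {
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > leaf.ext
    issue old_root "Lab Old Root"     ca.ext            || exit 1
    issue new_root "Lab New Root"     ca.ext   old_root || exit 1  # the cross-sign
    issue issuing  "Lab Issuing CA"   ca.ext   new_root || exit 1
    issue leaf     "api.example.test" leaf.ext issuing  || exit 1
    cat issuing.pem              > bundle_incomplete.pem  # cross-sign left out
    cat issuing.pem new_root.pem > bundle_complete.pem    # cross-sign included
  )
}

# verify_leaf DIR [BUNDLE]: succeed only if the leaf chains to Old Root when the
# server supplies BUNDLE as its (untrusted) intermediates.
verify_leaf() {
  openssl verify -CAfile "$1/old_root.pem" ${2:+-untrusted "$1/$2"} \
    "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# chain_links FILE: list subject and issuer of each certificate in a PEM bundle,
# in file order, to check that every issuer is the next certificate's subject.
chain_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout | grep -E '^(subject|issuer)='
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
build_lab "$LAB"
for bundle in "" bundle_incomplete.pem bundle_complete.pem; do
  if verify_leaf "$LAB" "$bundle"; then result=OK; else result=FAIL; fi
  printf '%-24s %s\n' "${bundle:-(leaf only)}" "$result"
done
chain_links "$LAB/bundle_complete.pem"
```

Only `bundle_complete.pem` verifies; the other two rows fail because the path to the trusted root cannot be built without the cross-signed certificate.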

One follow-on for anyone whose certs were already issued from the Gen-Y hierarchy (anything issued after the May-13 default-profile switch): letsencrypt:renew refuses them, so the fixed chain never gets applied. On a site whose installed cert is YE1/YE2/YR2:

# cpcmd -d <site> letsencrypt:renew
WARNING: Module\Support\Letsencrypt::getSanFromCertificate(): Rejecting certificate.
         Authority fingerprint `BB:20:CA:47:0B:FE:D7:E5:9C:F9:8F:09:2A:A3:8C:37:45:B1:BC:D8'
         does not match acceptable values
WARNING: Letsencrypt_Module::renew(): Certificate is not Let's Encrypt

getSanFromCertificate() reads the current cert to recover its SAN set, but the authority-fingerprint allowlist it validates against doesn’t include the Gen-Y intermediates — so renew decides the cert “is not Let’s Encrypt” and aborts. It works fine for hosts whose existing cert is still pre-Gen-Y (E-/R-series); it only trips when the installed cert is itself already Gen-Y.

Workaround: issue a fresh order instead of renewing — it bypasses the renew-side authority check and pulls the corrected chain:

cpcmd -d <site> letsencrypt:request '[example.com,*.example.com]'
# panel / server cert:
cpcmd letsencrypt:request '[<hostname>]'

I’ve added support for direct reissue of any certificates issued by YE1 that lack the YR cross-sign certificate.

Run upcp then cpcmd -d siteXX letsencrypt:renew for any affected account.