SOLVED Auto SSL check, .htaccess, html code in error_log

Discussion in 'Security' started by bloatedstoat, May 22, 2017.

  1. bloatedstoat

    bloatedstoat Well-Known Member

    Joined:
    Jun 14, 2012
    Messages:
    98
    Likes Received:
    8
    Trophy Points:
    8
    Location:
    Victoria, Australia
    cPanel Access Level:
    Root Administrator
    Hello,

    When the auto_ssl check feature runs we see the entire html content of the checked website's index page in /usr/local/cpanel/logs/error_log.

    Code:
    [2017-05-23 02:46:24 +1000] warn [autossl_check] XID msy4r8: expected "PRzM1XibvHUSt6OolQi6lJJjOPmoocM4lvMXc23Pf_xG8rxS9LNnKgWLbfIvc7zX"  from "http://www.ourdomain.com/83AE6615768A10553BE43D6A3FCC8E8B.txt", received
       
    "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head> ........ "
    
    I suspect this is likely due to the following rewrite in our .htaccess file:

    Code:
    <Files .htaccess>
    deny from all
    </Files>
    RewriteEngine on
    RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt)
    RewriteRule ^(.*)$ /index.php/$1 [L]
    
    From what I've read the .htaccess file is modified prior to the check, however in some cases domains on our server consistently produce the above.

    Anything we can do to address this ourselves?

    [Edit: We are running cPanel & WHM 64.0 (build 22) CloudLinux]

    Thanks.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,405
    Likes Received:
    53
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    You have to make sure that the TXT file is accessible through a web browser; only then will AutoSSL verify the existence of the account on the server to generate the SSL request.
    ourdomain.com/83AE6615768A10553BE43D6A3FCC8E8B.txt

    If you are not able to browse the above URL with the txt extension, then you have to check which rule in the .htaccess is causing it to not work.
     
    #2 24x7server, May 23, 2017
    Last edited by a moderator: May 24, 2017
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,094
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's the redirect of the TXT files that is resulting in the AutoSSL validation error. Does your website utilize .txt files, or are you able to remove that file extension from your rewrite rule?

    Thank you.
     
  4. bloatedstoat

    bloatedstoat Well-Known Member

    Thanks Michael, as I understand it when a visitor hits this website the .htaccess rules only allow access to the index.php file, js, css, images and cgi-bin directories and the robots.txt file.

    Anything other than that and the index page is shown. One would under normal circumstances expect a 404 but in this scenario the html output of the index page is served up and that's what is appearing in the logs as the error.

    Code:
    RewriteEngine on
    RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt)
    RewriteRule ^(.*)$ /index.php/$1 [L]
    
    If the .txt file that the Auto SSL feature checks was static we could amend this user's .htaccess file to allow access thus:

    Code:
    RewriteEngine on
    RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt|83AE6615768A10553BE43D6A3FCC8E8B\.txt)
    RewriteRule ^(.*)$ /index.php/$1 [L]
    
    The check would then serve up the file and the contents could be verified - but it isn't, it's dynamic.

    Any other workaround?

    Thanks.
     
  5. bloatedstoat

    bloatedstoat Well-Known Member

    Hello again, so this has escalated slightly.

    We're now trying to set up an SSL certificate for a website for our client via "Purchase and Install an SSL certificate" in WHM.

    1) Select "Purchase and Install an SSL Certificate" in WHM
    2) Select domain name - ourdomain.com.
    3) Button appears with "Go to CPanel", once clicked "Continue as User and Purchase SSL" certificate mini-modal appears.
    4) Click on that and new window opens with list of options of which domains and sub-domains to secure.
    5) Check option for base domain ourdomain.com.
    6) Alert modal appears with:
    Code:
    Resolution Failed “The system queried for a temporary file at “http://ourdomain.com/339BBA831B4EB219229185BB254A34A1.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.”
    
    The check is hunting for the temp text file 339BBA831B4EB219229185BB254A34A1.txt and getting a 404 because of the .htaccess rules. I tried adding the following to the .htaccess file but it still fails:

    Code:
    <FilesMatch "\.(txt)$">
      Order Deny,Allow
      Allow from all
    </FilesMatch>
    
    If I totally remove the following from the .htaccess I can get it to find the temp text file, but the issue will remain with the auto-ssl check once it's placed back in. Without the lines below the website never goes to any other page other than the index.

    Code:
    RewriteEngine on
    RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
    RewriteRule ^(.*)$ /index.php/$1 [L]
    
    Cheers.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
  7. 24x7server

    24x7server Well-Known Member

    Hi,

    This is how AutoSSL works: it places a txt file in the document root and then sends the certificate request to the CA, the CA validates it through this txt file, and then it issues a certificate.

    Whenever you want to issue a certificate, make sure the txt file it is going to place is accessible over the browser; if it is not, the SSL will not be validated and issued.
    ourdomain.com/339BBA831B4EB219229185BB254A34A1.txt

    If the htaccess rules restrict it, you should alter them and make sure the txt file is able to be seen, whatever it may have is created.
     
    #7 24x7server, Jun 2, 2017
    Last edited by a moderator: Jun 2, 2017
  8. bloatedstoat

    bloatedstoat Well-Known Member

    Support ticket opened: 8565865
     
  9. bloatedstoat

    bloatedstoat Well-Known Member

    Brian Dial of cPanel support sorted this out with the addition of two lines in the .htaccess file.

    Changed this:

    Code:
    RewriteEngine on
    RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
    RewriteRule ^(.*)$ /index.php/$1 [L]
    
    to this:

    Code:
    RewriteEngine on
    RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^(.*)$ /index.php/$1 [L]
    
    If we still see the errors post-update of the .htaccess when Auto-SSL runs again I'll let you know, but if all is well others may find this solution helpful.
     
    cPanelMichael likes this.
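
An added example, not part of the original thread and not cPanel's code: a small Python model of the three negated RewriteCond patterns from the fixed .htaccess above, run over constructed request paths. It goes slightly beyond the post by testing near-miss names, to show that only root-level DCV file names bypass the front controller while other .txt requests are still rewritten; the `route` and `classify` helpers and the sample paths are assumptions made for illustration.

```python
import re

# The three negated RewriteCond patterns from the fixed .htaccess in the post
# above. The rewrite to /index.php fires only when none of them matches.
ALLOW_PREFIX = re.compile(
    r"^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)"
)
DCV_CPANEL = re.compile(r"^/[0-9]+\..+\.cpaneldcv$")
DCV_TXT = re.compile(r"^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$")


def route(request_uri):
    """Return 'direct' if the file is served as-is, 'rewrite' if sent to index.php."""
    # In .htaccess context the RewriteRule pattern sees the path without its
    # leading slash, so $1 is the whole path minus that slash.
    dollar_1 = request_uri[1:] if request_uri.startswith("/") else request_uri
    if ALLOW_PREFIX.search(dollar_1):
        return "direct"
    # %{REQUEST_URI} keeps the leading slash; both DCV patterns are anchored
    # to the document root and are case-sensitive (no [NC] flag).
    if DCV_CPANEL.search(request_uri) or DCV_TXT.search(request_uri):
        return "direct"
    return "rewrite"


# Constructed request paths; the two 32-hex names are the ones in the thread.
SAMPLES = [
    "/83AE6615768A10553BE43D6A3FCC8E8B.txt",         # AutoSSL check file
    "/339BBA831B4EB219229185BB254A34A1.txt",         # purchased-cert check file
    "/1496300000.abcdef.cpaneldcv",                  # constructed .cpaneldcv name
    "/339bba831b4eb219229185bb254a34a1.txt",         # lowercase hex: not exempt
    "/339BBA831B4EB219229185BB254A34A.txt",          # 31 hex chars: not exempt
    "/private/339BBA831B4EB219229185BB254A34A1.txt", # not at document root
    "/notes.txt",                                    # ordinary .txt: still rewritten
    "/robots.txt",                                   # already allowed by first cond
    "/about/team",                                   # normal front-controller URL
]


def classify(paths=SAMPLES):
    """Map each sample path to its routing decision."""
    return {p: route(p) for p in paths}


if __name__ == "__main__":
    for path, result in classify().items():
        print(f"{result:8} {path}")
```

Running the same paths through the original rule set (without the two DCV conditions) sends every one of the first three to index.php, which is the HTML body seen in the error_log.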
  10. bloatedstoat

    bloatedstoat Well-Known Member

    One final thing with this.
    There is no issue with the fix for sites hosted on our servers; it seems to be working as hoped for.
    However, in some circumstances we only host email accounts on our servers with websites hosted remotely with other companies.
    The Auto-SSL check is checking websites that are not hosted with us and causing errors to be logged on our server.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can disable the AutoSSL feature for these accounts by editing the feature list associated with the packages assigned to these accounts, or by manually disabling AutoSSL for each account that's not hosted on the cPanel server via "WHM >> Manage AutoSSL".

    Thank you.
     
    bloatedstoat likes this.