SOLVED Auto SSL check, .htaccess, html code in error_log

Hello,

When the auto_ssl check feature runs we see the entire html content of the checked website's index page in /usr/local/cpanel/logs/error_log.

Code:

[2017-05-23 02:46:24 +1000] warn [autossl_check] XID msy4r8: expected "PRzM1XibvHUSt6OolQi6lJJjOPmoocM4lvMXc23Pf_xG8rxS9LNnKgWLbfIvc7zX"  from "http://www.ourdomain.com/83AE6615768A10553BE43D6A3FCC8E8B.txt", received
   
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> ........ "

I suspect this is likely due to the following rewrite in our .htaccess file:

Code:

<Files .htaccess>
deny from all
</Files>
RewriteEngine on
RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

From what I've read the .htaccess file is modified prior to the check, however in some cases domains on our server consistently produce the above.

Anything we can do to address this ourselves?

[Edit: We are running cPanel & WHM 64.0 (build 22) CloudLinux]

Thanks.

 

Thanks Michael, as I understand it when a visitor hits this website the .htaccess rules only allow access to the index.php file, js, css, images and cgi-bin directories and the robots.txt file.

Anything other than that and the index page is shown. One would under normal circumstances expect a 404 but in this scenario the html output of the index page is served up and that's what is appearing in the logs as the error.

Code:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

If the .txt file that the Auto SSL feature checks was static we could amend this user's .htaccess file to allow access thus:

Code:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt|83AE6615768A10553BE43D6A3FCC8E8B\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

The check would then serve up the file and the contents could be verified - but it isn't, it's dynamic.

Any other workaround?

Thanks.

 

Hello again, so this has escalated slightly.

We're now trying to set up an SSL certificate for a website for our client via "Purchase and Install an SSL certificate" in WHM.

1) Select "Purchase and Install an SSL Certificate" in WHM
2) Select domain name - ourdomain.com.
3) Button appears with "Go to CPanel", once clicked "Continue as User and Purchase SSL" certificate mini-modal appears.
4) Click on that and new window opens with list of options of which domains and sub-domains to secure.
5) Check option for base domain ourdomain.com.
6) Alert modal appears with:

Code:

Resolution Failed “The system queried for a temporary file at “http://ourdomain.com/339BBA831B4EB219229185BB254A34A1.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.”

The check is hunting for the temp text file 339BBA831B4EB219229185BB254A34A1.txt and getting a 404 because of the .htaccess rules. I tried adding the following to the .htaccess file but it still fails:

Code:

<FilesMatch "\.(txt)$">
  Order Deny,Allow
  Allow from all
</FilesMatch>

If I totally remove the following from the .htaccess I can get it to find the temp text file but the issue will remain with the auto-ssl check once it's placed back in, without the lines below the website never goes to any other page other than the index.

Code:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
RewriteRule ^(.*)$ /index.php/$1 [L]

Cheers.

 

Support ticket opened: 8565865

 

Brian Dial of cPanel support sorted this out with the addition of two lines in the .htaccess file.

Changed this:

Code:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
RewriteRule ^(.*)$ /index.php/$1 [L]

to this:

Code:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ /index.php/$1 [L]

If we still see the errors post-update of the .htaccess when Auto-SSL runs again I'll let you know, but if all is well others may find this solution helpful.

 

One final thing with this.
There is no issue with the fix for sites hosted on our servers, seems to be working as hoped for.
However; in some circumstances we only host email accounts on our servers with websites hosted remotely with other companies.
The Auto-SSL check is checking websites that are not hosted with us and causing errors to be logged on our server.