SOLVED Auto SSL check, .htaccess, html code in error_log

[bloatedstoat]

Hello,

When the auto_ssl check feature runs we see the entire html content of the checked website's index page in /usr/local/cpanel/logs/error_log.

[2017-05-23 02:46:24 +1000] warn [autossl_check] XID msy4r8: expected "PRzM1XibvHUSt6OolQi6lJJjOPmoocM4lvMXc23Pf_xG8rxS9LNnKgWLbfIvc7zX"  from "http://www.ourdomain.com/83AE6615768A10553BE43D6A3FCC8E8B.txt", received
   
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> ........ "

I suspect this is likely due to the following rewrite in our .htaccess file:

<Files .htaccess>
deny from all
</Files>
RewriteEngine on
RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

From what I've read the .htaccess file is modified prior to the check, however in some cases domains on our server consistently produce the above.

Anything we can do to address this ourselves?

[Edit: We are running cPanel & WHM 64.0 (build 22) CloudLinux]

Thanks.

 

[24x7server]

Hi,

You have to make sure that the TXT file should be accessible through web browser and then only the AutoSSL will verify the existence of account on the server to generate the SSL request.
ourdomain.com/83AE6615768A10553BE43D6A3FCC8E8B.txt

If you are not able to browse the above URL with txt extension, then you have to check what rule of in the .htaccess if causing it to not work..

 

[cPanelMichael]

Hello,

It's the redirect of the TXT files that is resulting in the AutoSSL validation error. Does your website utilize .txt files, or are you able to remove that file extension from your rewrite rule?

Thank you.

 

[bloatedstoat]

Thanks Michael, as I understand it when a visitor hits this website the .htaccess rules only allow access to the index.php file, js, css, images and cgi-bin directories and the robots.txt file.

Anything other than that and the index page is shown. One would under normal circumstances expect a 404 but in this scenario the html output of the index page is served up and that's what is appearing in the logs as the error.

RewriteEngine on
RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

If the .txt file that the Auto SSL feature checks was static we could amend this user's .htaccess file to allow access thus:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|css|images|cgi-bin|robots\.txt|83AE6615768A10553BE43D6A3FCC8E8B\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

The check would then serve up the file and the contents could be verified - but it isn't, it's dynamic.

Any other workaround?

Thanks.

 

[bloatedstoat]

Hello again, so this has escalated slightly.

We're now trying to set up an SSL certificate for a website for our client via "Purchase and Install an SSL certificate" in WHM.

1) Select "Purchase and Install an SSL Certificate" in WHM
2) Select domain name - ourdomain.com.
3) Button appears with "Go to CPanel", once clicked "Continue as User and Purchase SSL" certificate mini-modal appears.
4) Click on that and new window opens with list of options of which domains and sub-domains to secure.
5) Check option for base domain ourdomain.com.
6) Alert modal appears with:

Resolution Failed “The system queried for a temporary file at “http://ourdomain.com/339BBA831B4EB219229185BB254A34A1.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.”

The check is hunting for the temp text file 339BBA831B4EB219229185BB254A34A1.txt and getting a 404 because of the .htaccess rules. I tried adding the following to the .htaccess file but it still fails:

<FilesMatch "\.(txt)$">
  Order Deny,Allow
  Allow from all
</FilesMatch>

If I totally remove the following from the .htaccess I can get it to find the temp text file but the issue will remain with the auto-ssl check once it's placed back in, without the lines below the website never goes to any other page other than the index.

RewriteEngine on
RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
RewriteRule ^(.*)$ /index.php/$1 [L]

Cheers.

 

[cPanelMichael]

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

Thank you.

 

[24x7server]

Hi,

This is how the AutoSSL works, it places a txt file in the document root and then send in the certificate request to the CA and then CA validates it through this txt file and then it issues a certificate..

Whenever you want to issue a certificate, make sure the txt file it is going to place must be accessible over the browser and if does not, SSL will not be validated and issued..
ourdomain.com/339BBA831B4EB219229185BB254A34A1.txt

If the htaccess rules restricts it, you should alter it and make sure the txt file is able to be seen, whatever it may have is created..

 

[bloatedstoat]

Support ticket opened: 8565865

 

[bloatedstoat]

Brian Dial of cPanel support sorted this out with the addition of two lines in the .htaccess file.

Changed this:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
RewriteRule ^(.*)$ /index.php/$1 [L]

to this:

RewriteEngine on
RewriteCond $1 !^(index\.php|js|media|images|css|fonts|sitemap\.xml|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ /index.php/$1 [L]

If we still see the errors post-update of the .htaccess when Auto-SSL runs again I'll let you know, but if all is well others may find this solution helpful.

 

[bloatedstoat]

One final thing with this.
There is no issue with the fix for sites hosted on our servers, seems to be working as hoped for.
However; in some circumstances we only host email accounts on our servers with websites hosted remotely with other companies.
The Auto-SSL check is checking websites that are not hosted with us and causing errors to be logged on our server.

 

[cPanelMichael]

The Auto-SSL check is checking websites that are not hosted with us and causing errors to be logged on our server.

You can disable the AutoSSL feature for these accounts by editing the feature list associated with the packages assigned to these accounts, or by manually disabling AutoSSL for each account that's not hosted on the cPanel server via "WHM >> Manage AutoSSL".

Thank you.