AUTO SSL error: size of response body exceeds

acpro

Hi.

I had to set chattr in "public_html" in some domains weeks ago, so cPanel was unable to create new ssl TXT files.

WARN The domain “website.com” failed domain control validation: The system failed to create the directory “/home/website/public_html/.well-known” because of an error: Permission denied
Today I removed chattr from public_html and tried to renew the SSL certificates, but I'm having this error:



Code:
This system has AutoSSL set to use “cPanel (powered by Comodo)”.
Checking websites for “website” …
The website “website.com”, owned by “website”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “cpanel.website.com”, “webmail.website.com”, and “webdisk.website.com”. The system will attempt to replace this certificate with one that includes these additional domains.
The domain “cpanel.website.com” failed domain control validation: The system failed to fetch the DCV (Domain Control Validation) file at “http://cpanel.website.com/.well-known/pki-validation/7D3DEB83740BCC1196057375FD29C066.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://cpanel.website.com/.well-known/pki-validation/7D3DEB83740BCC1196057375FD29C066.txt” because of an error: Size of response body exceeds the maximum allowed of 16384
.
The domain “webmail.website.com” failed domain control validation: The system failed to fetch the DCV (Domain Control Validation) file at “http://webmail.website.com/.well-known/pki-validation/0CE820DCC8F40124767D1F3E4E9687C0.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://webmail.website.com/.well-known/pki-validation/0CE820DCC8F40124767D1F3E4E9687C0.txt” because of an error: Size of response body exceeds the maximum allowed of 16384
.
The domain “webdisk.website.com” failed domain control validation: The system queried for a temporary file at “http://webdisk.website.com/.well-known/pki-validation/8AEC32147A47FA80E2264501A6E8FCEE.txt”, but the web server responded with the following error: 401 (Unauthorized). A DNS (Domain Name System) or web server misconfiguration may exist.
AutoSSL cannot add any new domains to SSL coverage for the website “website.com”.
The system has completed the AutoSSL check for “website”.
How can I fix this? (chattr is removed and the folder is writable).
 

cPanelMichael

Hello,

Do you have any redirect rules configured for this domain name? The error message suggests the request for the .TXT DCV file was redirected to another file, and the request was blocked because the size of the response body exceeded the 16-KiB limit.

Thank you.
 

quizknows

Can you check your Apache error log for ModSecurity messages regarding response body size? This is just a hunch, but you may need to enable larger response bodies on your own server. This only applies if SecResponseBodyAccess is enabled.

I could be completely wrong on this one though if the DCV system is setting that limit and not your server.
 

cPanelMichael

"I could be completely wrong on this one though if the DCV system is setting that limit and not your server."
Hi @quizknows,

The following case was implemented in cPanel 64.0.30:

Fixed case CPANEL-13902: Limit DCV responses to a sane (constant for now) size.

This was done to address instances where HTTP requests for DCV text files were redirected to other file types (e.g. MP3 streams) through custom rewrite rules, leading to AutoSSL exhausting the server's memory. This change doesn't fix whatever the customer is doing to redirect the request, but it adds a 16-KiB limit on DCV responses to prevent AutoSSL from potentially spooling large amounts of data and using excessive amounts of memory.

Thank you.
 
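The size cap described in the reply above, sketched as an added example (not cPanel's code and not part of the thread): a bounded read that gives up one byte past 16384 instead of spooling the body, plus a diagnostic that fetches a DCV URL without following redirects so a rewrite, a 401 or an oversized body is visible. The names `read_capped`, `classify`, `check_dcv_url` and the `/stream.mp3` target are assumptions made for illustration.

```python
import io
import urllib.error
import urllib.request

DCV_MAX_BODY = 16384  # the 16-KiB cap quoted in the AutoSSL error above


class BodyTooLarge(Exception):
    pass


def read_capped(stream, limit=DCV_MAX_BODY, chunk=4096):
    """Read a body, but stop as soon as it is one byte over `limit`,
    so an endless stream (e.g. audio) is never spooled into memory."""
    buf = bytearray()
    while True:
        data = stream.read(min(chunk, limit + 1 - len(buf)))
        if not data:
            return bytes(buf)
        buf += data
        if len(buf) > limit:
            raise BodyTooLarge(f"size of response body exceeds {limit}")


def classify(status, headers, stream):
    """Return (verdict, detail) for one HTTP response to a DCV request."""
    if 300 <= status < 400:
        return "redirect", headers.get("Location")
    if status != 200:
        return "http_error", status
    try:
        return "ok", len(read_capped(stream))
    except BodyTooLarge:
        return "oversized", DCV_MAX_BODY


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx instead of silently following it


def check_dcv_url(url):
    """Fetch `url` once, without following redirects, and classify it."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError carries the status, headers and body
    with resp:
        return classify(resp.code, resp.headers, resp)


if __name__ == "__main__":
    # Constructed responses, not captured from a real server.
    print(classify(200, {}, io.BytesIO(b"x" * 20000)))
    print(classify(302, {"Location": "/stream.mp3"}, io.BytesIO()))
```

Calling `check_dcv_url()` on one of the `.well-known/pki-validation/` URLs from the AutoSSL log, once with the front-end proxy enabled and once without, shows which layer changes the response.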

acpro

Hi.

Thanks for the answers, but no redirects are made in those domains.

But if I disable Engintron, the warnings are gone:

This system has AutoSSL set to use “cPanel (powered by Comodo)”.
Checking websites for "website" …
The website “website.com”, owned by "website", has a valid SSL certificate, but additional SSL coverage may be possible for the domains “cpanel.website.com”, “webmail.website.com”, and “webdisk.website.com”. The system will attempt to replace this certificate with one that includes these additional domains.
The system will attempt to renew SSL certificates for the following websites:
website.com (website.com www.website.com mail.website.com webmail.website.com cpanel.website.com webdisk.website.com)
The system has completed the AutoSSL check for "website".
Something related to Engintron?