AutoSSL and an external WAF

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
cPanel & WHM v104.0.4
J

j.burbidge

Member
Apr 27, 2020
5
0
1
UK
cPanel Access Level
Root Administrator
Hi

We use WHM/cPanel on our server but have an issue with AutoSSL for a domain that's using an external WAF. It's not Cloudflare, but one provided by the customer.

When I try to renew the SSL, I get the following warnings:

WARN Local HTTP DCV error (mywebsite.co.uk): The content “<!DOCTYPE html> <html><head> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Expires" content="-1"/> <meta …” of the DCV (Domain Control Validation) file, as accessed at “http://mywebsite.co.uk/.well-known/pki-validation/F594D4BC942B5BB0F23B12C2A5E8A6EE.txt”, did not match the expected value.
The domain “mywebsite.co.uk” resolved to an IP address “xxx.xxx.xxx.xxx” that does not exist on this server.

I can confirm that the a file added to http://www.mywebsite.co.uk/.well-known/pki-validation/F594D4BC942B5BB0F23B12C2A5E8A6EE.txt can be accessed without HTTPS.
And I'm aware that the domain resolves to an IP address the is not the server - it goes via the WAF.

So, does anyone know how I can re-generate the SSL?

Thanks
 
cPanelWilliam

cPanelWilliam

Administrator
Staff member
Mar 13, 2018
161
23
93
Houston
cPanel Access Level
Root Administrator
Hello,

I believe in this case the main error that is causing the failure is the following:

Code: 
WARN Local HTTP DCV error (mywebsite.co.uk): The content “<!DOCTYPE html> <html><head> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Expires" content="-1"/> <meta …” of the DCV (Domain Control Validation) file, as accessed at “http://mywebsite.co.uk/.well-known/pki-validation/F594D4BC942B5BB0F23B12C2A5E8A6EE.txt”, did not match the expected value.
In short, the server is not receiving the expected response when querying the DCV file. This could indicate the request is getting blocked by something such as a .htaccess directive or could be blocked by the WAF. I would recommend checking the domain's access logs and the Apache error log to see if the DCV requests are properly making it to the server without getting blocked by a .htaccess directive or something similar. If the logs do not help to clarify what is happening, I would suggest opening a ticket so our team could take a closer look.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
S AutoSSL cron run time(s) Security 7
A AutoSSL - Switch from Sectigo to Let's Encrypt Security 3
C AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server Security 5
D SOLVED AutoSSL domain control validation on external server Security 1
M SOLVED autossl certs - not verifying for external sites, but fine in browser? Security 1
Similar threads
AutoSSL cron run time(s)
AutoSSL - Switch from Sectigo to Let's Encrypt
AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server
SOLVED AutoSSL domain control validation on external server
SOLVED autossl certs - not verifying for external sites, but fine in browser?
Top Bottom