AutoSSL and an external WAF

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
cPanel & WHM v104.0.4

j.burbidge

Member
cPanel Access Level
Root Administrator
Hi

We use WHM/cPanel on our server but have an issue with AutoSSL for a domain that's using an external WAF. It's not Cloudflare, but one provided by the customer.

When I try to renew the SSL, I get the following warnings:

WARN Local HTTP DCV error (mywebsite.co.uk): The content “<!DOCTYPE html> <html><head> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Expires" content="-1"/> <meta …” of the DCV (Domain Control Validation) file, as accessed at “http://mywebsite.co.uk/.well-known/pki-validation/F594D4BC942B5BB0F23B12C2A5E8A6EE.txt”, did not match the expected value.
The domain “mywebsite.co.uk” resolved to an IP address “xxx.xxx.xxx.xxx” that does not exist on this server.

I can confirm that a file added to http://www.mywebsite.co.uk/.well-known/pki-validation/F594D4BC942B5BB0F23B12C2A5E8A6EE.txt can be accessed without HTTPS.
And I'm aware that the domain resolves to an IP address that is not the server - it goes via the WAF.

So, does anyone know how I can re-generate the SSL?

Thanks
 

cPanelWilliam

Administrator
Staff member
cPanel Access Level
Root Administrator
Hello,

I believe in this case the main error that is causing the failure is the following:

Code:
WARN Local HTTP DCV error (mywebsite.co.uk): The content “<!DOCTYPE html> <html><head> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Expires" content="-1"/> <meta …” of the DCV (Domain Control Validation) file, as accessed at “http://mywebsite.co.uk/.well-known/pki-validation/F594D4BC942B5BB0F23B12C2A5E8A6EE.txt”, did not match the expected value.
In short, the server is not receiving the expected response when querying the DCV file. This could indicate the request is getting blocked by something such as a .htaccess directive or could be blocked by the WAF. I would recommend checking the domain's access logs and the Apache error log to see if the DCV requests are properly making it to the server without getting blocked by a .htaccess directive or something similar. If the logs do not help to clarify what is happening, I would suggest opening a ticket so our team could take a closer look.
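
The access-log check suggested in the reply above, as an added example that is not part of the original thread and not cPanel's own tooling: it scans Apache combined-format lines for requests under `/.well-known/pki-validation/` and reports how the origin answered each one. The sample lines, IP addresses, file names and user agent are constructed; an empty result means no DCV request reached the server at all.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
# Prefix taken from the URL in the AutoSSL warning.
DCV_PREFIX = "/.well-known/pki-validation/"

def classify(status):
    """Map the origin's response code to what it suggests for HTTP DCV."""
    if status == 200:
        return "served"      # origin answered 200 for the DCV path
    if status in (301, 302, 307, 308):
        return "redirected"  # e.g. a rewrite rule forcing HTTPS or www
    if status in (401, 403):
        return "blocked"     # denied at the origin (.htaccess or similar)
    if status == 404:
        return "missing"
    return "other"

def dcv_requests(lines):
    """Return one dict per access-log line that requests a DCV file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(DCV_PREFIX):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "path": m["path"], "status": status,
                     "agent": m["agent"] or "", "verdict": classify(status)})
    return hits

def summarize(lines):
    """Count verdicts; an empty Counter means no DCV request reached this server."""
    return Counter(h["verdict"] for h in dcv_requests(lines))

# Constructed sample lines: documentation IPs, made-up file names and user agent.
SAMPLE = [
    '203.0.113.10 - - [01/Jan/2023:10:00:01 +0000] "GET /.well-known/pki-validation/EXAMPLE1.txt HTTP/1.1" 200 64 "-" "example-agent"',
    '203.0.113.10 - - [01/Jan/2023:10:00:02 +0000] "GET /.well-known/pki-validation/EXAMPLE2.txt HTTP/1.1" 403 199 "-" "example-agent"',
    '198.51.100.7 - - [01/Jan/2023:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Jan/2023:10:00:04 +0000] "GET /.well-known/pki-validation/EXAMPLE3.txt HTTP/1.1" 301 230 "-" "example-agent"',
]
if __name__ == "__main__":
    for hit in dcv_requests(SAMPLE):
        print(hit["ip"], hit["status"], hit["verdict"], hit["path"])
```

If every DCV request shows as "served" while AutoSSL still reports an HTML body, the client IP column shows whether those requests arrived via the WAF, which is where the response is being replaced.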