AutoSSL cPanel Certificates Failing With NGINX Reverse Proxy

Mar 30, 2020
cPanel Access Level: Root Administrator

Hi cPanel Community,

I am having some trouble with AutoSSL cPanel certificates using NGINX as a reverse proxy.

Firstly, using the below include file:

Code:
if ($scheme = http) {
    return 301 https://$host$request_uri;
}

server_name example.com www.example.com;

location / {

    proxy_pass http://192.168.0.1:8080;
    proxy_http_version  1.1;
    proxy_cache_bypass  $http_upgrade;

    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

}

I get the following error for the domain when running AutoSSL:

DNS DCV: The DNS query to “_cpanel-dcv-test-record.novasec.co.za” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=OqvRoqrufUhwz2ZW0UD1KtLZlOO2VzXkDVkHoENuGjFzI8koWTeSGfNA3p6Gy_5b”.; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.
As it turns out, AutoSSL won’t run with the above return 301 https://$host$request_uri; redirection configured, which I had to use as Force HTTPS Redirect also doesn’t work with NGINX. This means that I will have to disable redirection every time a certificate has to be renewed.

Secondly, AutoSSL also fails for service subdomains when using NGINX with the following error:

DNS DCV: The DNS query to “_cpanel-dcv-test-record.novacloudsa.co.za” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=PYUV2b4zl7IsvBrt4oJZDLr8H6g68_fAfA0AZBu7bUBO6VdrszW9zGMIOk30y7WD”.; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at “http://cpanel.domain.co.za/.well-known/pki-validation/6AB7F975E4807393A97577BF7770B414.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://cpanel.domain.co.za/.well-known/pki-validation/6AB7F975E4807393A97577BF7770B414.txt” because of an error: (XID hnpasa) The response exceeded the maximum length (16 KB). (<!DOCTYPE html><html lang="en" dir="ltr"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> …) at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 657..
I’m really hoping to get the above issues resolved, as I have been unsuccessful in reverse proxying our ZKTeco ZKBioSecurity servers using Apache. It breaks the WebUI completely for some reason.

With PowerDNS working as a recursor, this is the only outstanding requirement to start using cPanel as a full-fledged web hosting server.
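The two HTTP DCV failures quoted in the post (a redirect on the validation URL, and a response over 16 KB that is really an HTML page) can be checked from outside before AutoSSL runs. The script below is an added example, not part of the original post and not cPanel code; the function names, the reading of 16 KB as 16384 bytes, and the leading-`<` HTML heuristic are assumptions.

```python
import http.client
from urllib.parse import urlsplit

MAX_DCV_BYTES = 16 * 1024  # "maximum length (16 KB)" from the error; exact byte count assumed


def classify_dcv_response(status, headers, body):
    """Return the reasons HTTP DCV would reject this response; empty list means OK."""
    problems = []
    if 300 <= status < 400:
        # The validator forbids redirects, so any 3xx on the DCV path is fatal.
        problems.append(f"redirect: {status} -> {headers.get('location', '<none>')}")
    elif status != 200:
        problems.append(f"status: {status}")
    if len(body) > MAX_DCV_BYTES:
        problems.append("too-large: body exceeds 16 KB")
    if body.lstrip()[:1] == b"<":
        # Heuristic: a proxied application page was served instead of the DCV file.
        problems.append("html: body looks like a web page, not a DCV file")
    return problems


def fetch_without_redirects(url, timeout=10):
    """GET url over plain HTTP. http.client never follows redirects on its own."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read(MAX_DCV_BYTES + 1)  # one byte past the limit is enough to tell
        return resp.status, headers, body
    finally:
        conn.close()


# Constructed sample responses (not captured traffic) mirroring the two errors in the post.
SAMPLE_REDIRECT = (301, {"location": "https://example.com/.well-known/pki-validation/X.txt"}, b"")
SAMPLE_PROXIED_PAGE = (200, {}, b"<!DOCTYPE html><html>" + b"x" * 20000)
SAMPLE_GOOD = (200, {}, b"constructed-dcv-token\n")

if __name__ == "__main__":
    import sys
    found = classify_dcv_response(*fetch_without_redirects(sys.argv[1]))
    print("\n".join(found) or "OK: plain 200, no redirect, within 16 KB")
```

Run it with the full `http://` URL of a file under `/.well-known/pki-validation/` on the proxied host name; any line other than `OK` names a condition the validator would reject.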