
SOLVED AutoSSL DCV HTTP redirection error on reseller IPs

Discussion in 'Security' started by Stavro, Aug 7, 2018.

  1. Stavro

    Stavro Member

    Joined:
    Aug 5, 2018
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    On my main server IP, every domain can get certificates for every service subdomain (cpanel.example.com, etc). But my reseller accounts, and every sub-account, has DCV HTTP errors for every service subdomain.

    Here's the autoSSL log file for a reseller account:
    Code:
    Checking “example.com” …
     12:00:00 AM ERROR TLS Status: Defective
     ERROR Defect: NO_SSL: No SSL certificate is installed.
     12:00:00 AM Redirection #1 (webmail.example.com): http://webmail.example.com/.well-known/pki-validation/-----.txt → https://webmail.example.com/.well-known/pki-validation/-----.txt
     ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
     WARN Local DCV error (webmail.example.com): The system queried for a temporary file at “https://webmail.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://webmail.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     Redirection #1 (cpanel.example.com): http://cpanel.example.com/.well-known/pki-validation/-----.txt → https://cpanel.example.com/.well-known/pki-validation/-----.txt
     ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
     WARN Local DCV error (cpanel.example.com): The system queried for a temporary file at “https://cpanel.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://cpanel.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     Redirection #1 (whm.example.com): http://whm.example.com/.well-known/pki-validation/-----.txt → https://whm.example.com/.well-known/pki-validation/-----.txt
     ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
     WARN Local DCV error (whm.example.com): The system queried for a temporary file at “https://whm.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://whm.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     Redirection #1 (autodiscover.example.com): http://autodiscover.example.com/.well-known/pki-validation/-----.txt → https://autodiscover.example.com/.well-known/pki-validation/-----.txt
     ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
     WARN Local DCV error (autodiscover.example.com): The system queried for a temporary file at “https://autodiscover.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://autodiscover.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     Redirection #1 (webdisk.example.com): http://webdisk.example.com/.well-known/pki-validation/-----.txt → https://webdisk.example.com/.well-known/pki-validation/-----.txt
     ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
     WARN Local DCV error (webdisk.example.com): The system queried for a temporary file at “https://webdisk.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://webdisk.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     AutoSSL will request a new certificate.
     12:00:00 AM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com mail.example.com).
    
    And here's the log file for the same reseller account after moving it to my server's main IP:
    Code:
    Checking “example.com” …
     12:00:00 AM TLS Status: Incomplete
     Certificate expiry: 11/6/18, 12:00 AM UTC (90.58 days from now)
     Number of domains: 8
     Number of secured domains: 3
     12:00:00 AM AutoSSL will request a new certificate.
    As a temporary workaround I can move every account to my server IP, run AutoSSL, and move them back, but I cannot imagine this is working as intended.

    Comodo and LetsEncrypt give identical results, all domains are on the same server, and the IP reassignments are handled through cPanel, so I'm unsure what configuration error could be causing this.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Stavro

    While Comodo does support DCV redirection to https, it will not do so on a domain with an expired or invalid certificate. In this instance the certificate was not present initially:

    Code:
     12:00:00 AM ERROR TLS Status: Defective
     ERROR Defect: NO_SSL: No SSL certificate is installed.
    This isn't just for resellers though, and I find it odd that this is occurring only when you're using a specific IP address. Which version of cPanel was this occurring on? If you're not already running v74, I'd like to see if you could update to it, as we introduced the DNS DCV fallback which I hope will resolve this for you.

    Thanks!
     
  3. Stavro

    Stavro Member

    Joined:
    Aug 5, 2018
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    Thank you, the update to v74 did indeed fix the issue. I've included some more information below just in case this might be a previously unknown bug.

    This was occurring on v72.0.10, with three IPs on the system, as follows:
    Code:
    1.2.145.63 - Main server shared IP, in use by vps.host.com, host.com, ns1.host.com
    1.2.199.51 - Reseller 1 shared IP, in use by example.com, customer1.com, customer2.com
    1.2.199.58 - Reseller 2 shared IP, in use by reseller.com, customer3.com, customer4.com
    
    If I moved all six non-root domains to 63, AutoSSL would run perfectly for every domain and subdomain, then I could move them back. But even if I moved customer1 and customer2 off to 58, and manually assigned example.com 51 as a dedicated IP, it would still fail DCV validation, as would everything on 58.

    I have moved every site back to its original IP, run the update to v74.0.4, purged the existing certificates for example.com (to make sure there are no lingering issues), and re-run AutoSSL. Here's that log:
    Code:
    Checking websites for “example” …
    3:18:10 PM Analyzing “example.com” …
    3:18:10 PM ERROR TLS Status: Defective
    ERROR Defect: NO_SSL: No SSL certificate is installed.
    3:18:10 PM Performing DCV (Domain Control Validation) …
    Local HTTP DCV OK: example.com
    Local HTTP DCV OK: whm.example.com (via example.com)
    Local HTTP DCV OK: www.example.com (via example.com)
    Local HTTP DCV OK: mail.example.com (via example.com)
    Local HTTP DCV OK: cpanel.example.com (via example.com)
    Local HTTP DCV OK: webdisk.example.com (via example.com)
    Local HTTP DCV OK: webmail.example.com (via example.com)
    Local HTTP DCV OK: autodiscover.example.com (via example.com)
    Analyzing “example.com”’s DCV results …
    3:18:10 PM AutoSSL will request a new certificate.
    3:18:10 PM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com mail.example.com webmail.example.com cpanel.example.com whm.example.com autodiscover.example.com webdisk.example.com).
    3:18:11 PM The cPanel Store received “example.com”’s certificate order. (Order Item ID: ---) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
    3:18:11 PM The system has completed the AutoSSL check for “example”.
    I was expecting it to pass on DNS DCV; instead every site passed with HTTP DCV, and there's no reference to DNS anywhere in the log. Apparently the DCV update fixed some hidden bug in HTTP validation, so I guess we can mark this one as solved. I'll be sure to let you know if the issue comes back.

    I appreciate your help, and please send my thanks to the devs as well for their perfectly timed update.
     
    #3 Stavro, Aug 8, 2018
    Last edited: Aug 8, 2018
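As an added triage helper (not cPanel's code and not part of this thread): a small Python parser for the AutoSSL log lines quoted in the first and third posts. It records, per host, whether the http:// probe was redirected and to which scheme, whether the CA rejected the redirect, the status the web server returned for the validation file, and whether the host passed via an ancestor domain, so the failing hosts in a long log can be listed at a glance. The sample log and the TOKEN.txt filename are constructed, not copied from a real server.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DcvResult:
    host: str
    ok: bool = False
    via: Optional[str] = None              # ancestor domain whose DCV covered this host
    redirect_scheme: Optional[str] = None  # scheme the http:// probe was redirected to
    http_status: Optional[int] = None      # status the server returned for the token file
    errors: List[str] = field(default_factory=list)

RE_REDIRECT = re.compile(r"Redirection #\d+ \(([^)]+)\): (\S+) → (\S+)")
RE_FORBID = re.compile(r"forbids DCV HTTP redirections")
RE_LOCAL_ERR = re.compile(r"Local DCV error \(([^)]+)\):.*?following error: (\d{3})")
RE_OK = re.compile(r"Local HTTP DCV OK: (\S+)(?: \(via (\S+)\))?")

# Constructed sample in the log format quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Checking “example.com” …
 12:00:00 AM Redirection #1 (webmail.example.com): http://webmail.example.com/.well-known/pki-validation/TOKEN.txt → https://webmail.example.com/.well-known/pki-validation/TOKEN.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (webmail.example.com): The system queried for a temporary file at “https://webmail.example.com/.well-known/pki-validation/TOKEN.txt”, which was redirected from “http://webmail.example.com/.well-known/pki-validation/TOKEN.txt”. The web server responded with the following error: 404 (Not Found).
 Local HTTP DCV OK: example.com
 Local HTTP DCV OK: cpanel.example.com (via example.com)
"""

def parse_autossl_log(text: str) -> Dict[str, DcvResult]:
    # One DcvResult per host; the CA's "forbids" line refers to the preceding Redirection line.
    results: Dict[str, DcvResult] = {}
    last_redirect_host = None
    def get(h: str) -> DcvResult:
        return results.setdefault(h, DcvResult(h))
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_REDIRECT.search(line):
            host, _src, dst = m.groups()
            get(host).redirect_scheme = dst.split(":", 1)[0]
            last_redirect_host = host
        elif RE_FORBID.search(line) and last_redirect_host:
            get(last_redirect_host).errors.append("CA forbids HTTP->HTTPS redirect")
        elif m := RE_LOCAL_ERR.search(line):
            host, code = m.groups()
            get(host).http_status = int(code)
            get(host).errors.append(f"HTTP {code} when fetching validation file")
        elif m := RE_OK.search(line):
            host, via = m.groups()
            get(host).ok, get(host).via = True, via
    return results
```

Hosts whose result has `ok` False are the ones that would block the certificate order; a `redirect_scheme` of `https` on a host with no valid certificate yet is exactly the condition described in the replies above.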
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Stavro

    Looking through our Changelog here: 74 Change Log - Change Logs - cPanel Documentation. We did fix/improve the handling of some of these and implemented some new methods of procuring the end result.

    There are quite a few AutoSSL cases that were resolved, I believe the following could be responsible for the improved behavior you're seeing:

    • CPANEL-20043: Expand Comodo HTTP DCV to include parent domains.
    • CPANEL-20101: Teach Comodo HTTP DCV preparation sanity check to try ancestor domains.
    • CPANEL-20818: Improve AutoSSL’s ancestor-substitution efficiency.
    I'm really happy to hear that it's working for you though and please do let us know if you experience any further issues. I'll send them your thanks as well :D
     