SOLVED AutoSSL DCV HTTP redirection error on reseller IPs

Stavro

Member
Aug 5, 2018
7
0
1
United States
cPanel Access Level
Root Administrator
On my main server IP, every domain can get certificates for every service subdomain (cpanel.example.com, etc.). But my reseller accounts, and every sub-account, have DCV HTTP errors for every service subdomain.

Here's the AutoSSL log file for a reseller account:
Code:
Checking “example.com” …
 12:00:00 AM ERROR TLS Status: Defective
 ERROR Defect: NO_SSL: No SSL certificate is installed.
 12:00:00 AM Redirection #1 (webmail.example.com): http://webmail.example.com/.well-known/pki-validation/-----.txt → https://webmail.example.com/.well-known/pki-validation/-----.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (webmail.example.com): The system queried for a temporary file at “https://webmail.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://webmail.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 Redirection #1 (cpanel.example.com): http://cpanel.example.com/.well-known/pki-validation/-----.txt → https://cpanel.example.com/.well-known/pki-validation/-----.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (cpanel.example.com): The system queried for a temporary file at “https://cpanel.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://cpanel.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 Redirection #1 (whm.example.com): http://whm.example.com/.well-known/pki-validation/-----.txt → https://whm.example.com/.well-known/pki-validation/-----.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (whm.example.com): The system queried for a temporary file at “https://whm.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://whm.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 Redirection #1 (autodiscover.example.com): http://autodiscover.example.com/.well-known/pki-validation/-----.txt → https://autodiscover.example.com/.well-known/pki-validation/-----.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (autodiscover.example.com): The system queried for a temporary file at “https://autodiscover.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://autodiscover.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 Redirection #1 (webdisk.example.com): http://webdisk.example.com/.well-known/pki-validation/-----.txt → https://webdisk.example.com/.well-known/pki-validation/-----.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (webdisk.example.com): The system queried for a temporary file at “https://webdisk.example.com/.well-known/pki-validation/-----.txt”, which was redirected from “http://webdisk.example.com/.well-known/pki-validation/-----.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 AutoSSL will request a new certificate.
 12:00:00 AM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com mail.example.com).
And here's the log file for the same reseller account after moving it to my server's main IP:
Code:
Checking “example.com” …
 12:00:00 AM TLS Status: Incomplete
 Certificate expiry: 11/6/18, 12:00 AM UTC (90.58 days from now)
 Number of domains: 8
 Number of secured domains: 3
 12:00:00 AM AutoSSL will request a new certificate.
As a temporary workaround I can move every account to my server IP, run AutoSSL, and move them back, but I cannot imagine this is working as intended.

Comodo and Let's Encrypt give identical results, all domains are on the same server, and the IP reassignments are handled through cPanel, so I'm unsure what configuration error could be causing this.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hi @Stavro

While Comodo does support DCV redirection to HTTPS, it will not do so on a domain with an expired or invalid certificate. In this instance, the certificate was not present initially:

Code:
 12:00:00 AM ERROR TLS Status: Defective
 ERROR Defect: NO_SSL: No SSL certificate is installed.
This isn't just for resellers though, and I find it odd that this is occurring only when you're using a specific IP address. Which version of cPanel was this occurring on? If you're not already running v74, I'd like to see if you could update to it, as we introduced the DNS DCV fallback, which I hope will resolve this for you.

Thanks!
 

Stavro

Thank you, the update to v74 did indeed fix the issue. I've included some more information below just in case this might be a previously unknown bug.

This was occurring on v72.0.10, with three IPs on the system, as follows:
Code:
1.2.145.63 - Main server shared IP, in use by vps.host.com, host.com, ns1.host.com
1.2.199.51 - Reseller 1 shared IP, in use by example.com, customer1.com, customer2.com
1.2.199.58 - Reseller 2 shared IP, in use by reseller.com, customer3.com, customer4.com
If I moved all six non-root domains to 63, AutoSSL would run perfectly for every domain and subdomain, then I could move them back. But even if I moved customer1 and customer2 off to 58, and manually assigned example.com 51 as a dedicated IP, it would still fail DCV validation, as would everything on 58.

I moved every site back to its original IP, ran the update to v74.0.4, purged the existing certificates for example.com (to make sure there are no lingering issues), and re-ran AutoSSL. Here's that log:
Code:
Checking websites for “example” …
3:18:10 PM Analyzing “example.com” …
3:18:10 PM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
3:18:10 PM Performing DCV (Domain Control Validation) …
Local HTTP DCV OK: example.com
Local HTTP DCV OK: whm.example.com (via example.com)
Local HTTP DCV OK: www.example.com (via example.com)
Local HTTP DCV OK: mail.example.com (via example.com)
Local HTTP DCV OK: cpanel.example.com (via example.com)
Local HTTP DCV OK: webdisk.example.com (via example.com)
Local HTTP DCV OK: webmail.example.com (via example.com)
Local HTTP DCV OK: autodiscover.example.com (via example.com)
Analyzing “example.com”’s DCV results …
3:18:10 PM AutoSSL will request a new certificate.
3:18:10 PM The system will attempt to renew the SSL certificate for the website (example.com: example.com www.example.com mail.example.com webmail.example.com cpanel.example.com whm.example.com autodiscover.example.com webdisk.example.com).
3:18:11 PM The cPanel Store received “example.com”’s certificate order. (Order Item ID: ---) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
3:18:11 PM The system has completed the AutoSSL check for “example”.
I was expecting it to pass on DNS DCV; instead, every site passed with HTTP DCV, and there's no reference to DNS anywhere in the log. Apparently the DCV update fixed some hidden bug in HTTP validation, so I guess we can mark this one as solved. I'll be sure to let you know if the issue comes back.

I appreciate your help, and please send my thanks to the devs as well for their perfectly timed update.
 

cPanelLauren

Hi @Stavro

Looking through our Changelog here: 74 Change Log - Change Logs - cPanel Documentation. We did fix/improve the handling of some of these and implemented some new methods of procuring the end result.

There are quite a few AutoSSL cases that were resolved; I believe the following could be responsible for the improved behavior you're seeing:

  • CPANEL-20043: Expand Comodo HTTP DCV to include parent domains.
  • CPANEL-20101: Teach Comodo HTTP DCV preparation sanity check to try ancestor domains.
  • CPANEL-20818: Improve AutoSSL’s ancestor-substitution efficiency.
I'm really happy to hear that it's working for you though and please do let us know if you experience any further issues. I'll send them your thanks as well :D
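
An added example (not part of the thread and not cPanel code): a small parser for the two AutoSSL log formats quoted in the posts above, which separates hostnames whose HTTP DCV was rejected because of a redirect from those that passed, including passes obtained via an ancestor domain. The sample log lines are constructed from the formats in the posts, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the two log formats quoted in the thread.
FAILING_LOG = """\
 ERROR Defect: NO_SSL: No SSL certificate is installed.
 Redirection #1 (webmail.example.com): http://webmail.example.com/.well-known/pki-validation/-----.txt → https://webmail.example.com/.well-known/pki-validation/-----.txt
 ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
 WARN Local DCV error (webmail.example.com): The system queried for a temporary file. The web server responded with the following error: 404 (Not Found).
"""
PASSING_LOG = """\
Local HTTP DCV OK: example.com
Local HTTP DCV OK: whm.example.com (via example.com)
"""

REDIRECT = re.compile(r"Redirection #\d+ \((?P<host>[^)]+)\): (?P<src>\S+) → (?P<dst>\S+)")
FORBIDDEN = re.compile(r"ERROR “(?P<provider>.+?)” forbids DCV HTTP redirections")
LOCAL_ERR = re.compile(r"Local DCV error \((?P<host>[^)]+)\):.*following error: (?P<status>\d{3})")
DCV_OK = re.compile(r"Local HTTP DCV OK: (?P<host>\S+)(?: \(via (?P<via>[^)]+)\))?")


def summarize_dcv(log_text):
    """Return {hostname: result dict} for every DCV event found in the log."""
    results, last_redirect = {}, None
    for line in log_text.splitlines():
        if m := REDIRECT.search(line):
            src, dst = urlsplit(m["src"]), urlsplit(m["dst"])
            last_redirect = m["host"]
            results[last_redirect] = {
                "state": "redirected",
                # True when only the scheme changed (a forced-HTTPS rewrite).
                "https_upgrade": (src.scheme, dst.scheme) == ("http", "https")
                and (src.netloc, src.path) == (dst.netloc, dst.path),
            }
        elif (m := FORBIDDEN.search(line)) and last_redirect:
            # The provider's refusal applies to the redirect logged just before it.
            results[last_redirect].update(state="redirect_forbidden", provider=m["provider"])
        elif m := LOCAL_ERR.search(line):
            results.setdefault(m["host"], {"state": "error"})["http_status"] = int(m["status"])
        elif m := DCV_OK.search(line):
            # "via" is the ancestor domain used for validation, or None.
            results[m["host"]] = {"state": "ok", "via": m["via"]}
    return results


def blocked_by_redirect(results):
    """Hostnames whose HTTP DCV failed because the provider rejects redirects."""
    return sorted(h for h, r in results.items() if r["state"] == "redirect_forbidden")
```

Running `blocked_by_redirect(summarize_dcv(log))` over a saved AutoSSL log gives the list of service subdomains to check for a forced HTTP-to-HTTPS rewrite on their virtual host.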