AutoSSL Errors Due to HTTP Redirects in cPanel v68.0 Despite Domain Validation Exclusion Conditions

schwartzy18510

Registered
Feb 3, 2018
4
0
1
U.S.
cPanel Access Level
Website Owner
Hello, I am on a shared web hosting environment which incorporates cPanel v68.0 (build 28.0).

I am experiencing AutoSSL renewal exclusion warnings which began immediately after I implemented URL 301 redirects in .htaccess to force non-www and non-https URL versions of my website's domain to a URL which includes https and www.

The specific error I am receiving is as follows and applies to both the http:// and http:// www URL versions of the domain:

"The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://example.com/.well-known/pki-validation/7A2FD4D19D76C2BED16311E2C77471F0.txt” URL, it redirected to the “https://www.example.com/.well-known/pki-validation/7A2FD4D19D76C2BED16311E2C77471F0.txt” URL."

I have checked my .htaccess file for the presence of the mod_redirect exclusions referenced in this thread in regard to cPanel v60 and do not see them.

I therefore manually added the three RewriteCond exclusions as listed in the thread linked above prior to my two existing URL 301 Rewrite Conditions and Rewrite Rule, but am still experiencing these errors.

Is there any updated work-around for this issue in relation to cPanel v68? Or is there perhaps a simpler solution that I have overlooked?
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,481
35
208
cPanel Access Level
DataCenter Provider
> I have checked my .htaccess file for the presence of the mod_redirect exclusions referenced in this thread in regard to cPanel v60 and do not see them.

The rewrite rules in that thread were outdated. The latest ones are:

For cPanel’s internal DCV checks:
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$

For Comodo:
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

For Let’s Encrypt:
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

I have also edited the post in that thread to update them.
 
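
An added example, not part of the thread and not cPanel's own configuration: a complete .htaccess block showing where the DCV exclusions listed above sit relative to a forced HTTPS/www redirect. The two redirect trigger conditions, the RewriteRule and the target host www.example.com are assumptions, since the original poster's own rules are not shown in the thread.

```apache
RewriteEngine On

# --- DCV exclusions (from the post above) ---
# Each condition must hold for the redirect to fire, so a request for any
# validation file fails one of them and is served over plain HTTP as-is.

# cPanel's internal DCV checks
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$

# Comodo
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

# Let's Encrypt
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

# --- Redirect triggers (assumed; not taken from the thread) ---
# [OR] binds more tightly than the implicit AND between conditions, so the
# chain reads: (all exclusions) AND (HTTPS is off OR host lacks "www.").
# The exclusions therefore cover both triggers and do not need repeating.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]

# A single 301 straight to the canonical https://www URL
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
```

RewriteCond lines apply only to the RewriteRule that immediately follows them, so a site with separate rules for the www redirect and the HTTPS redirect needs the exclusions placed before each rule.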

24x7server

Well-Known Member
Apr 17, 2013
1,912
99
78
India
cPanel Access Level
Root Administrator
Twitter
> I am experiencing AutoSSL renewal exclusion warnings which began immediately after I implemented URL 301 redirects in .htaccess to force non-www and non-https URL versions of my website's domain to a URL which includes https and www.

You will have to disable the redirect rule, and then again execute the AutoSSL check because with this redirect, the verification will not work and that SSL will not be generated.
 

schwartzy18510

> The rewrite rules in that thread were outdated...
>
> ...I have also edited the post in that thread to update them.

Many thanks, cPanelNick! After subbing in those conditions for those I was attempting to use previously, the two redirect-related AutoSSL errors resolved and the domains validated successfully.

Unfortunately, I now have a new error presenting for just my autodiscover subdomain:

"The system queried for a temporary file at “http://autodiscover.example.com/.well-known/pki-validation/745E786B921D18B07F2EE66397D27CE8.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist."

I can't seem to escape this error even after reverting to my previous RewriteCond within .htaccess, so it appears unlikely this is related to the change in domain validation exclusion conditions. It may simply be a new gremlin.

Any advice on resolving this new 404?
 

schwartzy18510

> You can force a check of all proxy domains config and DNS entries with the following command:
>
> Code:
> /scripts/checkproxysubdomains --force

I attempted to run this script in an SSH session via PuTTY, but found that root access is required to execute it. Unfortunately, I am in a shared web hosting environment and do not have root access.

I edited my .htaccess file to remove all redirect codes and the AutoSSL check still came back with the missing .txt file. Any other ideas on what I can try to resolve this error?
 

cPanelNick

> I attempted to run this script in a SSH session via PuTTY, but found that root access is required to execute it. Unfortunately, I am in a shared web hosting environment and do not have root access.
>
> I edited my .htaccess file to remove all redirect codes and the AutoSSL check still came back with the missing .txt file. Any other ideas on what I can try to resolve this error?

Hi schwartzy18510,

Your best bet is to ask your host to run that script as there isn't a way you can do it without root access. Also if you don't have any luck, the problem may resolve itself once your host updates to v70+. We check for this type of issue and will try to repair it automatically in v70+.

If you still don't have any luck getting your host to run the script, there is another opportunity coming up for us to work around the problem via an update: Later this year we plan on adding DNS DCV support which will provide an alternate validation method in the event HTTP DCV fails.
 

schwartzy18510

> Your best bet is to ask your host to run that script as there isn't a way you can do it without root access. Also if you don't have any luck, the problem may resolve itself once your host updates to v70+. We check for this type of issue and will try to repair it automatically in v70+.

Just got off of chat with my web hosting provider. They didn't run the recommended script, but simply stated that excluding the autodiscover subdomain from AutoSSL would be a sufficient work-around. Something I had already done, while awaiting resolution. I'm new enough to this game that I don't know enough to contradict them if they're off-base here.

I asked about plans to update cPanel version, they said there is no ETA at this time for an upgrade. Looks like I'm out of luck for the time being. I thank you for your help, I'm indebted.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
> Just got off of chat with my web hosting provider. They didn't run the recommended script, but simply stated that excluding the autodiscover subdomain from AutoSSL would be a sufficient work-around. Something I had already done, while awaiting resolution. I'm new enough to this game that I don't know enough to contradict them if they're off-base here.

Hello,

If your hosting provider is concerned about adding the missing proxy subdomain DNS entries for all domain names on the server, you could let them know they could run the command for your individual domain name. EX:

Code:
/scripts/proxydomains --domain=domain.tld add
Thank you.