AutoSSL Errors Due to HTTP Redirects in cPanel v68.0 Despite Domain Validation Exclusion Conditions

Discussion in 'Security' started by schwartzy18510, Feb 3, 2018.

  1. schwartzy18510

    schwartzy18510 Registered

    Joined:
    Feb 3, 2018
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    U.S.
    cPanel Access Level:
    Website Owner
    Hello, I am on a shared web hosting environment which incorporates cPanel v68.0 (build 28.0).

    I am experiencing AutoSSL renewal exclusion warnings which began immediately after I implemented URL 301 redirects in .htaccess to force non-www and non-https URL versions of my website's domain to a URL which includes https and www.

    The specific error I am receiving is as follows and applies to both the http:// and http:// www URL versions of the domain:

    "The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http:// example.com/.well-known/pki-validation/7A2FD4D19D76C2BED16311E2C77471F0.txt” URL, it redirected to the “https:// www .example.com/.well-known/pki-validation/7A2FD4D19D76C2BED16311E2C77471F0.txt” URL."

    I have checked my .htaccess file for the presence of the mod_redirect exclusions referenced in this thread in regard to cPanel v60 and do not see them.

    I therefore manually added the three RewriteCond exclusions as listed in the thread linked above prior to my two existing URL 301 Rewrite Conditions and Rewrite Rule, but am still experiencing these errors.

    Is there any updated work-around for this issue in relation to cPanel v68? Or is there perhaps a simpler solution that I have overlooked?
     
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,483
    Likes Received:
    31
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    The rewrite rules in that thread were outdated. The latest ones are:

    For cPanel’s internal DCV checks:
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$

    For Comodo:
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

    For Let’s Encrypt:
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

    I have also edited the post in that thread to update them.
     
    schwartzy18510 likes this.
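
An added example, not part of the thread and not cPanel's code: this Python sketch models the negated RewriteCond chain from the post above to show which request paths stay on plain HTTP and which still get redirected. The sample URIs, labels and function names are constructed for illustration, and it assumes the conditions sit directly ahead of a single redirect RewriteRule and that these expressions behave the same under Python's `re` as under Apache's PCRE.

```python
import re

# Exclusion patterns copied from the post above; the dict keys are
# labels made up for this example.
DCV_EXCLUSIONS = {
    "cpanel-legacy": r"^/[0-9]+\..+\.cpaneldcv$",
    "cpanel-dcv": r"^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$",
    "comodo-root": r"^/[A-F0-9]{32}\.txt$",
    "comodo-wk": r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",
    "letsencrypt": r"^/\.well-known/acme-challenge/",
}
COMPILED = {name: re.compile(p) for name, p in DCV_EXCLUSIONS.items()}


def matching_exclusion(request_uri):
    """Return the label of the first exclusion the URI matches, else None."""
    for name, rx in COMPILED.items():
        if rx.search(request_uri):
            return name
    return None


def would_redirect(request_uri):
    """Model a chain of negated RewriteConds (implicitly ANDed): the
    redirect rule fires only when the URI matches none of the patterns."""
    return matching_exclusion(request_uri) is None


# Constructed sample URIs; the first is the path from the error message.
SAMPLES = [
    "/.well-known/pki-validation/7A2FD4D19D76C2BED16311E2C77471F0.txt",
    "/.well-known/pki-validation/7a2fd4d19d76c2bed16311e2c77471f0.txt",  # lowercase hex
    "/.well-known/pki-validation/7A2FD4D19D76C2BED16311E2C77471F0.txt.bak",
    "/.well-known/acme-challenge/constructed-token",
    "/.well-known/cpanel-dcv/abc_DEF-123",
    "/1234567890.constructedtoken.cpaneldcv",
    "/index.php",
    "/wp-login.php",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        hit = matching_exclusion(uri)
        print(f"{'served over HTTP' if hit else 'redirected':17} {hit or '-':14} {uri}")
```

The Comodo and cPanel patterns are anchored at both ends, so only exact validation file names skip the HTTPS redirect; the Let's Encrypt pattern is a prefix match, so every path under `/.well-known/acme-challenge/` is exempt.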
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,888
    Likes Received:
    90
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    You will have to disable the redirect rule, and then again execute the AutoSSL check because with this redirect, the verification will not work and that SSL will not be generated.
     
  4. schwartzy18510

    Many thanks, cPanelNick! After subbing in those conditions for those I was attempting to use previously, the two redirect-related AutoSSL errors resolved and the domains validated successfully.

    Unfortunately, I now have a new error presenting for just my autodiscover subdomain:

    "The system queried for a temporary file at “http://autodiscover.example.com/.well-known/pki-validation/745E786B921D18B07F2EE66397D27CE8.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist."

    I can't seem to escape this error even after reverting to my previous RewriteCond within .htaccess, so it appears unlikely this is related to the change in domain validation exclusion conditions. It may simply be a new gremlin.

    Any advice on resolving this new 404?
     
  5. cPanelNick

    You can force a check of all proxy domains config and DNS entries with the following command:

    Code:
    /scripts/checkproxysubdomains --force
    
     
    schwartzy18510 likes this.
  6. schwartzy18510

    I attempted to run this script in an SSH session via PuTTY, but found that root access is required to execute it. Unfortunately, I am in a shared web hosting environment and do not have root access.

    I edited my .htaccess file to remove all redirect codes and the AutoSSL check still came back with the missing .txt file. Any other ideas on what I can try to resolve this error?
     
  7. cPanelNick

    Hi schwartzy18510,

    Your best bet is to ask your host to run that script as there isn't a way you can do it without root access. Also if you don't have any luck, the problem may resolve itself once your host updates to v70+. We check for this type of issue and will try to repair it automatically in v70+.

    If you still don't have any luck getting your host to run the script, there is another opportunity coming up for us to work around the problem via an update: Later this year we plan on adding DNS DCV support which will provide an alternate validation method in the event HTTP DCV fails.
     
    schwartzy18510 likes this.
  8. schwartzy18510

    Just got off of chat with my web hosting provider. They didn't run the recommended script, but simply stated that excluding the autodiscover subdomain from AutoSSL would be a sufficient work-around. Something I had already done, while awaiting resolution. I'm new enough to this game that I don't know enough to contradict them if they're off-base here.

    I asked about plans to update cPanel version, they said there is no ETA at this time for an upgrade. Looks like I'm out of luck for the time being. I thank you for your help, I'm indebted.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,400
    Likes Received:
    1,953
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    If your hosting provider is concerned about adding the missing proxy subdomain DNS entries for all domain names on the server, you could let them know they could run the command for your individual domain name. EX:

    Code:
    /scripts/proxydomains --domain=domain.tld add
    Thank you.
     