AutoSSL fails to Auto Update Certificates

[martin MHC]

I found this morning that AutoSSL failed to update a certificate automatically on the following situation:

When the domain is covered by a HTTPAuth password protection and/or when the domain has a custom HSTS header:

.htaccess:

RewriteCond %{HTTPS} !on
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ ([^\ ]+)
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%2 [L,R=301]

AuthName "privateCRM"
AuthUserFile "/home/account/.htpasswds/public_html/passwd"
AuthType Basic
require valid-user

Header set Strict-Transport-Security "max-age=31536000;" env=HTTPS​

I have disabled HTTPAuth and HSTS header and reloading the page works correctly (autoSSL also updates correctly); I don't know which of the two rules applies (due to the nature of HSTS) but disabling both seemed to work.

NOTE: I do realise that HTTPAuth is no longer good practise but until we have a more complete security solution on this domain (it's a big domain) then it's in place for the time being.

If this issue is caused directly by the HSTS command this is a serious concern as many sites use HSTS in the .htaccess file in this way. I hope it's just the HTTPAuth .

 

[cPanelMichael]

Hello,

Can you verify if the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option is enabled under the "Domains" tab in "WHM >> Tweak Settings"?

Thank you.

 

[martin MHC]

Hello Michael, Yes, this setting is enabled on my WHM. The more I look at it the issue the more I suspect it's the HTTPAuth causing this but I've not found any other sites on my server yet with HSTS that need to auto udate their TLS yet, so can't confirm... yet.

 

[albatroz]

I noticed a similar behaviour and reported it in the ticket with number 8839375
however I am still waiting for reply

 

[cPanelMichael]

The more I look at it the issue the more I suspect it's the HTTPAuth causing this but I've not found any other sites on my server yet with HSTS that need to auto udate their TLS yet, so can't confirm... yet.

The AutoSSL validation attempt will fail if password authentication is required. You'd need to setup a rule that excludes specific IP addresses from the authentication requirement. Comodo validates the DCV file from the following IP addresses:

178.255.81.12
178.255.81.13
91.199.212.132
199.66.201.132

I noticed a similar behaviour and reported it in the ticket with number 8839375
however I am still waiting for reply

In this case, it looks like it was caused by the account's .htaccess using "root" ownership. Updating the ownership of the .htaccess file to the account username corrected the issue.

Thank you.

 

[martin MHC]

Thanks for the clarification Michael, I will add some complexity to the HTTPAuth.

Cheers