AutoSSL fails to Auto Update Certificates

Discussion in 'Security' started by martin MHC, Aug 30, 2017.

  1. martin MHC

    martin MHC Active Member

    I found this morning that AutoSSL failed to update a certificate automatically in the following situation:

    When the domain is covered by an HTTPAuth password protection and/or when the domain has a custom HSTS header:

    .htaccess:

    RewriteCond %{HTTPS} !on
    RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ ([^\ ]+)
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ https://%{HTTP_HOST}%2 [L,R=301]

    AuthName "privateCRM"
    AuthUserFile "/home/account/.htpasswds/public_html/passwd"
    AuthType Basic
    require valid-user

    Header set Strict-Transport-Security "max-age=31536000;" env=HTTPS

    I have disabled HTTPAuth and HSTS header and reloading the page works correctly (autoSSL also updates correctly); I don't know which of the two rules applies (due to the nature of HSTS) but disabling both seemed to work.

    NOTE: I do realise that HTTPAuth is no longer good practice but until we have a more complete security solution on this domain (it's a big domain) then it's in place for the time being.

    If this issue is caused directly by the HSTS command this is a serious concern as many sites use HSTS in the .htaccess file in this way. I hope it's just the HTTPAuth.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Can you verify if the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option is enabled under the "Domains" tab in "WHM >> Tweak Settings"?

    Thank you.
     
  3. martin MHC

    martin MHC Active Member

    Hello Michael, Yes, this setting is enabled on my WHM. The more I look at the issue the more I suspect it's the HTTPAuth causing this but I've not found any other sites on my server yet with HSTS that need to auto update their TLS yet, so can't confirm... yet.
     
  4. albatroz

    albatroz Well-Known Member

    I noticed a similar behaviour and reported it in the ticket with number 8839375; however, I am still waiting for a reply.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The AutoSSL validation attempt will fail if password authentication is required. You'd need to set up a rule that excludes specific IP addresses from the authentication requirement. Comodo validates the DCV file from the following IP addresses:

    Code:
    178.255.81.12
    178.255.81.13
    91.199.212.132
    199.66.201.132
    In this case, it looks like it was caused by the account's .htaccess using "root" ownership. Updating the ownership of the .htaccess file to the account username corrected the issue.

    Thank you.
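
Added example, not part of the original posts and not cPanel's own configuration: one way to write the exclusion described in the reply above, keeping the exemption as narrow as possible. It assumes Apache 2.4 with `AllowOverride AuthConfig`, reuses the auth directives from the first post, and borrows the 32-hex-character `.txt` file name pattern from that post's `RewriteCond`.

```apache
# Added example; assumes Apache 2.4 (mod_authz_core, mod_authz_host).
# Auth directives are the ones from the first post's .htaccess.
AuthName "privateCRM"
AuthUserFile "/home/account/.htpasswds/public_html/passwd"
AuthType Basic

# Replaces the bare "require valid-user" line.
<RequireAny>
    # Everyone else still has to log in.
    Require valid-user

    # Unauthenticated access only when BOTH conditions hold:
    #  - the client is one of the validation addresses listed in the reply above
    #  - the URI matches the DCV file name pattern from the RewriteCond
    <RequireAll>
        Require ip 178.255.81.12 178.255.81.13 91.199.212.132 199.66.201.132
        Require expr "%{REQUEST_URI} =~ m#^/[A-F0-9]{32}\.txt$#"
    </RequireAll>
</RequireAny>
```

A bare `Require ip` line inside `<RequireAny>` would also satisfy the validation fetch, but it would let those addresses read the whole protected directory without a password. The address list is the one quoted in this thread, so check it against the certificate authority's current list before relying on it.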
     
  6. martin MHC

    martin MHC Active Member

    Thanks for the clarification, Michael, I will add some complexity to the HTTPAuth.

    Cheers
     