AutoSSL inadvertently port sniffing on sub-domains

C

CODE grunt

Member
Aug 15, 2017
6
1
3
Canada
cPanel Access Level
Root Administrator
Howdy. While troubleshooting some failing AutoSSL renewals I noticed the following log entries (NOTE: domain, IP and keyfile name changed for privacy reasons):

------------
The system failed to send an <abbr title="Hypertext Transfer Protocol">HTTP</abbr> “GET” request to “http://mail.example.com/.well-known/pki-validation/1234567890abcdef.txt” because of an error: Could not connect to 'mail.example.com:80': Connection timed out . The domain “mail.example.com” resolved to an IP address “192.168.1.1” that does not exist on this server.
------------

The issue is that cPanel automatically tries to enable autossl for a wide swath of subdomains (such as "mail") which may or may not be hosted on the local server. If the subdomain exists but is hosted offsite, it will create an outbound request to port 80 which will look like a port sniffing attempt. This could easily lead to reputation problems for the local machine, especially if anything like mod_security is running on the remote host. This becomes especially likely during troubleshooting when the check process may be triggered manually a number of times in succession.

We really need to have the ability to limit what subdomains are used for AutoSSL.

Cheers,

Ron
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
L AutoSSL polls for days with no result Security 4
P AutoSSL Issuing Expired Certificates Security 2
C AutoSSL for smtp Security 1
C AutoSSL failing for addon domain Security 3
C AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server Security 5
Similar threads
AutoSSL polls for days with no result
AutoSSL Issuing Expired Certificates
AutoSSL for smtp
AutoSSL failing for addon domain
AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server
Top Bottom