AutoSSL inadvertently port sniffing on sub-domains

C

CODE grunt

Member
Aug 15, 2017
6
1
3
Canada
cPanel Access Level
Root Administrator
Howdy. While troubleshooting some failing AutoSSL renewals I noticed the following log entries (NOTE: domain, IP and keyfile name changed for privacy reasons):

------------
The system failed to send an <abbr title="Hypertext Transfer Protocol">HTTP</abbr> “GET” request to “http://mail.example.com/.well-known/pki-validation/1234567890abcdef.txt” because of an error: Could not connect to 'mail.example.com:80': Connection timed out . The domain “mail.example.com” resolved to an IP address “192.168.1.1” that does not exist on this server.
------------

The issue is that cPanel automatically tries to enable autossl for a wide swath of subdomains (such as "mail") which may or may not be hosted on the local server. If the subdomain exists but is hosted offsite, it will create an outbound request to port 80 which will look like a port sniffing attempt. This could easily lead to reputation problems for the local machine, especially if anything like mod_security is running on the remote host. This becomes especially likely during troubleshooting when the check process may be triggered manually a number of times in succession.

We really need to have the ability to limit what subdomains are used for AutoSSL.

Cheers,

Ron
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
P Certificate for a delegated subdomain (AutoSSL + Let's Encrypt). Security 2
M Sectigo AutoSSL doesn't renew domain Security 3
S AutoSSL cron run time(s) Security 13
A AutoSSL - Switch from Sectigo to Let's Encrypt Security 3
W problem with certificate parent cpanel - run autossl no work Security 3
Similar threads
Certificate for a delegated subdomain (AutoSSL + Let's Encrypt).
Sectigo AutoSSL doesn't renew domain
AutoSSL cron run time(s)
AutoSSL - Switch from Sectigo to Let's Encrypt
problem with certificate parent cpanel - run autossl no work
Top Bottom