AutoSSL inadvertently port sniffing on sub-domains

Discussion in 'Security' started by CODE grunt, Aug 15, 2017.

  1. CODE grunt

    Howdy. While troubleshooting some failing AutoSSL renewals I noticed the following log entries (NOTE: domain, IP and keyfile name changed for privacy reasons):

    ------------
    The system failed to send an HTTP “GET” request to “http://mail.example.com/.well-known/pki-validation/1234567890abcdef.txt” because of an error: Could not connect to 'mail.example.com:80': Connection timed out . The domain “mail.example.com” resolved to an IP address “192.168.1.1” that does not exist on this server.
    ------------

    The issue is that cPanel automatically tries to enable AutoSSL for a wide swath of subdomains (such as "mail") which may or may not be hosted on the local server. If the subdomain exists but is hosted offsite, it will create an outbound request to port 80 which will look like a port sniffing attempt. This could easily lead to reputation problems for the local machine, especially if anything like mod_security is running on the remote host. This becomes especially likely during troubleshooting when the check process may be triggered manually a number of times in succession.

    We really need to have the ability to limit what subdomains are used for AutoSSL.

    Cheers,

    Ron
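
As an added example (not part of the original post, and not cPanel code): a small Python filter that reads AutoSSL log entries of the form quoted above and reports each name whose validation request went to an address off this server, together with how often it was tried. The sample lines are constructed, and the function and variable names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the tail of the log entry quoted in the post. Straight quotes are
# accepted too, in case the log passed through a tool that normalises them.
OFFSITE_RE = re.compile(
    r"The domain [“\"](?P<domain>[^”\"]+)[”\"] resolved to an IP address "
    r"[“\"](?P<ip>[^”\"]+)[”\"] that does not exist on this server"
)

def offsite_dcv_targets(lines):
    """Map each domain whose validation request left this server to the
    addresses it resolved to and the number of attempts logged."""
    found = defaultdict(lambda: {"ips": set(), "attempts": 0})
    for line in lines:
        m = OFFSITE_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # malformed address field: skip rather than guess
        entry = found[m["domain"].lower().rstrip(".")]
        entry["ips"].add(ip)
        entry["attempts"] += 1
    return {d: {"ips": sorted(e["ips"]), "attempts": e["attempts"]}
            for d, e in sorted(found.items())}

# Constructed sample input, modelled on the single entry quoted in the post.
ENTRY = ("The system failed to send an HTTP “GET” request to "
         "“http://{d}/.well-known/pki-validation/1234567890abcdef.txt” "
         "because of an error: Could not connect to '{d}:80': Connection "
         "timed out . The domain “{d}” resolved to an IP address “{ip}” "
         "that does not exist on this server.")
SAMPLE_LOG = [
    ENTRY.format(d="mail.example.com", ip="192.168.1.1"),
    ENTRY.format(d="mail.example.com", ip="192.168.1.1"),  # manual re-run
    ENTRY.format(d="Webmail.example.com", ip="198.51.100.7"),
    "constructed unrelated line that must not match",
]

if __name__ == "__main__":
    for name, info in offsite_dcv_targets(SAMPLE_LOG).items():
        print(f"{name}\t{','.join(info['ips'])}\t{info['attempts']} attempt(s)")
```

Names that appear here with a high attempt count are the ones generating repeated outbound port 80 requests to hosts this server does not control.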
     
  2. cPanelMichael
