AutoSSL inadvertently port sniffing on sub-domains

Discussion in 'Security' started by CODE grunt, Aug 15, 2017.

  1. CODE grunt

    Howdy. While troubleshooting some failing AutoSSL renewals I noticed the following log entries (NOTE: domain, IP and keyfile name changed for privacy reasons):

    ------------
    The system failed to send an HTTP “GET” request to “http://mail.example.com/.well-known/pki-validation/1234567890abcdef.txt” because of an error: Could not connect to 'mail.example.com:80': Connection timed out . The domain “mail.example.com” resolved to an IP address “192.168.1.1” that does not exist on this server.
    ------------

    The issue is that cPanel automatically tries to enable AutoSSL for a wide swath of subdomains (such as "mail") which may or may not be hosted on the local server. If the subdomain exists but is hosted offsite, it will create an outbound request to port 80 which will look like a port sniffing attempt. This could easily lead to reputation problems for the local machine, especially if anything like mod_security is running on the remote host. This becomes especially likely during troubleshooting when the check process may be triggered manually a number of times in succession.

    We really need to have the ability to limit what subdomains are used for AutoSSL.

    Cheers,

    Ron
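
To see which subdomains are producing the outbound port-80 requests described in the post above, the failure message can be tallied per destination host. This is an added example, not part of the original post and not cPanel code; the sample lines are constructed from the quoted log entry, and the function names and the repeat threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Matches the AutoSSL DCV failure message quoted in the post (curly quotes included).
DCV_OFFSITE = re.compile(
    r"request to “http://(?P<host>[^/”:]+)(?P<path>/[^”]*)” because of an error: "
    r"(?P<error>.*?)\s*\. The domain “(?P=host)” resolved to an IP address "
    r"“(?P<ip>[^”]+)” that does not exist on this server"
)

def offsite_dcv_attempts(lines):
    """Yield (host, ip, error) for each DCV request sent to an off-server host."""
    for line in lines:
        m = DCV_OFFSITE.search(line)
        if m:
            yield m["host"], m["ip"], m["error"]

def summarize(lines, repeat_threshold=3):
    """Group attempts by destination host; flag hosts hit repeat_threshold+ times."""
    stats = defaultdict(lambda: {"ips": set(), "attempts": 0, "errors": set()})
    for host, ip, error in offsite_dcv_attempts(lines):
        entry = stats[host]
        entry["ips"].add(ip)
        entry["attempts"] += 1
        entry["errors"].add(error)
    return {host: {**e, "repeated": e["attempts"] >= repeat_threshold}
            for host, e in stats.items()}

def make_line(host, ip, err):
    """Build a constructed log line in the format quoted in the post."""
    return (f"The system failed to send an HTTP “GET” request to "
            f"“http://{host}/.well-known/pki-validation/1234567890abcdef.txt” "
            f"because of an error: {err} . The domain “{host}” resolved to an IP "
            f"address “{ip}” that does not exist on this server.")

# Constructed sample input: three manual re-runs against one off-site host,
# one attempt against another, and one unrelated line that must be ignored.
SAMPLE = [make_line("mail.example.com", "192.168.1.1",
                    "Could not connect to 'mail.example.com:80': Connection timed out")] * 3
SAMPLE += [make_line("webmail.example.org", "192.0.2.10",
                     "Could not connect to 'webmail.example.org:80': Connection refused"),
           "unrelated log line (constructed)"]

if __name__ == "__main__":
    for host, e in sorted(summarize(SAMPLE).items()):
        flag = "REPEATED" if e["repeated"] else "single/low"
        print(f"{host} -> {sorted(e['ips'])} attempts={e['attempts']} [{flag}]")
```

Hosts flagged as repeated are the ones most likely to have logged the server's requests as probing during troubleshooting.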
     