Howdy. While troubleshooting some failing AutoSSL renewals I noticed the following log entries (NOTE: domain, IP and keyfile name changed for privacy reasons):
------------
The system failed to send an HTTP “GET” request to “http://mail.example.com/.well-known/pki-validation/1234567890abcdef.txt” because of an error: Could not connect to 'mail.example.com:80': Connection timed out . The domain “mail.example.com” resolved to an IP address “192.168.1.1” that does not exist on this server.
------------
The issue is that cPanel automatically tries to enable autossl for a wide swath of subdomains (such as "mail") which may or may not be hosted on the local server. If the subdomain exists but is hosted offsite, it will create an outbound request to port 80 which will look like a port sniffing attempt. This could easily lead to reputation problems for the local machine, especially if anything like mod_security is running on the remote host. This becomes especially likely during troubleshooting when the check process may be triggered manually a number of times in succession.
We really need to have the ability to limit what subdomains are used for AutoSSL.
Cheers,
Ron
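The behaviour Ron describes can be avoided with a pre-check that resolves each candidate subdomain and only schedules the HTTP DCV fetch for names that point at this server, so no outbound connection is ever made to a foreign host. The following is an added example written for this thread, not cPanel's AutoSSL code. It assumes a constructed DNS table and a constructed set of locally bound addresses so it runs offline; `real_resolve` shows the equivalent lookup with `socket.getaddrinfo` for a live host. The example also handles two cases the log does not mention: a name with no A record at all, and a name whose records are a mix of local and non-local addresses (treated as offsite, since any one request could leave the box).

```python
"""Pre-filter AutoSSL candidate subdomains before issuing an HTTP DCV request.

Added example for the forum thread above; not cPanel's own code.
Assumptions (constructed for this example):
  - FAKE_DNS stands in for real DNS resolution so the script runs offline.
  - LOCAL_IPS stands in for the IPv4 addresses bound on this server.
"""
import socket
from typing import Callable, Iterable

# Constructed DNS table. "mail.example.com" mirrors the log entry: it resolves
# to an address that does not exist on this server.
FAKE_DNS = {
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["192.168.1.1"],       # hosted offsite
    "cpanel.example.com": ["203.0.113.10"],
    "ghost.example.com": [],                   # no A record
    "lb.example.com": ["203.0.113.10", "198.51.100.7"],  # round-robin, one offsite
}

# Constructed set of addresses bound locally (in practice: from `ip -4 addr`).
LOCAL_IPS = {"203.0.113.10", "127.0.0.1"}

DCV_PATH = "/.well-known/pki-validation/"


def fake_resolve(name: str) -> list[str]:
    """Offline stand-in for DNS: return the A records in the constructed table."""
    return FAKE_DNS.get(name, [])


def real_resolve(name: str) -> list[str]:
    """Live IPv4 lookup via the system resolver; empty list if the name has no A record."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(subdomains: Iterable[str], local_ips: set[str],
             resolve: Callable[[str], list[str]]) -> dict[str, list[str]]:
    """Bucket names into:
      local      - every A record is bound here; safe to fetch the DCV file
      offsite    - at least one A record is not ours; skip, a fetch would probe a foreign host
      unresolved - no A record; nothing to validate
    """
    buckets: dict[str, list[str]] = {"local": [], "offsite": [], "unresolved": []}
    for name in subdomains:
        addrs = resolve(name)
        if not addrs:
            buckets["unresolved"].append(name)
        elif all(a in local_ips for a in addrs):
            buckets["local"].append(name)
        else:
            buckets["offsite"].append(name)
    return buckets


def plan_dcv(subdomains: Iterable[str], token_file: str, local_ips: set[str],
             resolve: Callable[[str], list[str]]) -> list[str]:
    """Return the DCV URLs that are safe to request: only names that resolve to this server."""
    local = classify(subdomains, local_ips, resolve)["local"]
    return [f"http://{name}{DCV_PATH}{token_file}" for name in local]


if __name__ == "__main__":
    result = classify(FAKE_DNS, LOCAL_IPS, fake_resolve)
    for bucket, names in result.items():
        print(f"{bucket:10s} {names}")
    for url in plan_dcv(FAKE_DNS, "1234567890abcdef.txt", LOCAL_IPS, fake_resolve):
        print("would fetch:", url)
```

Run against the constructed table, `mail.example.com` and `lb.example.com` land in the offsite bucket and never produce a URL, which is the outbound request the original post is worried about. On a real host, replace `fake_resolve` with `real_resolve` and populate `LOCAL_IPS` from the server's interfaces; the classification logic is unchanged.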