AutoSSL not renewed due to content in .htaccess file

johk02
Registered, Jul 18, 2017, bne
cPanel Access Level: Reseller Owner
Hi,
I have a reseller account and one of the domains could not be updated with AUTOSSL.

My hosting provider said it was due to the .htaccess file that the installation of the SSL certificates failed.

This has now been going on for a few days and the certificates have still not been able to install.


I have gone through the .htaccess file but can't figure out what causes AutoSSL to NOT install.

I have attached the .htaccess file and would appreciate any pointers.


Thanks

J

Sorry, forgot to add that I use WHM 64.0 build32.


24x7server
Well-Known Member, Apr 17, 2013, India
cPanel Access Level: Root Administrator
Hi,

You may have seen a file with a strange, long random name ending in .txt in your account. This is the verification file, and it has to be browseable. You have to alter your .htaccess to make this file browseable, for example http://domain.com/EIOTOIHGGHSFDJKHBFKJVGB.txt (adjust accordingly).
SSL issuance fails if Comodo or the SSL provider is not able to browse this file and get a proper response from this URL.

cPanelMichael
Administrator, Staff member, Apr 11, 2011
Hello,

The previous post is correct. Your .htaccess file includes several query strings. You may need to disable those redirect rules one by one until you are able to determine which specific rule is the culprit. Here's an example of the URL that needs to be accessible:

Code:
HTTP://yourdomain.tld/.well-known/pki-validation/<filename.txt>
Alternatively, you can ask your hosting provider to enable the following option under the "Domains" tab in "WHM >> Tweak Settings":

Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

Per its description:

When you enable this option, Apache adds global rewrite rules to the webserver configuration so that the system does not process additional rewrite rules for DCV filenames. These global rules make it unnecessary for cPanel & WHM to modify each virtual host’s .htaccess file. Note: When you enable this option, the system receives a trivial performance penalty because all of the HTTP requests must be matched against the DCV filename regular expressions.
Thank you.

fuzzylogic
Well-Known Member, Nov 8, 2014
cPanel Access Level: Root Administrator
As for your .htaccess rules...
You have not stated which SSL provider is having their validation fail, so it's hard to know what to look for in your .htaccess file.
That said, if it is Comodo failing, then look at the following rule.
Line 279 has the following rule.
Code:
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</limit>
</IfModule>
This rule sets the environment variable keep_out if the user-agent string matches comodo.
It then denies requests for which the environment variable keep_out is set.

A cPanel knowledge-base article identifies the following user agent as being used by Comodo in its domain-validation HTTP request:
"GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "COMODO DCV"

So try deleting comodo from that list of user agents, then try to renew the SSL cert.

johk02
Registered, Jul 18, 2017, bne
cPanel Access Level: Reseller Owner
fuzzylogic - Thanks a lot for this.
Yes, the SSL provider is Comodo.
What I did was to temporarily revert back to the original .htaccess file and the certificates have now been updated and installed.
When I amend the .htaccess file, how can I afterwards test if this is working, i.e., that Comodo is allowed?

Thanks
JH

fuzzylogic
Well-Known Member, Nov 8, 2014
cPanel Access Level: Root Administrator
To test this you would remove the SSL certificate, then attempt to issue it again.
I have no experience using cPanel's AutoSSL, so I will not attempt to advise you on how to do this.
Maybe someone with more experience could advise you.

If after testing you find that the # 5G:[USER AGENTS] code block in your .htaccess file is the cause of the comodo autossl problem then that block could be removed by unchecking the following checkbox.
WP Security => Settings => Firewall => 6G Blacklist Firewall Rules => Enable legacy 5G Firewall Protection: (checkbox)

It looks to me as if the 5G rules were an old version of the 6G rules, so you would not lose much by disabling them.
6G:[USER AGENTS] code block does not include the comodo string, so it should not block the domain validation request.
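An added example (not code from the thread, cPanel or Comodo) that ties together three points made above: cPanelMichael's note that the validation URL under /.well-known/pki-validation/ must be fetchable, fuzzylogic's reading of the 5G:[USER AGENTS] block, and johk02's question of how to test the fix without waiting for a reissue. The first half models the Apache logic of that block (SetEnvIfNoCase is an unanchored, case-insensitive match, so the lowercase "comodo" in the list catches the "COMODO DCV" user agent quoted from the access log) and runs it over a few constructed log lines in the same format as the quoted one; the second half is a small probe that fetches a URL you supply once as a browser and once as "COMODO DCV", so a request that succeeds as a browser but fails as DCV points at a User-Agent rule. The list of user agents is copied from the block quoted above; the log lines, the file name in them and the probe helper names are constructed for illustration, and the probe needs network access to your server.

```python
"""Model the 5G user-agent block quoted above and probe a DCV URL the way Comodo would."""
import re
import sys
import urllib.error
import urllib.request

# The alternation exactly as it appears in the 5G:[USER AGENTS] block quoted above.
FIVE_G_UA_PATTERN = (
    "binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|"
    "jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu"
)

# <limit GET POST PUT>: Apache also applies a GET restriction to HEAD.
LIMITED_METHODS = {"GET", "HEAD", "POST", "PUT"}

# User agent from the access-log line quoted in the thread.
COMODO_DCV_UA = "COMODO DCV"


def keep_out_set(user_agent: str, pattern: str = FIVE_G_UA_PATTERN) -> bool:
    """SetEnvIfNoCase User-Agent (pattern) keep_out: unanchored, case-insensitive search."""
    return re.search(pattern, user_agent, re.IGNORECASE) is not None


def request_allowed(method: str, user_agent: str, pattern: str = FIVE_G_UA_PATTERN) -> bool:
    """Order Allow,Deny / Allow from all / Deny from env=keep_out, only for the <limit> methods."""
    if method.upper() not in LIMITED_METHODS:
        return True
    return not keep_out_set(user_agent, pattern)


def without_comodo(pattern: str = FIVE_G_UA_PATTERN) -> str:
    """The change fuzzylogic proposes: the same list with 'comodo' removed."""
    return "|".join(tok for tok in pattern.split("|") if tok != "comodo")


# Constructed sample log lines in the format of the line quoted in the thread; not real traffic.
SAMPLE_LOG = [
    '"GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "COMODO DCV"',
    '"GET /.well-known/pki-validation/4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "COMODO DCV"',
    '"GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"',
    '"POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.18.1"',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')


def denied_requests(log_lines, pattern: str = FIVE_G_UA_PATTERN):
    """Return (method, path, user_agent) for every logged request the rule would have denied."""
    denied = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not in the expected format; skip rather than guess
        if not request_allowed(m["method"], m["ua"], pattern):
            denied.append((m["method"], m["path"], m["ua"]))
    return denied


def fetch_with_user_agent(url: str, user_agent: str = COMODO_DCV_UA, timeout: int = 10):
    """GET url presenting the given User-Agent; returns (status, body). Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def dcv_probe(url: str, expected_body: str):
    """Fetch url as a browser and as Comodo DCV; a mismatch means a User-Agent rule is in the way."""
    results = {}
    for label, ua in (("browser", "Mozilla/5.0"), ("dcv", COMODO_DCV_UA)):
        status, body = fetch_with_user_agent(url, ua)
        results[label] = (status, body.strip() == expected_body.strip())
    return results


if __name__ == "__main__":
    print("5G list denies:", denied_requests(SAMPLE_LOG))
    print("without comodo:", denied_requests(SAMPLE_LOG, without_comodo()))
    if len(sys.argv) == 3:  # usage: script.py http://yourdomain.tld/.well-known/pki-validation/FILE.txt EXPECTED_BODY
        print(dcv_probe(sys.argv[1], sys.argv[2]))
```

To use the probe, drop a small text file of your own into /.well-known/pki-validation/ on the account, run the script with its URL and contents, and expect both the "browser" and "dcv" entries to be (200, True). If the browser fetch succeeds and the DCV fetch does not, a User-Agent rule such as the 5G block is still matching; if both fail, the cause is elsewhere in .htaccess (the rewrite and redirect rules cPanelMichael suggests disabling one at a time). Note that this models only the User-Agent block, not the query-string, request-URI or other 5G/6G sections, and it says nothing about whether AutoSSL itself will retry; that still needs the reissue fuzzylogic describes.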