
AutoSSL not renewed due to content in .htaccess file

Discussion in 'Security' started by johk02, Jul 18, 2017.

  1. johk02

    johk02 Registered

    Joined:
    Jul 18, 2017
    Location:
    bne
    cPanel Access Level:
    Reseller Owner
    Hi,
    I have a reseller account and one of the domains could not be updated with AUTOSSL.

    My hosting provider said it was due to the .htaccess file that the installation of the SSL certificates failed.

    This has now been going on for a few days and the certificates have still not been able to install.
    I have gone through the .htaccess file but can’t figure out what causes the AUTOSSL to NOT install.

    I have attached the .htaccess file and would appreciated any pointers.
    Thanks

    J

    Sorry, forgot to add that I use WHM 64.0 build 32.

    #1 johk02, Jul 18, 2017
    Last edited by a moderator: Jul 18, 2017
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    You may have seen a strange file with a long name of capital letters in your account that ends in .txt. This is the verification file, and it has to be browsable. You have to alter your .htaccess to make this file browsable, like http://domain.com/EIOTOIHGGHSFDJKHBFKJVGB.txt (adjust accordingly).
    SSL fails if Comodo or the SSL provider is not able to browse this one and get a proper response from this URL.

  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello,

    The previous post is correct. Your .htaccess file includes several query strings. You may need to disable those redirect rules one by one until you are able to determine which specific rule is the culprit. Here's an example of the URL that needs to be accessible:

    Code:
    HTTP://yourdomain.tld/.well-known/pki-validation/<filename.txt>
    Alternatively, you can ask your hosting provider to enable the following option under the "Domains" tab in "WHM >> Tweak Settings":

    Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

    Per its description:

    Thank you.

  4. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    cPanel Access Level:
    Root Administrator
    As for your .htaccess rules...
    You have not stated which SSL provider is having its validation fail, so it's hard to know what to look for in your .htaccess file.
    That said, if it is Comodo failing then look to the following rule.
    Line 279 has the following rule.
    Code:
    # 5G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    # SetEnvIfNoCase User-Agent ^$ keep_out
    SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
    <limit GET POST PUT>
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
    </limit>
    </IfModule>
    This rule sets the environment variable keep_out if the user-agent string matches comodo.
    It then denies requests for which the environment variable keep_out is set.

    A cPanel knowledge-base article identifies the following user-agent as being used by Comodo in its domain validation HTTP request:
    "GET /4F571E4CB76F46E37B8118CEA1DB42BA.txt HTTP/1.1" 200 53 "-" "COMODO DCV"

    So try deleting comodo from that list of user agents, then try to renew the SSL cert.

    Infopro likes this.
  5. johk02

    johk02 Registered

    Joined:
    Jul 18, 2017
    Location:
    bne
    cPanel Access Level:
    Reseller Owner
    fuzzylogic - Thanks a lot for this.
    Yes, the SSL provider is Comodo.
    What I did was to temporarily revert back to the original .htaccess file, and the certificates have now been updated and installed.
    When I amend the .htaccess file, how can I afterwards test if this is working, i.e. that it allows Comodo?

    Thanks
    JH

  6. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    cPanel Access Level:
    Root Administrator
    To test this you would remove the SSL certificate, then attempt to issue it again.
    I have no experience using cPanel's AutoSSL, so will not attempt to advise you how to do this.
    Maybe someone with more experience could advise you.

    If after testing you find that the # 5G:[USER AGENTS] code block in your .htaccess file is the cause of the Comodo AutoSSL problem, then that block could be removed by unchecking the following checkbox.
    WP Security => Settings => Firewall => 6G Blacklist Firewall Rules => Enable legacy 5G Firewall Protection: (checkbox)

    It looks to me as if the 5G rules were an old version of the 6G rules, so you would not lose much by disabling them.
    The 6G:[USER AGENTS] code block does not include the comodo string, so it should not block the domain validation request.

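A way to check the rule and the validation URL yourself, as an added example that is not part of this thread or of cPanel's tooling: it emulates the `SetEnvIfNoCase User-Agent (...) keep_out` / `Deny from env=keep_out` logic quoted above (an unanchored, case-insensitive regex search, which is why the `comodo` entry catches the `COMODO DCV` user agent the cPanel article names), and it fetches a `/.well-known/pki-validation/<file>.txt` URL with that user agent so you see the same status the validator sees. The local test server, the file name and the token are constructed for the demo; pass your own validation URL on the command line to probe a real site.

```python
"""Emulate the 5G user-agent deny rule and probe a DCV validation URL.

Added example for this thread; not code from cPanel, Comodo or the poster.
"""
import re
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Alternation copied from the 5G:[USER AGENTS] rule quoted in the thread.
FIVE_G_AGENTS = ("binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|"
                 "flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|"
                 "pycurl|skygrid|sucker|turnit|vikspider|zmeu")

# User agent the cPanel knowledge-base article attributes to Comodo's DCV check.
COMODO_DCV_UA = "COMODO DCV"

# Constructed for the local demo: a fake validation file and its content.
DCV_PATH = "/.well-known/pki-validation/EXAMPLEFILENAME.txt"
DCV_TOKEN = "example-dcv-token-not-a-real-value"


def keep_out(user_agent, agents=FIVE_G_AGENTS):
    """Emulate `SetEnvIfNoCase User-Agent (agents) keep_out`.

    SetEnvIfNoCase does an unanchored, case-insensitive regex search, so the
    entry `comodo` matches `COMODO DCV` and the request is then denied.
    """
    return re.search(agents, user_agent, re.IGNORECASE) is not None


def without(agents, name):
    """Return the alternation with one entry removed (the fix suggested above)."""
    return "|".join(a for a in agents.split("|") if a.lower() != name.lower())


def probe_dcv(url, user_agent=COMODO_DCV_UA, timeout=10):
    """GET the validation URL as the CA would; return (status, body).

    A 403 here is exactly what the CA's validator receives when the .htaccess
    rule fires, and the certificate will not be issued.
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


class FakeHtaccessHandler(BaseHTTPRequestHandler):
    """Local stand-in for Apache applying the quoted rule to GET requests."""
    agents = FIVE_G_AGENTS  # demo() swaps this to show the effect of the fix

    def do_GET(self):
        if keep_out(self.headers.get("User-Agent", ""), self.agents):
            self.send_error(403)  # what `Deny from env=keep_out` produces
            return
        if self.path != DCV_PATH:
            self.send_error(404)
            return
        body = DCV_TOKEN.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Run the probe against the local emulation before and after the fix."""
    server = HTTPServer(("127.0.0.1", 0), FakeHtaccessHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d%s" % (server.server_address[1], DCV_PATH)
    results = {}
    FakeHtaccessHandler.agents = FIVE_G_AGENTS
    results["5g_rule"] = probe_dcv(url)[0]            # expected 403
    FakeHtaccessHandler.agents = without(FIVE_G_AGENTS, "comodo")
    results["comodo_removed"] = probe_dcv(url)[0]     # expected 200
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python dcv_check.py http://yourdomain.tld/.well-known/pki-validation/<file>.txt
        status, body = probe_dcv(sys.argv[1])
        print(status, body[:80])
    else:
        print(demo())
```

A 403 from `probe_dcv` with the `COMODO DCV` user agent while a browser user agent gets 200 points at a user-agent rule such as the 5G block; a 404 for both means the validation file itself is not being served at that path. The same one-off check can be typed as `curl -A "COMODO DCV" -i http://yourdomain.tld/.well-known/pki-validation/<file>.txt`.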