AutoSSL provider could not renew the SSL certificate

Discussion in 'Security' started by chrismfz, Dec 8, 2017.

  1. chrismfz

    chrismfz Well-Known Member

    Joined:
    Jul 4, 2007
    Messages:
    125
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    Greece
    cPanel Access Level:
    DataCenter Provider
    It seems like the last month or so I am getting multiple e-mails from customers asking why subdomains like those mentioned (autodiscover/webmail/cpanel/webdisk) are failing AutoSSL renewal.

    Indeed even in personal and test accounts I have I am getting mails like this:

    AutoSSL did not renew the certificate for “my-domain”. You must take action to keep this site secure.
    Code:
    The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:        
    
    webmail.my-domain [ Last AutoSSL Run at “2017-12-08 at 22:35:12 UTC” ]
    The system failed to fetch the DCV (Domain Control Validation) file at “http://webmail./.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://webmail./.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt” because of an error: Unexpected end of stream while looking for line
    
    cpanel.my-domain [ Last AutoSSL Run at “2017-12-08 at 22:35:12 UTC” ]
    The system failed to fetch the DCV (Domain Control Validation) file at “http://cpanel./.well-known/pki-validation/280FCD577ACB51C8EC3BCCB375C453AF.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://cpanel/.well-known/pki-validation/280FCD577ACB51C8EC3BCCB375C453AF.txt” because of an error: Unexpected end of stream while looking for line
    .
    
    Same for autodiscover and webdisk too. For multiple accounts on different servers.

    All servers are EA4 and I've checked Global rewrite is on.
    (Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) [?] On)

    Did some digging and changed a few things (I had for example .htaccess optimization off, switched it to home, had Indexes OFF, switched it On) but with no luck. Subdomains are still failing DCV, and from the console I am getting:

    AutoSSL will defer the renewal of “my-domain”’s certificate because 4 domains (cpanel.my-domain, webdisk.my-domain, webmail.my-domain, and autodiscover.my-domain) that the current certificate secures failed DCV. If AutoSSL renewed the certificate now, those domains would lose SSL coverage. AutoSSL will defer “my-domain”’s certificate renewal until 12/11/17


    No engintron or any other plugins on domains. Pure EasyApache 4 only.
    All cPanel servers are on stable tier.v68.0.19
     
    #1 chrismfz, Dec 8, 2017
    Last edited by a moderator: Dec 8, 2017
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,483
    Likes Received:
    31
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    If the DNS entries are missing for the proxy subdomains, you can force them to be added with the following command:

    Code:
    /scripts/checkproxysubdomains --force
    
    Code:
    # /scripts/checkproxysubdomains --help
    Usage:
        checkproxysubdomains [options]
    
            Options:
              --help        Brief help message
              --man         Full help message
              --force       Rerun configuration even if previously done
    
     
  3. chrismfz

    chrismfz Well-Known Member

    Hello there. That's not the issue. I've checked all the subdomains, they work.
    After ~10 tries with "./autossl_check --user=user-here" it worked for all subdomains except one, webdisk, which of course exists.
    With the same error

    because of an error: Unexpected end of stream while looking for line
    . at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 302.

    But that's not the only issue: customers are wondering what this notification is and why it's failing, filing multiple support tickets.
    I disabled notifications as a "solution" just wondering if this happened again before.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,934
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @chrismfz,

    Here's a link to a blog post and forums thread where the new AutoSSL notifications in cPanel version 68 are discussed:

    New SSL Notifications in v68 | cPanel Blog
    SSL Notifications in cPanel 68

    As far as the AutoSSL validation failures, do you have any custom Mod_Security rules enabled on this system? If so, check to see if it's a Mod_Security rule that's blocking the AutoSSL validation request. For instance, in the AutoSSL failure notification, you will see a reference to a .txt file (e.g. 00DA63E2744526D6F1D135BFD1485184.txt in the example you posted). You can search for the specific file name in your /etc/apache2/logs/modsec_audit.log file with a command like this:

    Code:
    grep 00DA63E2744526D6F1D135BFD1485184.txt /etc/apache2/logs/modsec_audit.log
    This should help determine if it's a Mod_Security rule that's blocking the request. Feel free to open a support ticket using the link in my signature if you can't find anything and would like us to take a closer look.

    Thank you.
     
  5. chrismfz

    chrismfz Well-Known Member

    I am not getting any output on error_log / modsec log.

    Code:
    [root@saturn logs]# grep "1BE66A1525109767BBCAA2860264E7FE.txt" *
    grep: archive: Is a directory
    grep: domlogs: Is a directory
    grep: lsapisock: Is a directory
    grep: mod_evasive: Is a directory
    grep: modsec_audit: Is a directory
    [root@saturn logs]# grep "1BE66A1525109767BBCAA2860264E7FE.txt" */*
    
    I am getting 404 for those .txt files.
    The requested URL /.well-known/pki-validation/1BE66A1525109767BBCAA2860264E7FE.txt was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    And if modsec was enabled or a rule is blocking the certification it would block it everywhere.
    I usually see only cPanel's domains blocked (autodiscover,mail,webmail,cpanel).

    Eventually I will get the CRT but not for all subdomains. But all other subdomains are valid, have A/CNAME records and they are working.

    Example, in the screenshot all subdomains are working. But most of them didn't get a certificate.
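
An added example (not part of the thread and not cPanel code): it extracts every DCV file name from an AutoSSL notification and searches a log directory recursively, so hits below directories such as modsec_audit are found at any depth. The function names, the example.test host names and the log tree are assumptions constructed for the demo; on a live server the directory would be /etc/apache2/logs.

```shell
#!/usr/bin/env bash
# Added example, not cPanel code. All sample data below is constructed.

# Print the unique DCV file names mentioned in an AutoSSL notification (stdin).
dcv_files() {
  grep -oE '/\.well-known/pki-validation/[0-9A-F]{32}\.txt' | sed 's|.*/||' | sort -u
}

# For each DCV file name on stdin, print "<name> <log file>" for every file
# under the directory $1, at any depth, that mentions it.
# -r recurses into subdirectories, -l lists matching files, -F matches literally.
dcv_log_hits() {
  local logdir name
  logdir=$1
  while IFS= read -r name; do
    grep -rlF -- "$name" "$logdir" 2>/dev/null | sort | sed "s|^|$name |"
  done
}

# Constructed notification excerpt in the format quoted in the thread.
SAMPLE_NOTICE='failed to fetch the DCV file at "http://webmail.example.test/.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt"
failed to send an HTTP "GET" request to "http://webmail.example.test/.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt"
failed to fetch the DCV file at "http://cpanel.example.test/.well-known/pki-validation/280FCD577ACB51C8EC3BCCB375C453AF.txt"'

# Build a constructed log tree with one hit three levels deep and one in domlogs,
# run the search, and print paths relative to the tree root.
demo() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/modsec_audit/20171208/20171208-2235" "$d/domlogs"
  echo 'GET /.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt HTTP/1.1' \
    > "$d/modsec_audit/20171208/20171208-2235/constructed-entry"
  echo '"GET /.well-known/pki-validation/280FCD577ACB51C8EC3BCCB375C453AF.txt HTTP/1.1" 404' \
    > "$d/domlogs/example.test"
  printf '%s\n' "$SAMPLE_NOTICE" | dcv_files | dcv_log_hits "$d" | sed "s| $d/| |"
  rm -rf "$d"
}

demo
```

A name that produces no output was not logged anywhere under the directory, which points away from a logged Mod_Security block for that request.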
     

  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     