The Community Forums


AutoSSL Renewal Failure Due to CDN

Discussion in 'Security' started by livingmiracles, Jul 20, 2017.

  1. livingmiracles

    cPanel Access Level:
    Root Administrator
    Hello,

    I have a number of sites using Let's Encrypt certificates via AutoSSL. I believe the auto-renewals are failing because the websites' DNS all routes through SiteLock's CDN (provided by Incapsula). The Incapsula IP being used in the DNS for this particular site is 107.154.149.111, which essentially replaces my server IP. Here is the relevant notification from the log:

    Code:
    12:28:03 AM The website “aesculapius.net”, owned by “aesculnet”, has a faulty SSL certificate (NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    12:28:03 AM WARN The domain “aesculapius.net” failed domain control validation: The content “<html><head><META NAME="robots" CONTENT="noindex,nofollow"><script src="/_Incapsula_Resource?SWJIYLWA=2977d8d74f63d7f8fedbea018b” of the DCV file, as accessed at “http://aesculapius.net/.well-known/acme-challenge/2JJ_G10CQQEX7-TJO4B54ET-XYB1AMN-”, did not match the expected value. The domain “aesculapius.net” resolved to an IP address “107.154.149.111” that does not exist on this server.
    Obviously, I can switch the DNS temporarily to bypass the CDN and renew the certificate myself, but I would very much like to have this process be automated since I have quite a few sites in this scenario. So, I'm hoping someone might have a clever idea of how to tweak a setting somewhere so that the auto-renewal process doesn't result in failure.

    Thank you,
    JP
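The log above shows the two things AutoSSL's local pre-check looks at before it asks the CA for a renewal: whether the domain resolves to an address on this server, and whether the body served at /.well-known/acme-challenge/<token> is the expected value. The following diagnostic is an added example (not cPanel's code) that reproduces those checks so an admin can run it across many sites and see which ones are failing because a CDN is answering instead of the origin. The resolver and HTTP fetcher are injectable so the classification logic runs offline; the "_Incapsula_Resource" marker comes from the log above, the other two markers, the domain example.net, the token, and the addresses 203.0.113.10 and 198.51.100.7 are constructed for illustration.

```python
import socket
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Strings whose presence means a CDN/WAF interstitial (bot check, JS challenge)
# was served instead of the origin's challenge file. "_Incapsula_Resource" is
# taken from the AutoSSL log above; the other two are assumed markers.
CDN_INTERSTITIAL_MARKERS = ("_Incapsula_Resource", "__cf_chl", "cf-browser-verification")


@dataclass
class DcvResult:
    domain: str
    resolved_ip: str
    ip_is_local: bool
    content_matches: bool
    cdn_interstitial: bool

    @property
    def verdict(self) -> str:
        """Collapse the observations into one reason, most specific first."""
        if self.content_matches:
            return "OK"
        if self.cdn_interstitial:
            return "CDN_INTERSTITIAL"
        if not self.ip_is_local:
            return "RESOLVES_OFF_SERVER"
        return "CONTENT_MISMATCH"


def default_resolve(domain: str) -> str:
    """A-record lookup as the validating client would do it; "" if it does not resolve."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return ""


def default_fetch(url: str, timeout: float = 10.0) -> str:
    """Plain HTTP GET of the challenge URL; the first 4 KiB is enough to compare."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(4096).decode("utf-8", "replace")


def check_dcv(domain: str, token: str, expected_body: str, local_ips: Iterable[str],
              resolve: Callable[[str], str] = default_resolve,
              fetch: Callable[[str], str] = default_fetch) -> DcvResult:
    """Run the two pre-checks for one domain and record what was observed."""
    ip = resolve(domain)
    try:
        body = fetch(f"http://{domain}{CHALLENGE_PATH}{token}")
    except Exception:  # refused, timed out, or an HTTP error page: nothing usable was served
        body = ""
    return DcvResult(
        domain=domain,
        resolved_ip=ip,
        ip_is_local=ip in set(local_ips),
        content_matches=body.strip() == expected_body,
        cdn_interstitial=any(marker in body for marker in CDN_INTERSTITIAL_MARKERS),
    )


def failing_domains(results: Iterable[DcvResult]) -> List[Tuple[str, str]]:
    """(domain, verdict) for every result that would make AutoSSL skip renewal."""
    return [(r.domain, r.verdict) for r in results if r.verdict != "OK"]


if __name__ == "__main__":
    # Constructed offline demo: a domain fronted by a CDN (the address from the
    # log above) that answers the challenge URL with a bot-check page.
    interstitial = ('<html><head><META NAME="robots" CONTENT="noindex,nofollow">'
                    '<script src="/_Incapsula_Resource?SWJIYLWA=placeholder">')
    result = check_dcv("example.net", "TOKEN", "TOKEN.THUMBPRINT", ["203.0.113.10"],
                       resolve=lambda d: "107.154.149.111", fetch=lambda u: interstitial)
    print(result.domain, result.resolved_ip, result.verdict)  # example.net 107.154.149.111 CDN_INTERSTITIAL
```

Against a live server, pass the box's real addresses as `local_ips` and the default resolver and fetcher; a CDN_INTERSTITIAL verdict tells you no .htaccess change on the origin will help, because the origin never saw the request.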
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    AutoSSL validation should still succeed in cases where a domain name uses a CDN service (e.g. CloudFlare) [Edited to add: This is only the case with cPanel-signed certificates from Comodo. It does not apply to Let's Encrypt]. Could you let us know the contents of the .htaccess file in the document root of the affected domain name? Ensure to replace any real domain names or IP addresses with examples.

    Thank you.
     
    #2 cPanelMichael, Jul 20, 2017
    Last edited: Jul 26, 2017
  3. livingmiracles

    cPanel Access Level:
    Root Administrator
    Hi Michael,

    Certainly, here it is:

    Code:
    # Use Vary header for compression only
    Header unset Vary
    Header set Vary "Accept-Encoding"
    
    # Require SiteLock IP ranges
    RewriteCond expr "!(-R '199.xx.xxx.0/21' || -R '198.xxx.xx.0/19' || -R '149.xxx.xx.0/21' || -R '103.xx.xxx.0/22' || -R '45.xx.xx.0/22' || -R '185.xx.xxx.0/22' || -R '192.xxx.xx.0/18' || -R '107.xxx.x.0/16' || -R '45.xx.x.0/16' || -R '45.xxx.x.0/16' || -R '2a02:xxxx::/29')"
    RewriteRule ^ - [F]
    
    # Send to non-www version and redirect HTTP to HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteCond %{HTTP_HOST} ^www\.example\.net [NC]
    RewriteRule ^(.*)$ https://example\.net/$1 [R=301,L]
    
    # php -- BEGIN cPanel-generated handler, do not edit
    # NOTE this account's php is controlled via FPM and the vhost, this is a place holder.
    # Do not edit. This next line is to support the cPanel php wrapper (php_cli).
    # AddType application/x-httpd-ea-php70 .php .phtml
    # php -- END cPanel-generated handler, do not edit
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     
  5. livingmiracles

    cPanel Access Level:
    Root Administrator
    Gladly, thank you for the offer. I have just submitted the ticket (#8733213).
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    To update, it was determined the use of a CDN such as CloudFlare will prevent Let's Encrypt from successfully validating the domain name. The implementation of the following feature request would allow this to work:

    AutoSSL: DNS challenge validation

    I encourage anyone wanting to use AutoSSL with Let's Encrypt and a CDN to vote for this request.

    Thank you.
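The reason a DNS challenge sidesteps the CDN is visible in how the two ACME challenge types are answered. The following added example (not cPanel's or Let's Encrypt's code) derives both responses from the same token and account-key thumbprint as RFC 8555 specifies: HTTP-01 requires the CA to fetch a file over HTTP from whatever the hostname resolves to, which behind a CDN is the CDN, while DNS-01 only requires a TXT record at _acme-challenge.<domain>, so no request ever has to reach the origin. The thumbprint follows RFC 7638; the JWK coordinates, token and domain example.net are constructed placeholders, and the two validate_* functions model the CA-side comparison rather than any real CA's code.

```python
import base64
import hashlib
import json
from typing import Iterable, Tuple

# JWK members RFC 7638 includes in the thumbprint for each key type
# (serialised in lexicographic order with no whitespace; other members are ignored).
REQUIRED_JWK_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an ACME account key."""
    members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """token || '.' || thumbprint, the value both challenge types are built from."""
    return f"{token}.{thumbprint}"


def http01_response(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """(URL the CA fetches, body it must receive). The request follows the A record,
    so with a CDN in front the CDN, not the origin, answers it."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}",
            key_authorization(token, thumbprint))


def dns01_record(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """(TXT record name, TXT value) the CA looks up; nothing is fetched over HTTP."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


def validate_http01(body: str, token: str, thumbprint: str) -> bool:
    """CA-side check: the body, ignoring trailing whitespace, equals the key authorization."""
    return body.rstrip() == key_authorization(token, thumbprint)


def validate_dns01(txt_values: Iterable[str], domain: str, token: str, thumbprint: str) -> bool:
    """CA-side check: some TXT record at _acme-challenge.<domain> carries the expected digest."""
    _, expected = dns01_record(domain, token, thumbprint)
    return expected in set(txt_values)


if __name__ == "__main__":
    # Constructed account key (placeholder coordinates) and token.
    jwk = {"kty": "EC", "crv": "P-256", "x": "cXhhbXBsZS14", "y": "ZXhhbXBsZS15"}
    thumb = jwk_thumbprint(jwk)
    print("HTTP-01 :", *http01_response("example.net", "TOKEN", thumb))
    print("DNS-01  :", *dns01_record("example.net", "TOKEN", thumb))
```

With DNS-01 the only thing the CDN can interfere with is DNS itself, which is why the validation succeeds even when every HTTP request to the hostname lands on the CDN's bot-check page.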
     