SOLVED autossl - subdomain - not creating ssl?

katmai

Well-Known Member
Mar 13, 2006
564
4
168
Brno, Czech Republic
Hey guys, so if this issue is solved, I wasn't able to find it by searching.

1 - I have a domain, which got the SSL alright. Then I added yesterday a subdomain: "forums.domainname.com" and the AutoSSL hasn't created an SSL for it.

Is there any way I can force create it from the CLI or do I have to move the forum to a new account forums.domainname... and let it create the SSL cert?

2 - Is there any CLI at all for the AutoSSL feature, as I find it rather cumbersome to have to wait for it to generate the certificate as opposed to being able to run it from the console? (didn't find anything in the documentation about CLI)
 

katmai

Can anyone tell me if this is a PEBKAC or if what I am asking for really isn't implemented and I should just separate the 2 sites to get the SSL?
 

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator

katmai

ow. silly me not to check the logs:

Code:
5:35:52 AM Checking websites for “example” …
5:35:52 AM The website “forums.example.com”, owned by “example”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
5:35:52 AM The website “example.com”, owned by “example”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.example.com”. The system will attempt to replace this certificate with one that includes this additional domain.
5:35:52 AM WARN The domain “www.forums.example.com” failed domain control validation: “www.forums.example.com” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.
5:35:52 AM WARN The domain “mail.example.com” failed domain control validation: “mail.example.com” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.
5:35:52 AM WARN All of “example.com”’s unsecured domains failed domain control validation. AutoSSL skip this website. at bin/autossl_check.pl line 441.
5:35:52 AM The system will attempt to renew SSL certificates for the following websites:
5:35:52 AM forums.example.com (forums.example.com)
5:35:55 AM ERROR AutoSSL failed to request an SSL certificate for “forums.example.com” because of an error: Cpanel::Exception::cPStoreError/(XID uqzsqn) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request “POST ssl/certificate/free”: Generic exception at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77. Cpanel::Exception::create("cPStoreError", HASH(0x427ee88)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 231 Cpanel::cPStore::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x30db9d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103 Try::Tiny::try(CODE(0x42754e0), Try::Tiny::Catch=REF(0x3d48de0)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 239 Cpanel::cPStore::_request(Cpanel::cPStore::LicenseAuthn=HASH(0x4307d48), "post", "ssl/certificate/free", "item_params", HASH(0x42819c8)) called at /usr/local/cpanel/Cpanel/cPStore.pm line 178 Cpanel::cPStore::post(Cpanel::cPStore::LicenseAuthn=HASH(0x4307d48), "ssl/certificate/free", "item_params", HASH(0x42819c8)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 169 Cpanel::SSL::Auto::Provider::cPanel::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x4264e68), Try::Tiny::Catch=REF(0x4296ae0)) called at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 193 Cpanel::SSL::Auto::Provider::cPanel::renew_ssl_for_vhosts(Cpanel::SSL::Auto::Provider::cPanel=HASH(0x2dbae00), "example", "forums.example.com", ARRAY(0x427ced0)) called at bin/autossl_check.pl line 259 bin::autossl_check::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80 eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71 Try::Tiny::try(CODE(0x41702d0), Try::Tiny::Catch=REF(0x4150d98)) 
called at bin/autossl_check.pl line 266 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/PIDFile.pm line 101 Cpanel::PIDFile::do("Cpanel::PIDFile", "/var/cpanel/autossl_check.pid", CODE(0x2dbb298)) called at bin/autossl_check.pl line 287 bin::autossl_check::_run_maybe_captured("--all") called at bin/autossl_check.pl line 109 bin::autossl_check::__ANON__() called at /usr/local/cpanel/Cpanel/CaptureFH.pm line 50 Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty("/usr/local/cpanel/logs/error_log", CODE(0x2d916d0)) called at bin/autossl_check.pl line 110 bin::autossl_check::run("--all") called at bin/autossl_check.pl line 78
5:35:55 AM The system has completed the AutoSSL check for “example”.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello,

Check to ensure "forums.example.com" resolves to the IP address associated with the cPanel account it's added on.

Your server will automatically order the free signed certificate when the server runs the /usr/local/cpanel/bin/checkallsslcerts tool as part of the upcp maintenance script. However, you can run the script manually if you'd like to see if the error messages still appear:

Code:
/usr/local/cpanel/bin/checkallsslcerts
Please also note the information from the following thread:

Errors from cPanel Store API when requesting autossl certs

Thanks!
 

katmai

Thank you oh generous god. Adding the www entry in the DNS pushed the SSL creation. Thank you.
 

cPanelMichael

I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.
 

Maknet Corp

Member
Jul 14, 2015
24
2
3
Canada
cPanel Access Level
Root Administrator
I have a similar issue with my sub-domain. (I just noticed this new auto-SSL feature today, so I've been playing around with it).

Both sub.domain.com and www.sub.domain.com resolve properly, but I'm unable to install the SSL.

Any other ideas on where I could look? (or logs?)

Thanks.

I'm running: WHM 60.0 (build 25)
In addition, I have other sub.domains.com that work, just not this one. (Self-signing doesn't work either).

Any ideas would be appreciated.
 

cPanelMichael

Hello,

You can find the AutoSSL logs to determine why it failed at:

"WHM >> Manage AutoSSL >> Logs"

Thanks!
 

Maknet Corp

Thanks a lot, I'm a _few_ steps closer (this is to help others as well):

1) I added sub.domain.com, so that the server can find the right IP.

2) I temporarily removed the .htaccess file. I may have fixed this error:

Code:
12:57:43 AM The website “sub.domain.com”, owned by “user”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
12:57:43 AM WARN The domain “sub.domain.com” failed domain control validation: The system queried for a temporary file at “http://sub.domain.com/24803.BIN_AUTOSSL_CHECK_PL__.IFcVwy6u.cpaneldcv”, but the web server responded with the following error: 401 (Unauthorized). A DNS or web server misconfiguration may exist. at bin/autossl_check.pl line 512.
12:57:43 AM WARN The domain “www.sub.domain.com” failed domain control validation: The system queried for a temporary file at “http://www.sub.domain.com/24803.BIN_AUTOSSL_CHECK_PL__.YfLpxrqy.cpaneldcv”, but the web server responded with the following error: 401 (Unauthorized). A DNS or web server misconfiguration may exist. at bin/autossl_check.pl line 512.
3) Oddly enough, when I go to https://sub.example.com, it looks like it's going to the main https://www.example.com and then it errors.

Any other ideas on where to go from here?

I can confirm that the other sub-domains work. Just not these two. It's very confusing.

Thanks,
 

cPanelMichael

Hello @Maknet Corp,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

Maknet Corp

Update: Both SSLs are now working correctly. A few notes for future people to debug:

1) Remove .htaccess authorization because it prevents Auto-SSL from placing a file and verifying the DCV
2) Changed SSL providers from cPanel to Let's Encrypt:
# /scripts/install_lets_encrypt_autossl_provider
3) I also removed some auto-SSLs, assuming that the 100 domain limit is affecting something.

Hope this helps someone and thanks to cPanel for the help!
 

cPanelMichael

Hello,

It's generally a good idea to first review the AutoSSL logs at "WHM >> Manage AutoSSL >> Logs" to determine the specific reason why domain validation failed.

Regarding password-protected directories, you can also exclude Comodo from the .htaccess authorization deny rule with an entry like this within the rule block:

Code:
allow from secure.comodo.net
Thanks!
 

Maknet Corp

For reference, here were the logs before it was corrected. Nothing really jumped out at me as to the correct course of action:
Code:
2:11:49 AM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
2:11:49 AM Checking websites for “domaincorp” …
2:11:53 AM WARN OCSP response failed: internalerror at /usr/local/cpanel/Cpanel/SSL/OCSP.pm line 93.
2:11:59 AM The website “sub.domain.com”, owned by “domaincorp”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
2:11:59 AM The system will attempt to renew SSL certificates for the following websites:
2:11:59 AM sub.domain.com (sub.domain.com www.sub.domain.com)
2:11:59 AM The system has completed the AutoSSL check for “domaincorp”.
2:11:59 AM The system has finished checking 1 user.
 

cPanelMichael

Hello,

You'd have to wait for additional log entries once the validation attempt fails, as indicated with the message referenced in your previous post:

Code:
12:57:43 AM WARN The domain “sub.domain.com” failed domain control validation: The system queried for a temporary file at “http://sub.domain.com/24803.BIN_AUTOSSL_CHECK_PL__.IFcVwy6u.cpaneldcv”, but the web server responded with the following error: 401 (Unauthorized). A DNS or web server misconfiguration may exist. at bin/autossl_check.pl line 512.
Thank you.
 

Maknet Corp

Sorry, I didn't mean to create any confusion. I had two sub-domains with two separate issues.

The log I just posted was for the issue that was corrected using Let's Encrypt.

The log you referenced was due to the .htaccess.

I just posted the logs for completeness. There isn't any issue on my end anymore.

Thanks.
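
Added example (not part of the thread and not cPanel's own tooling): a small Python triage over AutoSSL log text that sorts the failure lines seen in this thread into DNS, HTTP-status and provider errors. The sample lines are constructed by shortening the logs quoted above; the category names and next-step hints are this example's own assumptions.

```python
import re

# Constructed sample, shortened from the AutoSSL log lines quoted in this thread.
SAMPLE_LOG = """\
5:35:52 AM WARN The domain “www.forums.example.com” failed domain control validation: “www.forums.example.com” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.
12:57:43 AM WARN The domain “sub.domain.com” failed domain control validation: The system queried for a temporary file at “http://sub.domain.com/24803.BIN_AUTOSSL_CHECK_PL__.IFcVwy6u.cpaneldcv”, but the web server responded with the following error: 401 (Unauthorized). A DNS or web server misconfiguration may exist. at bin/autossl_check.pl line 512.
5:35:55 AM ERROR AutoSSL failed to request an SSL certificate for “forums.example.com” because of an error: Cpanel::Exception::cPStoreError/(XID uqzsqn) The cPanel Store returned an error (X::Item::ActivationFailure) in response to the request “POST ssl/certificate/free”: Generic exception
5:35:55 AM The system has completed the AutoSSL check for “example”.
"""

QUOTED = r'[“"]([^”"]+)[”"]'  # the log wraps names in curly quotes
DCV_FAIL = re.compile(r'WARN The domain ' + QUOTED +
                      r' failed domain control validation: (.*)')
STORE_FAIL = re.compile(r'ERROR AutoSSL failed to request an SSL certificate for '
                        + QUOTED + r'.*?\((X::[\w:]+)\)')
HTTP_STATUS = re.compile(r'responded with the following error: (\d{3})')


def triage(log_text):
    """Return (domain, category, next_step) for each failure line in an AutoSSL log."""
    findings = []
    for line in log_text.splitlines():
        m = DCV_FAIL.search(line)
        if m:
            domain, detail = m.groups()
            status = HTTP_STATUS.search(detail)
            if 'does not resolve to any IPv4' in detail:
                step = 'add a DNS record pointing the name at the account IP'
                findings.append((domain, 'dns', step))
            elif status:
                # 401 on the DCV file is what password protection produced above.
                step = ('lift or exempt .htaccess password protection'
                        if status.group(1) == '401'
                        else 'check the web server configuration')
                findings.append((domain, 'http-' + status.group(1), step))
            else:
                findings.append((domain, 'dcv-other', 'read the full log entry'))
            continue
        m = STORE_FAIL.search(line)
        if m:  # the certificate provider rejected the order itself
            step = 'provider-side error; re-run checkallsslcerts after DCV is clean'
            findings.append((m.group(1), 'provider:' + m.group(2), step))
    return findings


if __name__ == '__main__':
    for domain, category, step in triage(SAMPLE_LOG):
        print(f'{domain:26} {category:36} {step}')
```

Paste the text from "WHM >> Manage AutoSSL >> Logs" into `triage()` to get one row per failing name instead of reading the stack traces.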
 