AutoSSL unable to renew

mreidgs

Member
Nov 7, 2017
12
2
3
Calgary
cPanel Access Level
Root Administrator
1:55:40 PM WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C0658CFEA061A9D926F37CFD09D62DF5.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

I log into the server via SSH and go look in that directory and there are no .txt files there.

I have 3 different cPanel servers and all the domains I try to renew on these servers are having this same issue.

CentOS 6.9, WHM v68.0.19
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.
Hello,

It looks like access to the DCV file was blocked. Could you let us know the contents of the .htaccess file in the public_html directory of one of the affected accounts? Be sure to replace any real domain names or IP addresses with examples.

Thank you.
 

mreidgs

Code:
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
    # Ban Hosts - Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^x\.x\.x\.x$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^x\.2x\.x\.x$" DenyAccess
    # (bunch of these repeated)

    <IfModule mod_authz_core.c>
        <RequireAll>
            Require all granted
            Require not env DenyAccess
            Require not ip x.x.x.x
            # (bunch of these repeated)
        </RequireAll>
    </IfModule>

    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Deny from env=DenyAccess
        Deny from x.x.x.x
        # (bunch of these repeated)
    </IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php
</IfModule>

# END WordPress
 

cPanelMichael

Hello,

Does this system use EasyApache 4? If so, check to verify "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" is enabled under the "Domains" tab in "WHM >> Tweak Settings". Otherwise, if you are using EasyApache 3, you will need to modify your .htaccess rules to ensure access attempts from Comodo to the ".well-known" directory are not blocked or restricted.

Thank you.
 

cPanelMichael

Hello,

Could you scroll down to the last options listed under the "Domains" tab in "WHM >> Tweak Settings" and upload a screenshot of what you see?

Thank you.
 

cPanelMichael

Hello,

It looks like it's your "Deny" rules as opposed to your Mod_Rewrite rules that are preventing AutoSSL from completing the domain validation process. The rules look similar to what's referenced by another user on the following thread:

AutoSSL: The certificate is not available. (processing)

A workaround is suggested on the above post, so you may want to see if that helps.

As far as the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option, that won't solve this particular issue; however, you should still see the option if you are using cPanel version 68 and EasyApache 4. The fact that it's missing suggests you might be using an older version of cPanel. You can verify the version of cPanel installed with the following command:

Code:
cat /usr/local/cpanel/version
Thank you.
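
An added example, not part of the thread and not cPanel tooling: a static check that flags a document root whose .htaccess carries host-based deny rules like the ones posted above and has no access grant of its own in the DCV directory. The sample .htaccess is constructed (documentation-range IP 192.0.2.10), the function names are hypothetical, and treating a grant in `.well-known/pki-validation/.htaccess` as an override is an assumption to confirm against the server's Apache version.

```shell
#!/bin/sh
# Static check only: reads .htaccess files, sends no requests.

# Count host-based deny directives (the kind the "Ban Hosts" block writes).
count_deny_rules() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cEi '^[[:space:]]*(Deny[[:space:]]+from|Require[[:space:]]+not)[[:space:]]' "$1" || true
}

# Succeed if the DCV directory has its own .htaccess that grants access.
# Assumption: the more specific .htaccess replaces the parent's host rules
# (Apache 2.4 default "AuthMerging Off"); verify on the server in question.
has_dcv_override() {
    f="$1/.well-known/pki-validation/.htaccess"
    [ -f "$f" ] && grep -qEi \
        '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+granted|Allow[[:space:]]+from[[:space:]]+all)' "$f"
}

# check_docroot DIR -> prints ok | override | at-risk
check_docroot() {
    n=$(count_deny_rules "$1/.htaccess")
    if [ "$n" -eq 0 ]; then echo ok
    elif has_dcv_override "$1"; then echo override
    else echo at-risk
    fi
}

# Constructed sample: a docroot with ban rules shaped like those in the thread.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/.htaccess" <<'EOF'
SetEnvIF REMOTE_ADDR "^192\.0\.2\.10$" DenyAccess
<IfModule mod_authz_core.c>
  <RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 192.0.2.10
  </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
  Order allow,deny
  Deny from env=DenyAccess
  Deny from 192.0.2.10
</IfModule>
EOF
    echo "$d"
}

s=$(make_sample)
echo "deny rules: $(count_deny_rules "$s/.htaccess"), status: $(check_docroot "$s")"
rm -rf "$s"
```

An "at-risk" result means only that deny rules exist with no grant for the DCV path; whether a given validation request is actually refused depends on the requesting address and the rules in effect.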