AutoSSL unable to renew

mreidgs · Dec 12, 2017

1:55:40 PM WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C0658CFEA061A9D926F37CFD09D62DF5.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

I log into the server via SSH and go look in that directory and there are no .txt files there.

I have 3 different cPanel servers and all the domains I try to renew on these servers are having this same issue.

CentOS 6.9, WHM v68.0.19

cPanelMichael · Dec 12, 2017

mreidgs said: ↑

403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.
Click to expand...

Hello,

It looks like access to the DCV file was blocked. Could you let us know the contents of the .htaccess file in one of the affected account's public_html directory? Ensure to replace any real domain names or IP addresses with examples.

Thank you.

mreidgs · Dec 13, 2017

Code:

# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
   # Ban Hosts - Security > Settings > Banned Users
   SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-FORWARDED-FOR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-CLUSTER-CLIENT-IP "^x\.2x\.x\.x$" DenyAccess
**bunch of these repeated**

     <IfModule mod_authz_core.c>
       <RequireAll>
           Require all granted
           Require not env DenyAccess
           Require not ip x.x.x.x
**bunch of these repeated**
       </RequireAll>
   </IfModule>
 
<IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
       Deny from env=DenyAccess
       Deny from x.x.x.x
**bunch of these repeated**
   </IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php
</IfModule>

# END WordPress

cPanelMichael · Dec 13, 2017

Hello,

Does this system use EasyApache 4? If so, check to verify "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" is enabled under the "Domains" tab in "WHM >> Tweak Settings". Otherwise, if you are using EasyApache 3, you will need to modify your .htaccess rules to ensure access attempts from Comodo to the ".well-known" directory are not blocked or restricted.

Thank you.

mreidgs · Dec 14, 2017

I'm looking at a server using EA4 and I do not see that setting in Tweak settings.

cPanelMichael · Dec 15, 2017

mreidgs said: ↑

I'm looking at a server using EA4 and I do not see that setting in Tweak settings.
Click to expand...

What version of cPanel is installed on this server? Are you logged in via WHM as root?

Thank you.

mreidgs · Dec 19, 2017

v68.0.20 and logged in as root.

cPanelMichael · Dec 19, 2017

Hello,

Could you scroll down to the last options listed under the "Domains" tab in "WHM >> Tweak Settings" and upload a screenshot of what you see?

Thank you.

mreidgs · Dec 19, 2017

Here is a screenshot.

What specifically would I add to .htaccess so that access to ".well-known" directory is not blocked?

cPanelMichael · Dec 19, 2017

mreidgs said: ↑
Code:
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
   # Ban Hosts - Security > Settings > Banned Users
   SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-FORWARDED-FOR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-CLUSTER-CLIENT-IP "^x\.2x\.x\.x$" DenyAccess
**bunch of these repeated**

     <IfModule mod_authz_core.c>
       <RequireAll>
           Require all granted
           Require not env DenyAccess
           Require not ip x.x.x.x
**bunch of these repeated**
       </RequireAll>
   </IfModule>
 
<IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
       Deny from env=DenyAccess
       Deny from x.x.x.x
**bunch of these repeated**
   </IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php
</IfModule>

# END WordPress
Click to expand...
Hello,

It looks like it's your "Deny" rules as opposed to your Mod_Rewrite rules that are preventing AutoSSL from completing the domain validation process. The rules look similar to what's referenced by another user on the following thread:

AutoSSL: The certificate is not available. (processing)

A workaround is suggested on the above post, so you may want to see if that helps.

As far as the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option, that won't solve this particular issue, however you should still see the option if you are using cPanel version 68 and EasyApache 4. The fact that it's missing suggests you might be using an older version of cPanel. You can verify the version of cPanel installed with the following command:
Code:
cat /usr/local/cpanel/version
Thank you.

mreidgs · Dec 20, 2017

Looking into this solution.

Thanks.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

AutoSSL unable to renew

mreidgs Member

cPanelMichael Technical Support Community Manager
Staff Member

mreidgs Member

cPanelMichael Technical Support Community Manager
Staff Member

mreidgs Member

cPanelMichael Technical Support Community Manager
Staff Member

mreidgs Member

cPanelMichael Technical Support Community Manager
Staff Member

mreidgs Member

Attached Files:

tweaksettingsjpg.jpg

cPanelMichael Technical Support Community Manager
Staff Member

mreidgs Member

AutoSSL certificate is unable to be renewed without reduction in coverage

AutoSSL unable to replace certificate - failed domain control validation

unable to delete nobody hostname autossl

SOLVED Unable to generate AutoSSL for accounts

SOLVED AutoSSL update error

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

AutoSSL unable to renew

mreidgs Member

cPanelMichael Technical Support Community Manager Staff Member

mreidgs Member

cPanelMichael Technical Support Community Manager Staff Member

mreidgs Member

cPanelMichael Technical Support Community Manager Staff Member

mreidgs Member

cPanelMichael Technical Support Community Manager Staff Member

mreidgs Member

Attached Files:

tweaksettingsjpg.jpg

cPanelMichael Technical Support Community Manager Staff Member

mreidgs Member

AutoSSL certificate is unable to be renewed without reduction in coverage

AutoSSL unable to replace certificate - failed domain control validation

unable to delete nobody hostname autossl

SOLVED Unable to generate AutoSSL for accounts

SOLVED AutoSSL update error

Share This Page

cPanelMichael Technical Support Community Manager
Staff Member

cPanelMichael Technical Support Community Manager
Staff Member

cPanelMichael Technical Support Community Manager
Staff Member

cPanelMichael Technical Support Community Manager
Staff Member

cPanelMichael Technical Support Community Manager
Staff Member