AutoSSL unable to renew

Discussion in 'Security' started by mreidgs, Dec 12, 2017.

  1. mreidgs

    mreidgs Member

    Joined:
    Nov 7, 2017
    Messages:
    12
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Calgary
    cPanel Access Level:
    Root Administrator
    1:55:40 PM WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C0658CFEA061A9D926F37CFD09D62DF5.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

    I log into the server via SSH and go look in that directory and there are no .txt files there.

    I have 3 different cPanel servers and all the domains I try to renew on these servers are having this same issue.

    CentOS 6.9, WHM v68.0.19
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,437
    Likes Received:
    1,608
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It looks like access to the DCV file was blocked. Could you let us know the contents of the .htaccess file in the public_html directory of one of the affected accounts? Be sure to replace any real domain names or IP addresses with examples.

    Thank you.
     
  3. mreidgs

    Code:
    # BEGIN iThemes Security - Do not modify or remove this line
    # iThemes Security Config Details: 2
       # Ban Hosts - Security > Settings > Banned Users
       SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
       SetEnvIF X-FORWARDED-FOR "^x\.x\.x\.x$" DenyAccess
       SetEnvIF X-CLUSTER-CLIENT-IP "^x\.2x\.x\.x$" DenyAccess
    **bunch of these repeated**
    
         <IfModule mod_authz_core.c>
           <RequireAll>
               Require all granted
               Require not env DenyAccess
               Require not ip x.x.x.x
    **bunch of these repeated**
           </RequireAll>
       </IfModule>
     
    <IfModule !mod_authz_core.c>
           Order allow,deny
           Allow from all
           Deny from env=DenyAccess
           Deny from x.x.x.x
    **bunch of these repeated**
       </IfModule>
    # END iThemes Security - Do not modify or remove this line
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule . /index.php
    </IfModule>
    
    # END WordPress
     
    #3 mreidgs, Dec 13, 2017
    Last edited by a moderator: Dec 19, 2017
  4. cPanelMichael

    Hello,

    Does this system use EasyApache 4? If so, check to verify "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" is enabled under the "Domains" tab in "WHM >> Tweak Settings". Otherwise, if you are using EasyApache 3, you will need to modify your .htaccess rules to ensure access attempts from Comodo to the ".well-known" directory are not blocked or restricted.

    Thank you.
     
  5. mreidgs

    I'm looking at a server using EA4 and I do not see that setting in Tweak settings.
     
  6. cPanelMichael

    What version of cPanel is installed on this server? Are you logged in via WHM as root?

    Thank you.
     
  7. mreidgs

    v68.0.20 and logged in as root.
     
  8. cPanelMichael

    Hello,

    Could you scroll down to the last options listed under the "Domains" tab in "WHM >> Tweak Settings" and upload a screenshot of what you see?

    Thank you.
     
  9. mreidgs

    Here is a screenshot.

    What specifically would I add to .htaccess so that access to ".well-known" directory is not blocked?
     


  10. cPanelMichael

    Hello,

    It looks like it's your "Deny" rules as opposed to your Mod_Rewrite rules that are preventing AutoSSL from completing the domain validation process. The rules look similar to what's referenced by another user on the following thread:

    AutoSSL: The certificate is not available. (processing)

    A workaround is suggested on the above post, so you may want to see if that helps.

    As far as the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option, that won't solve this particular issue; however, you should still see the option if you are using cPanel version 68 and EasyApache 4. The fact that it's missing suggests you might be using an older version of cPanel. You can verify the version of cPanel installed with the following command:

    Code:
    cat /usr/local/cpanel/version
    Thank you.
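
Added example (not part of any post in this thread, and not cPanel code): a triage of the AutoSSL warning from the first post against the rewrite exclusions and deny-style rules in the posted .htaccess. The function names and the three `suspect` labels are assumptions, and the "403 plus deny rules" heuristic only indicates which rule family to inspect first.

```python
import re
from urllib.parse import urlsplit

# The AutoSSL warning quoted in the first post (trailing sentence omitted).
SAMPLE_LOG = ('1:55:40 PM WARN The domain “example.com” failed domain control '
              'validation: The system queried for a temporary file at '
              '“http://example.com/.well-known/pki-validation/'
              'C0658CFEA061A9D926F37CFD09D62DF5.txt”, but the web server '
              'responded with the following error: 403 (Forbidden).')

# Constructed sample: a shortened form of the .htaccess posted in the thread.
SAMPLE_HTACCESS = r'''
SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
<RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip x.x.x.x
</RequireAll>
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php
'''

LOG_RE = re.compile(r'domain “(?P<domain>[^”]+)” failed domain control validation'
                    r'.*?file at “(?P<url>[^”]+)”.*?error: (?P<status>\d{3})')
EXCLUDE_RE = re.compile(r'^\s*RewriteCond\s+%\{REQUEST_URI\}\s+!(.+?)\s*$', re.I)
ACCESS_RE = re.compile(r'^\s*((?:Require\s+not|Deny\s+from)\s+.+?)\s*$', re.I)

def parse_dcv_failure(line):
    """Extract domain, probed URL and HTTP status from one AutoSSL warning."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"domain": m["domain"], "url": m["url"], "status": int(m["status"])}

def triage(log_line, htaccess):
    """Hypothetical helper: decide which .htaccess rule family to inspect first."""
    fail = parse_dcv_failure(log_line)
    if fail is None:
        return None
    path = urlsplit(fail["url"]).path
    lines = htaccess.splitlines()
    # Is the probed path covered by one of the negated REQUEST_URI conditions?
    excluded = any(re.search(m[1], path) for ln in lines if (m := EXCLUDE_RE.match(ln)))
    # Deny-style rules apply to every path in the directory, DCV files included.
    access_rules = [m[1] for ln in lines if (m := ACCESS_RE.match(ln))]
    if fail["status"] == 403 and access_rules:
        suspect = "access-control"
    elif not excluded:
        suspect = "rewrite"
    else:
        suspect = "other"
    return {**fail, "path_excluded_from_rewrite": excluded,
            "access_rules": access_rules, "suspect": suspect}
```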
     
  11. mreidgs

    Looking into this solution.

    Thanks.
     