AutoSSL unable to renew

[mreidgs]

1:55:40 PM WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C0658CFEA061A9D926F37CFD09D62DF5.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

I log into the server via SSH and go look in that directory and there are no .txt files there.

I have 3 different cPanel servers and all the domains I try to renew on these servers are having this same issue.

CentOS 6.9, WHM v68.0.19

 

[cPanelMichael]

403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

Hello,

It looks like access to the DCV file was blocked. Could you let us know the contents of the .htaccess file in one of the affected account's public_html directory? Ensure to replace any real domain names or IP addresses with examples.

Thank you.

 

[mreidgs]

# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
   # Ban Hosts - Security > Settings > Banned Users
   SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-FORWARDED-FOR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-CLUSTER-CLIENT-IP "^x\.2x\.x\.x$" DenyAccess
**bunch of these repeated**

     <IfModule mod_authz_core.c>
       <RequireAll>
           Require all granted
           Require not env DenyAccess
           Require not ip x.x.x.x
**bunch of these repeated**
       </RequireAll>
   </IfModule>
 
<IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
       Deny from env=DenyAccess
       Deny from x.x.x.x
**bunch of these repeated**
   </IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php
</IfModule>

# END WordPress

 

[cPanelMichael]

Hello,

Does this system use EasyApache 4? If so, check to verify "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" is enabled under the "Domains" tab in "WHM >> Tweak Settings". Otherwise, if you are using EasyApache 3, you will need to modify your .htaccess rules to ensure access attempts from Comodo to the ".well-known" directory are not blocked or restricted.

Thank you.

 

[mreidgs]

I'm looking at a server using EA4 and I do not see that setting in Tweak settings.

 

[cPanelMichael]

I'm looking at a server using EA4 and I do not see that setting in Tweak settings.

What version of cPanel is installed on this server? Are you logged in via WHM as root?

Thank you.

 

[mreidgs]

v68.0.20 and logged in as root.

 

[cPanelMichael]

Hello,

Could you scroll down to the last options listed under the "Domains" tab in "WHM >> Tweak Settings" and upload a screenshot of what you see?

Thank you.

 

[mreidgs]

Here is a screenshot.

What specifically would I add to .htaccess so that access to ".well-known" directory is not blocked?

 

[cPanelMichael]

# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
   # Ban Hosts - Security > Settings > Banned Users
   SetEnvIF REMOTE_ADDR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-FORWARDED-FOR "^x\.x\.x\.x$" DenyAccess
   SetEnvIF X-CLUSTER-CLIENT-IP "^x\.2x\.x\.x$" DenyAccess
**bunch of these repeated**

     <IfModule mod_authz_core.c>
       <RequireAll>
           Require all granted
           Require not env DenyAccess
           Require not ip x.x.x.x
**bunch of these repeated**
       </RequireAll>
   </IfModule>
 
<IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
       Deny from env=DenyAccess
       Deny from x.x.x.x
**bunch of these repeated**
   </IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php
</IfModule>

# END WordPress

Hello,

It looks like it's your "Deny" rules as opposed to your Mod_Rewrite rules that are preventing AutoSSL from completing the domain validation process. The rules look similar to what's referenced by another user on the following thread:

AutoSSL: The certificate is not available. (processing)

A workaround is suggested on the above post, so you may want to see if that helps.

As far as the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option, that won't solve this particular issue, however you should still see the option if you are using cPanel version 68 and EasyApache 4. The fact that it's missing suggests you might be using an older version of cPanel. You can verify the version of cPanel installed with the following command:

cat /usr/local/cpanel/version

Thank you.

 

[mreidgs]

Looking into this solution.

Thanks.