AutoSSL unable to replace certificate - failed domain control validation

nivekau

AutoSSL is unable to replace an expired certificate. The log shows a bunch of errors like these;
Code:
 4:11:00 PM WARN The domain “*****.com.au” failed domain control validation: The system queried for a temporary file at “http://*****.com.au/.well-known/pki-validation/B4CA6D73F49FCDB3A6261716272CC13B.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 4:11:01 PM WARN The domain “whm.*****.com.au” failed domain control validation: The system queried for a temporary file at “http://whm.*****.com.au/.well-known/pki-validation/C3E25B0D11F2C6EB4D8BB998BAD5CF8F.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
Please advise how to fix this.
 

24x7server

Hi,

AutoSSL first validates by creating a temporary link; it does this to make sure the domain is pointing to the correct server, and only then does it proceed. You have to browse to the validation link to see if it works, and if it does not work, you will have to check the .htaccess in your account to see if that is blocking it from being browsed.
 

nivekau

Okay. Thanks. On this particular site access to the site was restricted in the .htaccess file because it's a development site. I commented out the auth section of the .htaccess file and ran the AutoSSL "check" for this user in WHM.

It inserted the following mod rewrite conditions into my .htaccess file in each section where rewrite conditions already existed;

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

So this is what my .htaccess file looks like now;

RewriteEngine on

# only rewrite if the file or directory doesn't exist
# and if we're not viewing the homepage

RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^.*$ /engine.php [L]
# AuthType Basic
# AuthName "private"
# AuthUserFile "/home/worknews/.htpasswds/public_html/passwd"
# require valid-user

The folders .well-known/pki-validation/ exist, but there is no file in the pki-validation folder and it does not appear that the expired certificate has been replaced - I am still getting a certificate expiry warning in Firefox.
 

cPanelLauren

Hi @nivekau


We created the following troubleshooting guide for issues with AutoSSL:

AutoSSL Troubleshooting Steps

Does the following curl request return anything?

Code:
curl -k --user-agent "COMODO DCV" http://example.com/.well-known/pki-validation/hash.txt
 

nivekau

This is what the curl request returns (logged into the relevant cPanel user account using PuTTY):
Code:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
        <head>
                <title>404 - Not Found</title>
        </head>
        <body>
                <h1>404 - Not Found</h1>
        </body>
</html>
 

nivekau

Also, I ran the curl command exactly as it was. If I run it and substitute example.com for my domain, this is what I get back;
Code:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://----------.com.au/.well-known/pki-validation/hash.txt">here</a>.</p>
</body></html>
 

cPanelLauren

Hi @nivekau

It seems something in the .htaccess is still preventing the DCV check from completing. To confirm that is the case you could rename the .htaccess temporarily then re-run the AutoSSL check - you could also comment out directives line by line to determine which is causing the issue.

Thanks!
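
Added example (not part of any post in this thread, and not cPanel's code): a small Python model of the two rewrite rules posted above, run against request paths to show which ones the inserted DCV exclusions let through. The `evaluate` function, its return strings and the sample requests are constructed for illustration; the commented-out Basic auth block and any other server configuration are not modelled.

```python
import re

# The two exclusion patterns AutoSSL inserted, copied from the .htaccess above.
CPANELDCV = re.compile(r"^/[0-9]+\..+\.cpaneldcv$")
PKI_DCV = re.compile(
    r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$"
)


def is_dcv_uri(uri):
    """True when either inserted RewriteCond exclusion pattern matches."""
    return bool(CPANELDCV.search(uri) or PKI_DCV.search(uri))


def evaluate(uri, https=False, is_file=False, is_dir=False):
    """Walk the posted rule set for one request and return the outcome.

    Model assumption: [OR] binds tighter than the implicit AND between
    RewriteCond lines, as mod_rewrite evaluates them.
    """
    dcv = is_dcv_uri(uri)
    # Rule 1: force HTTPS unless the request is a DCV probe.
    if not https and not dcv:
        return "301 -> https"
    # Rule 2: front controller: !-f AND (!-d OR URI is "/") AND not DCV.
    if not is_file and (not is_dir or uri == "/") and not dcv:
        return "rewrite -> /engine.php"
    # No rule fired: the path is served straight from disk.
    return "serve from disk" if (is_file or is_dir) else "404 (no such file)"


if __name__ == "__main__":
    token = "/.well-known/pki-validation/B4CA6D73F49FCDB3A6261716272CC13B.txt"
    # Constructed requests: (uri, https, is_file, is_dir)
    samples = [
        ("/.well-known/pki-validation/hash.txt", False, False, False),
        (token, False, False, False),   # validation file not on disk
        (token, False, True, False),    # validation file present
        (token.lower(), False, True, False),  # no [NC], so lowercase fails
        ("/about", True, False, False),
    ]
    for uri, https, is_file, is_dir in samples:
        print(f"{evaluate(uri, https, is_file, is_dir):24} {uri}")
```

The placeholder name `hash.txt` from the curl test does not match `[A-F0-9]{32}\.txt`, so the model sends it to HTTPS like any other path, which is consistent with the 301 shown in the thread. A path with a real validation filename skips both rules and returns 404 only when the file is not on disk.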