AutoSSL unable to replace certificate - failed domain control validation

Discussion in 'Security' started by nivekau, May 6, 2018.

  1. nivekau

    nivekau Active Member

    Joined:
    Jul 22, 2011
    Messages:
    35
    Likes Received:
    2
    Trophy Points:
    58
    AutoSSL is unable to replace an expired certificate. The log shows a bunch of errors like these;
    Code:
     4:11:00 PM WARN The domain “*****.com.au” failed domain control validation: The system queried for a temporary file at “http://*****.com.au/.well-known/pki-validation/B4CA6D73F49FCDB3A6261716272CC13B.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     4:11:01 PM WARN The domain “whm.*****.com.au” failed domain control validation: The system queried for a temporary file at “http://whm.*****.com.au/.well-known/pki-validation/C3E25B0D11F2C6EB4D8BB998BAD5CF8F.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
    
    Please advise how to fix this.
     
    #1 nivekau, May 6, 2018
    Last edited by a moderator: May 7, 2018
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,812
    Likes Received:
    84
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    AutoSSL first validates by creating a temporary link and it does this to make sure the domain is pointing to the correct server and then only processes. You have to browse the validation link to see if that works and if it does not work, you will have to check .htaccess in your account to see if that is blocking it from being browsed.
     
  3. nivekau

    nivekau Active Member

    Okay. Thanks. On this particular site access to the site was restricted in the .htaccess file because it's a development site. I commented out the auth section of the .htaccess file and ran the AutoSSL "check" for this user in WHM.

    It inserted the following mod rewrite conditions into my .htaccess file in each section where rewrite conditions already existed;

    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

    So this is what my .htaccess file looks like now;

    RewriteEngine on

    # only rewrite if the file or directory doesn't exists
    # and if we're not viewing the homepage

    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d [OR]
    RewriteCond %{REQUEST_URI} ^/$
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^.*$ /engine.php [L]
    # AuthType Basic
    # AuthName "private"
    # AuthUserFile "/home/worknews/.htpasswds/public_html/passwd"
    # require valid-user

    The folders .well-known/pki-validation/ exist, but there is no file in the pki-validation folder and it does not appear that the expired certificate has been replaced - I am still getting a certificate expiry warning in Firefox.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,760
    Likes Received:
    131
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @nivekau


    We created the following troubleshooting guide for issues with AutoSSL:

    AutoSSL Troubleshooting Steps

    Does the following curl request return anything?

    Code:
    curl -k --user-agent "COMODO DCV" http://example.com/.well-known/pki-validation/hash.txt
     
  5. nivekau

    nivekau Active Member

    This is what the curl request returns (logged into the relevant cpanel user account using putty);
    Code:
    <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
             "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
            <head>
                    <title>404 - Not Found</title>
            </head>
            <body>
                    <h1>404 - Not Found</h1>
            </body>
    </html>
    
     
    #5 nivekau, May 9, 2018
    Last edited by a moderator: May 9, 2018
  6. nivekau

    nivekau Active Member

    I should add, that on very simple sites on the same server, https works fine. It's the sites that already have .htaccess files that appear to be a problem.
     
  7. nivekau

    nivekau Active Member

    Also, I ran the curl command exactly as it was. If I run it and substitute example.com for my domain, this is what I get back;
    Code:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="https://----------.com.au/.well-known/pki-validation/hash.txt">here</a>.</p>
    </body></html>
     
    #7 nivekau, May 9, 2018
    Last edited by a moderator: May 9, 2018
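
An added example, not part of any post in this thread and not cPanel's own code: it checks which request paths the two inserted `RewriteCond` exclusions actually exempt, and classifies the response to a probe shaped like a real DCV file name. The literal placeholder name `hash.txt` does not match the exclusion pattern, so the HTTPS redirect in the `.htaccess` shown above still applies to it. Function names are hypothetical; the live check assumes you supply your own domain and document root.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, patterns are from the thread.

# Succeeds if a request path matches one of the two RewriteCond exclusions that
# AutoSSL inserted. "(?:...)" is PCRE-only, so it is a plain ERE group here.
dcv_exempt() {
  printf '%s\n' "$1" | grep -Eq \
    -e '^/[0-9]+\..+\.cpaneldcv$' \
    -e '^/\.well-known/pki-validation/[A-F0-9]{32}\.txt( Comodo DCV)?$'
}

# Print a probe path shaped like a real DCV file (32 uppercase hex characters).
dcv_probe_path() {
  local hex
  hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
  printf '/.well-known/pki-validation/%s.txt\n' "$hex"
}

# Map the status line of `curl -sI` output to a short verdict.
dcv_classify() {
  local status
  status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR==1 {print $2}')
  case $status in
    200) echo "ok" ;;
    301|302|307|308) echo "redirected" ;;
    401|403) echo "access-restricted" ;;
    404) echo "not-found" ;;
    *) echo "other:$status" ;;
  esac
}

# Live check: drop a probe file in the docroot, fetch it over plain HTTP without
# following redirects, then clean up. Assumes you pass your own domain and docroot.
dcv_live_check() {
  local domain=$1 docroot=$2 path verdict
  path=$(dcv_probe_path)
  mkdir -p "$docroot/.well-known/pki-validation"
  echo probe > "$docroot$path"
  verdict=$(dcv_classify "$(curl -sI --user-agent 'COMODO DCV' "http://$domain$path")")
  rm -f "$docroot$path"
  echo "$verdict"
}
```

Run as the account user, `dcv_live_check yourdomain.example /path/to/public_html` should print `ok`; any other verdict means a rule or access restriction is still intercepting the validation path.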
  8. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @nivekau

    It seems something in the .htaccess is still preventing the DCV check from completing. To confirm that is the case you could rename the .htaccess temporarily then re-run the AutoSSL check - you could also comment out directives line by line to determine which is causing the issue.

    Thanks!
     