AutoSSL unable to replace certificate - failed domain control validation

[nivekau]

AutoSSL is unable to replace an expired certificate. The log shows a bunch of errors like these;

 4:11:00 PM WARN The domain “*****.com.au” failed domain control validation: The system queried for a temporary file at “http://*****.com.au/.well-known/pki-validation/B4CA6D73F49FCDB3A6261716272CC13B.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 4:11:01 PM WARN The domain “whm.*****.com.au” failed domain control validation: The system queried for a temporary file at “http://whm.*****.com.au/.well-known/pki-validation/C3E25B0D11F2C6EB4D8BB998BAD5CF8F.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

Please advise how to fix this.

 

[24x7server]

Hi,

AutoSSL first validates by creating a temporary link and it does this to make sure the domain is pointing to the correct server and then only processes. You have to browse the validation link to see if that works and if it does not work, you will have to check .htaccess in your account to see if that is blocking it from being browsed.

 

[nivekau]

Okay. Thanks. On this particular site access to the site was restricted in the .htaccess file because it's a development site. I commented out the auth section of the .htaccess file and ran the AutoSSL "check" for this user in WHM.

It inserted the following mod rewrite conditions into my .htaccess file in each section where rewrite conditions already existed;

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

So this is what my .htaccess file looks like now;

RewriteEngine on

# only rewrite if the file or directory doesn't exists
# and if we're not viewing the homepage

RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^.*$ /engine.php [L]
# AuthType Basic
# AuthName "private"
# AuthUserFile "/home/worknews/.htpasswds/public_html/passwd"
# require valid-user​

The folders .well-known/pki-validation/ exist, but there is no file in the pki-validation folder and it does not appear that the expired certificate has been replaced - I am still getting a certificate expiry warning in Firefox

 

[cPanelLauren]

Hi @nivekau


We created the following troubleshooting guide for issues with AutoSSL:

AutoSSL Troubleshooting Steps

Does the following curl request return anything?

curl -k --user-agent "COMODO DCV" http://example.com/.well-known/pki-validation/hash.txt

 

[nivekau]

This is what the curl request returns (logged into the relevant cpanel user account using putty);

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
        <head>
                <title>404 - Not Found</title>
        </head>
        <body>
                <h1>404 - Not Found</h1>
        </body>
</html>

 

[nivekau]

I should add, that on very simple sites on the same server, https works fine. It's the sites that already have .htaccess files that appear to be a problem.

 

[nivekau]

Also, I ran the curl command exactly as it was. If I run it and substitute example.com for my domain, this is what I get back;

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://----------.com.au/.well-known/pki-validation/hash.txt">here</a>.</p>
</body></html>

 

[cPanelLauren]

HI @nivekau

It seems something in the .htaccess is still preventing the DCV check from completing. To confirm that is the case you could rename the .htaccess temporarily then re-run the AutoSSL check - you could also comment out directives line by line to determine which is causing the issue.

Thanks!