The Community Forums


AutoSSL Validation Process

Discussion in 'Security' started by timwoolfson, Jun 30, 2017.

  1. timwoolfson

    timwoolfson Member

    Hi,

    It seems that the AutoSSL process as at WHM 64 build 29 first queries for a temporary file. If it gets 403 forbidden, it fails without ever writing the temporary file.

    Why doesn't it write the file first, then query it?

    If it did that, it could work for people who have their .htaccess rules set up to forbid (403) access to non-existent files.

    WordPress with en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall behaves like this for example (more than half a million installs).

    Grateful for any feedback,

    Tim.
     
    #1 timwoolfson, Jun 30, 2017
    Last edited by a moderator: Jun 30, 2017
  2. 24x7server

    24x7server Well-Known Member

    Hi,

    AutoSSL first verifies your account, then writes a file in it so that Comodo can verify that the account for which cPanel has sent the SSL request is on this machine itself.

    If you have .htaccess blocking this, then SSL generation will continue to fail. You have to make sure that .htaccess allows this .txt file to be browsable, at least while the SSL is being generated.
     
  3. timwoolfson

    timwoolfson Member

    Thanks for trying to help, but you miss the point - I've better formulated my suggestion as a feature request: "AutoSSL should write text file before access check".
    I can turn off AIOWPS so that AutoSSL works, but that's mental - AutoSSL should write the file before trying to access it. Forbidding attempts to access non-existent files seems sound from a security perspective to me. Alternatively, perhaps AutoSSL could be refactored to use DNS to establish request authenticity...
     
    chitramathur likes this.
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Are you sure the DCV text file is never generated? As I understand, it should generate first, but is automatically removed when AutoSSL fails on a certificate order. This is to prevent multiple DCV files in the document root in cases of repeat AutoSSL failures.

    Note the following feature under the "Domains" tab in "WHM >> Tweak Settings" allows for global DCV passthrough without the need to manipulate the .htaccess file:

    Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

    Thank you.
     
    chitramathur likes this.
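The .htaccess pattern the original post and Michael's reply are talking about, as an added example (not from the thread, AIOWPS or cPanel's own rules): a rule that answers 403 for non-existent files, with an exemption placed before it so the DCV token request reaches the web server unblocked. The 32-hex-character token filename is taken from the log excerpt later in this thread; the .well-known/pki-validation path is an assumption.

```apache
# Per-directory rules in the document root's .htaccess; mod_rewrite assumed.
RewriteEngine On

# Exemption first: pass the DCV token request through untouched ("-" keeps
# the URL as-is, [L] stops processing so the blocking rule below never runs).
# Pattern from the thread's log excerpt: <32 hex chars>.txt in the docroot.
RewriteRule ^[A-F0-9]{32}\.txt$ - [L]
# Assumed second location used by some validators (not shown in the thread).
RewriteRule ^\.well-known/pki-validation/ - [L]

# The hardening rule that caused the failure: anything that is neither an
# existing file nor an existing directory is answered with 403 ([F]).
# It is now only reached for requests that are not DCV token lookups.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* - [F]
```

With the exemption in place, a request for a token file that is not on disk gets Apache's normal 404 instead of the 403 seen in the log excerpt, and a token file that AutoSSL has written is served; the "Global DCV Passthrough" setting Michael mentions is the way to get the same effect without editing .htaccess.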
  5. timwoolfson

    timwoolfson Member

    kanban - in future, please post a new thread unless your post is directly related to the original post. Yours is tangentially related but muddies the water so far as the original post is concerned - a separate thread would have been better for both of us.

    Michael, thanks for your comments - I will look into the Global DCV rewrite. Nonetheless, I can confirm that at the time AutoSSL tests for the file, the file does not exist (log excerpt follows; the cPanel name and domain name have been rewritten to "example", but the domain / account in question is on the server and DNS is configured). If the file did exist, AIOWPS would allow it to be read - I have checked. It is rightly blocking the request because the file does not exist - 404s are blocked as 403s. Please vote for the feature request if you are also having this issue: "AutoSSL should write text file before access check".
    Code:
    10:33:09 AM Checking websites for “example” …
    10:33:09 AM The website “example.com”, owned by “example”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    10:33:09 AM WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://example.com/63A14725691C86DA179389AEB54D6BB8.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS or web server misconfiguration may exist.

    #5 timwoolfson, Jul 4, 2017
    Last edited by a moderator: Jul 4, 2017
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Separated Threads..
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Feel free to open a support ticket using the link in my signature so we can take a closer look.

    Thank you.
     
    chitramathur likes this.