
AutoSSL Validation Process

Discussion in 'Security' started by timwoolfson, Jun 30, 2017.

  1. timwoolfson

    timwoolfson Member

    Hi,

    It seems that the AutoSSL process as at WHM 64 build 29 first queries for a temporary file. If it gets 403 forbidden, it fails without ever writing the temporary file.

    Why doesn't it write the file first, then query it?

    If it did that, it could work with people who have their .htaccess rules set up to forbid (403) access to non-existent files.

    WordPress with en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall behaves like this for example (more than half a million installs).

    Grateful for any feedback,

    Tim.
     
    #1 timwoolfson, Jun 30, 2017
    Last edited by a moderator: Jun 30, 2017
  2. 24x7server

    24x7server Well-Known Member

    Hi,

    AutoSSL first verifies your account, then writes a file in it for Comodo to verify that the account for which cPanel has sent an SSL request is on this machine itself.

    If you have .htaccess blocking this, then SSL generation will continue to fail. You have to make sure that the .htaccess allows this .txt file to be browsable, at least for the time the SSL certificate is being generated.
     
  3. timwoolfson

    timwoolfson Member

    Thanks for trying to help, but you miss the point. I've formulated my suggestion better as a feature request: AutoSSL should write text file before access check
    I can turn off AIOWPS so that AutoSSL works, but that's mental. AutoSSL should write the file before trying to access it. Forbidding attempts to access non-existent files seems sound from a security perspective to me. Alternatively, perhaps AutoSSL could be refactored to use DNS to establish request authenticity...
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    Are you sure the DCV text file is never generated? As I understand, it should generate first, but is automatically removed when AutoSSL fails on a certificate order. This is to prevent multiple DCV files in the document root in cases of repeat AutoSSL failures.

    Note the following feature under the "Domains" tab in "WHM >> Tweak Settings" allows for global DCV passthrough without the need to manipulate the .htaccess file:

    Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

    Thank you.
     
  5. timwoolfson

    timwoolfson Member

    kanban - in future, please post a new thread unless your post is directly related to the original post. Yours is tangentially related but muddies the water so far as the original post is concerned; a separate thread would have been better for both of us.

    Michael, thanks for your comments. I will look into the Global DCV rewrite. Nonetheless, I can confirm that at the time AutoSSL tests for the file (log excerpt follows; the cPanel name and domain name have been rewritten to "example", but the domain/account in question is on the server and DNS is configured), the file does not exist. If it did exist, AIOWPS would allow the file to be read; I have checked. It is rightly blocking the request because the file does not exist: 404s are blocked as 403s. Please vote for the feature request if you are also having this issue: AutoSSL should write text file before access check
    Code:
    10:33:09 AM Checking websites for “example” …
    10:33:09 AM The website “example.com”, owned by “example”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    10:33:09 AM WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://example.com/63A14725691C86DA179389AEB54D6BB8.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS or web server misconfiguration may exist.
     
    #5 timwoolfson, Jul 4, 2017
    Last edited by a moderator: Jul 4, 2017
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Separated Threads..
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Feel free to open a support ticket using the link in my signature so we can take a closer look.

    Thank you.
     
  8. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Can you please confirm whether access to these text files is required for renewal as well as the original validation? As you'd expect, many customers have .htaccess directives that don't allow access to this file, so when validation fails we need to intervene. Is this going to be a continual problem upon renewal too?

    Is there an Email notification for failed validation?

    I'm wondering why the validation doesn't simply check that the domain resolves to an IP on the server that is requesting the certificate?
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Yes, it's required for the renewal as well as the original request. The following feature under the "Domains" tab in "WHM >> Tweak Settings" allows for global DCV passthrough so that customers do not need to manipulate their .htaccess files:

    Use a Global DCV Passthrough instead of .htaccess modification

    The following notifications are available as of cPanel version 68:

    SSL and AutoSSL certificate renewal, expiry, failure, and success notifications

    It's part of Comodo's and Let's Encrypt's validation process. You can read more about it at:

    Urgent DCV Updates This Week | cPanel Blog

    Thank you.
     
  10. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Enabling "Global DCV Passthrough" in Tweak Settings doesn't resolve this problem. We are not discussing the issue of cPanel automatically making changes to .htaccess files.

    This discussion is specific to the issue surrounding .htaccess directives that inadvertently prevent access to the /.well-known/pki-validation/<filename.txt> file - or as the OP points out, it seems if the initial check results in a 403, the file is never written and validation doesn't even start. As they said, it is reasonable to forbid access to non existent files.

    The ultimate goal here is automation of this process, but as the OP points out, anyone using their own .htaccess directives to prevent access to file types, or various .htaccess-based security plugins, of which there are hundreds of thousands of installs, is going to need manual intervention, and currently we don't even get notified when this is required.

    For a provider with lots of servers, once the use of AutoSSL becomes the norm, this could become a real pain, having to make changes to many clients' .htaccess files every time their DV cert needs creating or re-validating.

    The above suggestion, to create the text file before checking to see if it exists doesn't make much sense though. I assume the process of checking the existence of the file is required, prior to validation, modification, or creation if it doesn't exist - it just seems the script doesn't take into account the fact that access might be explicitly forbidden. So perhaps the script should handle that result differently? Although there are still plenty of other situations in which this process could fail. Only time will tell if it is going to become a major issue.
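As an added illustration, not taken from this thread and not cPanel's or the All In One WP Security plugin's own rule set: a hypothetical .htaccess hardening rule of the kind the OP and 4u123 describe, which answers requests for non-existent paths with 403 instead of 404, beside the same rule with the two DCV locations named in this thread (the /.well-known/pki-validation/ directory and the root-level 32-hex-character .txt file seen in the OP's log) exempted. The "before" rule is a stand-in written for this example to reproduce the 403-on-missing-file symptom; the filename pattern for the root-level token is inferred from the single filename in the log and is an assumption.

```apache
# --- Before (hypothetical, constructed for this example) ---
# Any request for a path that is not an existing file or directory gets 403
# instead of 404. This reproduces the symptom in the OP's log: AutoSSL's probe
# for the token file arrives before the file exists and is answered with 403.
# As written this would also 403 WordPress pretty permalinks; it is here only
# to show the failure mode, not as a recommended rule.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [F,L]

# --- After: same hardening, with the DCV locations passed through first ---
# Order matters: these exemptions must sit above any rule that forbids or
# rewrites the request, including WordPress's own front controller
# ("RewriteRule . /index.php [L]").
RewriteEngine On

# HTTP DCV / ACME challenge files under .well-known (the path 4u123 quotes).
# "-" means no substitution; [L] ends this pass so the request is served as-is
# (200 if the token has been written, the server's ordinary 404 if it has not).
RewriteRule ^\.well-known/(pki-validation|acme-challenge)/ - [L]

# Root-level DCV token, e.g. /63A14725691C86DA179389AEB54D6BB8.txt as in the
# OP's log. Assumed pattern: 32 uppercase hex characters plus ".txt".
RewriteRule ^[A-F0-9]{32}\.txt$ - [L]

# Everything else: keep forbidding requests for non-existent paths.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [F,L]
```

Two caveats when applying this on a real account. First, the exemption only helps if the block is itself a mod_rewrite rule; a deny implemented with `<FilesMatch "\.txt$">` and `Require all denied` runs in Apache's access-control phase, which mod_rewrite cannot bypass, so it needs its own exception for the same paths. Second, verify from outside rather than trusting the rule: create a throwaway file at `/.well-known/pki-validation/test.txt` in the document root, request it with `curl -sI http://example.com/.well-known/pki-validation/test.txt`, and expect a 200; a 403 means the request is still being caught by something earlier in the chain (a plugin that regenerates .htaccess, a parent-directory rule, or a non-rewrite deny). Remove the test file afterwards. The WHM "Use a Global DCV Passthrough" tweak setting mentioned earlier in the thread is the server-wide alternative to maintaining per-account exemptions like these.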
     
  11. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    There's no functionality to account for those types of .htaccess rules at this time. I encourage anyone experiencing this issue to vote and add feedback to the following feature request:

    AutoSSL should write text file before access check

    Thank you.
     