

SOLVED AutoSSL Webmail subdomain DCV error

Discussion in 'Security' started by gnetwork-cp, May 1, 2018.

  1. gnetwork-cp

    gnetwork-cp Member

    Joined:
    Mar 1, 2016
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Some time ago I had excluded some of the cpanel service subdomains (webdisk, etc) from AutoSSL, as I wasn't using them. Now I need to use webmail.domain.com and so selected to "Include during AutoSSL" in cpanel "SSL/TLS Status" page. I then hit the button "Run AutoSSL" hoping it would now include the webmail subdomain, but it failed to include it - DCV error:
    An error occurred the last time AutoSSL ran, on May 1, 2018:
    The content “XXX” of the DCV (Domain Control Validation) file, as accessed at “http://webmail.domain.com/.well-known/pki-validation/YYY.txt”, did not match the expected value.
    Even though I selected to "Include" webmail subdomain, it still appears in SSL/TLS > Manage SSL Hosts with a red padlock.
    I rebooted and ran AutoSSL again, still no joy.
    Any ideas?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @gnetwork-cp

    It sounds like either the webmail subdomain isn't present or there's a redirect that is occurring.

    To troubleshoot this I would first ensure that the proxy subdomains are enabled for the account by running the following via CLI:

    Code:
     /scripts/proxydomains --user=$USER add
    You may also want to check the .htaccess for the domain in question to ensure that it doesn't have any rewrite rules that would blindly affect subdomains.


    Thank you,
     
  3. gnetwork-cp

    gnetwork-cp Member

    I have some necessary WordPress rewrite rules in .htaccess (I run a multisite subdomain install), which maybe need to be circumvented. So I turned OFF the "Tweak Settings > Use a Global DCV Passthrough instead of .htaccess modification", then re-activated AutoSSL to get the rewrite rules added to .htaccess. Ran AutoSSL but no difference. Then tried with both "Use Global DCV" and .htaccess rewrites, still no good.
    About running command above, I noticed at The proxydomains Script - Version 68 Documentation - cPanel Documentation
    it states:
    Note: You cannot add the cpanel, whm, or webmail proxy subdomains for addon or parked domains (aliases).
    which is what I need. When I access webmail.domain.com (even for addon domains), once I ignore the ssl warning it works and the page exists, so no problem with the proxy domain existing. Just can't get the DCV to work.
    If I run command: /scripts/proxydomains --user=$USER add
    can I run it as root, and replace "$USER" with the cpanel username?
    Any other suggestion?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    That's exactly what you should do, though if you can go to webmail.addondomain.tld without issues it's likely that they are added and functioning.

    Can you show the rewrite rules you have in the .htaccess?

    There are some issues with proxy subdomains on custom ports. Are you running just Apache or are you using a different webserver?


    Thank you,
     
  5. gnetwork-cp

    gnetwork-cp Member

    Hi @cPanelLauren
    I definitely can go to webmail.addondomain.tld without issues.
    I am running Apache with standard ports. I do suspect my mod-cache-disk may be affecting this. I do have the following entry to allow DCV through in "Service Configuration » Apache Configuration » Include Editor" pre_main_global.conf:
    CacheDisable /.well-known
    Maybe I should have an entry for .cpaneldcv?? (as appears in .htaccess)

    Here are my htaccess rewrites including the DCV passthroughs:

    # SSL Redirect
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # BEGIN WordPress
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^index\.php$ - [L]
    # uploaded files
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^(.*)$ /index.php/$1 [L,QSA]
    # OLD Pre-modcache RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    # END WordPress

    What u reckon?
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @gnetwork-cp

    If you temporarily disable the rewrite to https are the results any different?
     
  7. gnetwork-cp

    gnetwork-cp Member

    No
     
  8. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Thank you, please feel free to open a ticket using the link in my signature so that we can take a closer look. Once you do open a ticket, please update this thread with the ticket ID.

    Thank you,
     
  9. gnetwork-cp

    gnetwork-cp Member

    I solved it, almost...
    I disabled the mod-cache and it worked!

    So all I need is to add another entry to mod-cache config and the DCV should bypass cache completely.
    These are the htaccess entries for bypass:
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

    I already have this entry in "Service Configuration »Apache Configuration »Include Editor" pre_main_global.conf
    CacheDisable /.well-known

    I'm not sure how to form the url entry to disable cache for .cpaneldcv
    Any idea?
     
  10. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello,

    That makes sense, I wasn't aware you were using caching, though this line probably should have given it away:

    Code:
    # OLD Pre-modcache RewriteRule . /index.php [L]
    
    I'm glad you got it working, though.

    Disabling caching for /.well-known should encompass the cPanel DCV check since the hash file is stored in /home/$user/public_html(docroot)/.well-known/pki-validation/hash.txt

    You may want to check the Apache documentation on whether or not it needs to be configured further: mod_cache - Apache HTTP Server Version 2.4
     
  11. gnetwork-cp

    gnetwork-cp Member

    Seems to run fine now.
    I have these 2 lines in the mod-cache config:
    CacheDisable /.well-known
    CacheDisable /.cpaneldcv

    Thanks!
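
Added example (not part of any post in this thread, and not cPanel's code): an offline check of which DCV request paths the two `CacheDisable` prefixes from the post above actually cover. It assumes `CacheDisable <url-string>` behaves as a plain URL-prefix match, takes the two DCV patterns from the .htaccess posted earlier in the thread, and runs them over constructed sample paths.

```python
import re

# DCV request patterns copied from the .htaccess exclusions posted in this thread.
DCV_PATTERNS = [
    re.compile(r"^/[0-9]+\..+\.cpaneldcv$"),
    re.compile(r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$"),
]

# CacheDisable prefixes from the final mod_cache config in the thread.
THREAD_PREFIXES = ["/.well-known", "/.cpaneldcv"]

# Constructed sample request paths (token values are made up for illustration).
SAMPLE_PATHS = [
    "/.well-known/pki-validation/" + "0123456789ABCDEF" * 2 + ".txt",
    "/1525132800.EXAMPLETOKEN.cpaneldcv",
    "/.cpaneldcv/probe",
    "/index.php",
]


def is_dcv_path(path):
    """True if the path matches one of the DCV patterns from the .htaccess."""
    return any(p.match(path) for p in DCV_PATTERNS)


def cache_disabled(path, prefixes):
    """Model of CacheDisable <url-string>: caching is off for URLs that
    start with one of the configured prefixes (assumption: plain prefix match)."""
    return any(path.startswith(prefix) for prefix in prefixes)


def uncovered_dcv_paths(paths, prefixes):
    """DCV paths that would still be eligible for caching."""
    return [p for p in paths if is_dcv_path(p) and not cache_disabled(p, prefixes)]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:70} dcv={is_dcv_path(path)!s:5} "
              f"cache_disabled={cache_disabled(path, THREAD_PREFIXES)}")
    print("still cacheable DCV paths:",
          uncovered_dcv_paths(SAMPLE_PATHS, THREAD_PREFIXES))
```

With the thread's two prefixes, the only uncovered sample is the docroot-level `*.cpaneldcv` file, whose URL starts with digits rather than `/.cpaneldcv`; the `/.well-known/pki-validation/` request named in the AutoSSL error is covered by the first prefix.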
     
  12. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello,


    Thank you for posting the resolution to the issue and I'm glad to hear it's working for you now.


    Thank you,
     