AutoSSL with Cloudflare questions

Discussion in 'Security' started by ThreePoint-Kalpesh, Mar 6, 2018.

  1. ThreePoint-Kalpesh

    ThreePoint-Kalpesh Registered

    Hello
    While I have a brief understanding of how AutoSSL works, I would like to find out how the validation works with an already secured domain name.

    AutoSSL runs a process which places a text file in the user's account, and cPanel will validate the domain by accessing the link, for example:

    Code:
    http://www.domainname.com/well-known/pki-validation/E4C6EAECEA54898108AF58B5A2825341.txt
    Once it validates, the SSL cert is provisioned.

    Question 1:

    If the SSL cert is already active and AutoSSL renews the certificate, it goes through validation again.

    Does cPanel revalidate on the secured link or on a non-secured link?
    For example:


    Code:
    httpS://www.domainname.com/well-known/pki-validation/E4C6EAECEA54898108AF58B5A2825341.txt 
    
    or
    
    http://www.domainname.com/well-known/pki-validation/E4C6EAECEA54898108AF58B5A2825341.txt 
    If the answer above is it always validates to a non-ssl link then:

    Question 2:

    If a website has a redirect where non-ssl URLs are redirected to ssl URLs, does cPanel have some sort of way of bypassing this to access the non-ssl URL?

    Now I'm trying to understand how AutoSSL works behind a domain name that is using Cloudflare.

    Question 3:

    Does AutoSSL work behind Cloudflare?

    If it doesn't, what is the process for validating SSL certs behind Cloudflare?

    Hopefully it all makes sense and someone is able to help me understand this.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    It should use the same method as the original validation attempt (non-secured link).

    Yes, the following option under the "Domains" tab in "WHM >> Tweak Settings" is enabled by default:

    Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

    Per its description:

    When you enable this option, Apache adds global rewrite rules to the webserver configuration so that the system does not process additional rewrite rules for DCV filenames. These global rules make it unnecessary for cPanel & WHM to modify each virtual host’s .htaccess file. Note: When you enable this option, the system receives a trivial performance penalty because all of the HTTP requests must be matched against the DCV filename regular expressions.


    As long as Comodo is able to fetch the DCV file from the domain name with a "200" status code, then the AutoSSL validation process should succeed and the certificate should be issued.

    Thank you.
     
  3. WhiteDog

    WhiteDog Well-Known Member

    I have multiple accounts on multiple servers that are using Cloudflare. Despite the above information, all these domains have an AutoSSL-provided certificate. They do not resolve directly to the server IP. How is this possible?

    I'm asking because this is important when using NGINX, which sometimes requires the Cloudflare Crypto setting to be set to "Full", which in turn requires that the domain also has SSL on cPanel.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @WhiteDog,

    As long as Comodo is able to fetch the DCV file from the domain name with a "200" status code, then the AutoSSL validation process should succeed and the certificate should be issued. I've edited my earlier response to clarify that.

    Thank you.
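
The "200" criterion from the replies above can be checked from outside the server before AutoSSL runs. The following is an added example, not part of the original thread and not cPanel's or Comodo's code: `check_dcv` makes one plain-HTTP request without following redirects and passes only on a direct 200 with the expected body. The file name, token and local test site are constructed, and treating a redirect as a failure is an assumption based on the "200" wording in the replies.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the thread).
DCV_PATH = "/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt"
DCV_BODY = "constructed-dcv-token"

def check_dcv(url, expected_body):
    """One plain-HTTP GET, redirects not followed; ok only on a direct 200."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    try:
        conn.request("GET", parts.path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()
    ok = resp.status == 200 and body == expected_body
    return {"status": resp.status, "location": resp.getheader("Location"), "ok": ok}

def make_site(passthrough):  # constructed vhost: HTTP->HTTPS redirect, DCV file optionally exempt
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if passthrough and self.path == DCV_PATH:
                self.send_response(200)
                self.send_header("Content-Length", str(len(DCV_BODY)))
                self.end_headers()
                self.wfile.write(DCV_BODY.encode())
            else:
                self.send_response(301)
                self.send_header("Location", "https://localhost" + self.path)
                self.end_headers()
        log_message = lambda self, *args: None  # keep the demo output quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def run_demo():
    results = {}
    for passthrough in (False, True):
        with make_site(passthrough) as server:
            url = "http://127.0.0.1:%d%s" % (server.server_address[1], DCV_PATH)
            results[passthrough] = check_dcv(url, DCV_BODY)
            server.shutdown()
    return results

if __name__ == "__main__":
    print(run_demo())
```

Pointed at a real domain, the same `check_dcv` call shows whether a forced HTTPS redirect or a proxy in front of the server changes what an external fetcher receives for the DCV file.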
     