AutoSSL with Cloudflare questions

[ThreePoint-Kalpesh]

Hello
While I have a brief understanding of how AutoSSL works, I would like to find out how the validation works with an already secured domain name.

AutoSSL runs a process which places a text file in the users account, and cPanel will validate the domain by accessing the link, for example:

http://www.domainname.com/well-known/pki-validation/E4C6EAECEA54898108AF58B5A2825341.txt

Once it validates the SSL cert is provisioned.

Question 1:

If the SSL cert is already active and AutoSSL renews the certificate, it goes through validation again.

Does cPanel revalidate on the secured link or on a non-secured link?
For example:

httpS://www.domainname.com/well-known/pki-validation/E4C6EAECEA54898108AF58B5A2825341.txt 

or

http://www.domainname.com/well-known/pki-validation/E4C6EAECEA54898108AF58B5A2825341.txt

If the answer above is it always validates to a non-ssl link then:

Question 2:

If a website has a redirect where non-ssl URLs are redirected to ssl URLs, does cPanel have some sort of way of bypassing this to access the non-ssl URL?

Now I'm trying to understand how AutoSSL works behind a domain name that is using Cloudflare.

Question 3:

Does AutoSSL work behind Cloudflare?

If it doesn't, what is the process for validating SSL certs behind Cloudflare?

Hopefully it all makes sense and someone is able to help me understand this.

 

[cPanelMichael]

Hello,

Does cPanel revalidate on the secured link or on a non-secured link?

It should use the same method as the original validation attempt (non-secured link).

If a website has a redirect where non-ssl URLs are redirected to ssl URLs, does cPanel have some sort of way of bypassing this to access the non-ssl URL?

Yes, the following option under the "Domains" tab in "WHM >> Tweak Settings" is enabled by default:

Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

Per it's description:

When you enable this option, Apache adds global rewrite rules to the webserver configuration so that the system does not process additional rewrite rules for DCV filenames. These global rules make it unnecessary for cPanel & WHM to modify each virtual host’s .htaccess file. Note: When you enable this option, the system receives a trivial performance penalty because all of the HTTP requests must be matched against the DCV filename regular expressions.

Does AutoSSL work behind Cloudflare?

If it doesn't, what is the process for validating SSL certs behind Cloudflare?

As long as Comodo is able to fetch the DCV file from the domain name with a "200" status code, then the AutoSSL validation process should succeed and the certificate should be issued.

Thank you.

 

[WhiteDog]

I have multiple accounts on multiple servers that are using CloudFlare. Despite the above information, all these domains have a AutoSSL provided certificate. They do not resolve directly to the server IP. How is this possible?

I'm asking because this is important when using NGNIX, which sometimes requires CloudFlare Crypto setting to be set to be set to "Full", which in turn requires that the domain also has SSL on cPanel.

 

[cPanelMichael]

I have multiple accounts on multiple servers that are using CloudFlare. Despite the above information, all these domains have a AutoSSL provided certificate. They do not resolve directly to the server IP. How is this possible?

Hello @WhiteDog,

As long as Comodo is able to fetch the DCV file from the domain name with a "200" status code, then the AutoSSL validation process should succeed and the certificate should be issued. I've edited my earlier response to clarify that.

Thank you.