BFFMediaInc (Member, joined Sep 29, 2016; cPanel Access Level: Reseller Owner)
I, like everyone else, am hit by this; I have 20 servers. All I see is cPanel figuring out a way to hide the symptom but not sending out notices. But the problem still exists that AutoSSL is no longer issuing certificate renewals behind Cloudflare, is that correct?

I am approaching the warning dates from those emails. I assume they are correct that the replacement SSL will not be deployed. I use Full (Strict) security at Cloudflare and require a current SSL on the servers. These are all ecommerce stores with very high traffic. SSLs auto-renewed like clockwork before this upgrade, which auto-deployed; I'll have words with my datacenter about that.

But what is being done to fix the lack of an SSL being re-issued at expiration?
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello @BFFMediaInc,

I moved this post to its own thread.

Could you verify which certificate provider is enabled for the AutoSSL feature on this server (e.g. cPanel-signed (Comodo), Let's Encrypt)? Also, in "WHM >> Manage AutoSSL", under the "Logs" tab, what output do you see when the AutoSSL feature attempts to renew the certificate for one of the domain names using CloudFlare?

Thank you.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Following because I had an AutoSSL fail to renew behind Cloudflare that caused mucho headaches. But I'm still on 66, not 68.
Could you let us know the answers to the questions in my last post?

Thanks!
 

BFFMediaInc (Member, joined Sep 29, 2016; cPanel Access Level: Reseller Owner)
Sorry I did not get notified of the response.

I have tried both Comodo and today Let's Encrypt.

12:39:26 PM WARN The domain “sub.domain.com” failed domain control validation: The system queried for a temporary file at “https://sub.domain.com/.well-known/acme-challenge/Q_Y_6UQJ2EOYXZRXE_VT3YG2YL4C03SZ”, which was redirected from “http://sub.domain.com/.well-known/acme-challenge/Q_Y_6UQJ2EOYXZRXE_VT3YG2YL4C03SZ”. The web server responded with the following error: 526 (Origin SSL Certificate Error). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “sub.domain.com” resolved to an IP address “104.31.95.6” that does not exist on this server.

Maybe CF can whitelist this AutoSSL service in some way?
 

BFFMediaInc (Member, joined Sep 29, 2016; cPanel Access Level: Reseller Owner)
Note: I use FULL STRICT on CF. I run ecommerce stores and have domain certs and CF certs. Both need to be in place for FULL STRICT, which encrypts from CF to public and also from CF to the server. FULL is only from CF to public. So turning off CF to allow an AutoSSL run, firstly, stops the ability to process secure transactions and, secondly, opens up other vulnerabilities. It seems that the Comodo AutoSSL, even with CF off, doesn't want to work anymore for renewal (but does for new); however, Let's Encrypt with CF off does work for a renewal/replacement. But again, I can't expose the origin for that waiting period, for security reasons as well as traffic and caching issues.

So two things seem to me to be a solution:
1. CF whitelists the AutoSSL service and gives it the origin details.
2. We run mod_cloudflare, which passes the IPs of the visitors through to the server so we know the IPs of customers etc., so why can't WHM recognize its own SSL lookup and trigger something?
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello,

Currently, the AutoSSL providers need to resolve the domain name to an IP address associated with the cPanel server for the domain validation process to succeed. Thus, if that doesn't happen (e.g. the domain name resolves to a CloudFlare IP), then validation will fail.

I encourage you to open a feature request to add full support for CloudFlare and AutoSSL:

Submit A Feature Request

Thank you.
 

Gabriel Goaga (Registered, joined Sep 10, 2017, Craiova; cPanel Access Level: Root Administrator)
Hi,
I also have an issue with AutoSSL, and it might have something to do with Cloudflare, which I use for that domain.
The email that I get is this; please let me know what I should do:

The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:


The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Feel free to open a support ticket using the link in my signature so we can take a closer look.

Thank you.
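Both failures reported in this thread can be reproduced before AutoSSL runs: the HTTP-01 validator resolves the domain and must land on an IP that belongs to the origin server (cPanelMichael's explanation above), and the challenge URL must answer without a redirect for the Comodo-backed provider (Gabriel's notice). The preflight script below is an added example for this thread, not cPanel's or Cloudflare's code. It assumes you know your origin's public IPs (the 203.0.113.10 address is a constructed sample); the probe token is made up, so a 404 from the origin counts as "reachable". The address 104.31.95.6 in the test scenario is the one quoted in the AutoSSL log earlier in the thread.

```python
"""Offline-testable preflight for ACME HTTP-01 domain control validation (DCV)
behind a reverse proxy such as Cloudflare. Added example, not cPanel code.

Checks mirrored from the two messages quoted in the thread:
  1. the domain must resolve to an IP that belongs to the origin server;
  2. the challenge URL must answer directly: some providers reject any HTTP
     redirect, and a proxy-side 5xx (e.g. Cloudflare 526) means the validator
     never reached the origin at all.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
PROBE_TOKEN = "preflight-probe"  # constructed; no such file exists, so 404 is expected
MAX_HOPS = 5

Fetch = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location header)


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str] = None


@dataclass
class DcvReport:
    domain: str
    resolved_ips: List[str]
    hops: List[Hop]
    problems: List[str] = field(default_factory=list)

    @property
    def redirect_count(self) -> int:
        return sum(1 for h in self.hops if 300 <= h.status < 400)

    @property
    def final_status(self) -> Optional[int]:
        return self.hops[-1].status if self.hops else None

    @property
    def ok(self) -> bool:
        return not self.problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str) -> Tuple[int, Optional[str]]:
    """One HTTP request without following redirects (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx, 4xx and 5xx all land here
        return e.code, e.headers.get("Location")


def resolve(domain: str) -> List[str]:
    """IPv4 A records, which is what an HTTP-01 validator connects to."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def trace(url: str, fetch: Fetch) -> List[Hop]:
    """Follow redirects by hand so every hop and its status is recorded."""
    hops: List[Hop] = []
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        hops.append(Hop(url, status, location))
        if not (300 <= status < 400) or not location:
            break
        url = location
    return hops


def check_dcv(domain, server_ips, resolved_ips=None, fetch=live_fetch,
              allow_redirects=False) -> DcvReport:
    """server_ips: the origin's own public IPs (operator-supplied assumption)."""
    resolved = resolve(domain) if resolved_ips is None else list(resolved_ips)
    hops = trace(f"http://{domain}{ACME_PATH}{PROBE_TOKEN}", fetch)
    report = DcvReport(domain, resolved, hops)

    if not resolved:
        report.problems.append(f"{domain} does not resolve")
    elif not any(ip in server_ips for ip in resolved):
        report.problems.append(f"{domain} resolves to {', '.join(resolved)}, none of which "
                               "is on this server (a proxy/CDN is answering for it)")
    n = report.redirect_count
    if n and not allow_redirects:
        report.problems.append(f"validation would require {n} HTTP redirect(s); "
                               "the provider does not permit redirects")
    status = report.final_status
    if status is not None and status not in (200, 404):
        hint = " (proxy rejected the origin certificate)" if status == 526 else ""
        report.problems.append(f"challenge URL ended with HTTP {status}{hint}")
    return report


if __name__ == "__main__":  # usage: python dcv_preflight.py sub.domain.com 203.0.113.10 ...
    rep = check_dcv(sys.argv[1], set(sys.argv[2:]))
    for hop in rep.hops:
        print(f"{hop.status} {hop.url}" + (f" -> {hop.location}" if hop.location else ""))
    print("OK" if rep.ok else "PROBLEMS:\n  " + "\n  ".join(rep.problems))
```

Run it from the cPanel server itself, passing the server's public IPs; with Cloudflare proxying (orange cloud) and Full (Strict) enabled, you should see the same pattern as the log in this thread: resolution to a non-origin address, one http-to-https redirect, and a 526 from the proxy. The `allow_redirects` flag exists because the thread shows the Comodo-backed provider rejecting even a single redirect while the error from Let's Encrypt was the 526 itself.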