
The Community Forums


CloudFlare and AutoSSL

Discussion in 'Security' started by BFFMediaInc, Nov 11, 2017.

  1. BFFMediaInc

    BFFMediaInc Member

    Joined:
    Sep 29, 2016
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Reseller Owner
    I, like everyone else, am hit by this; I have 20 servers. All I see is cPanel figuring out a way to hide the symptom but not sending out notices. But the problem still exists that AutoSSL is no longer issuing certificate renewals behind CloudFlare, is that correct?

    I am approaching the warning dates from those emails. I assume they are correct that the replacement SSL will not be deployed. I use full-strict security at CloudFlare and require a current SSL on the servers. These are all ecommerce stores with very high traffic. SSLs auto-renewed like clockwork before this upgrade, which auto-deployed; I'll have words with my datacenter about that.

    But what is being done to fix the lack of an SSL being re-issued at expiration?
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,806
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @BFFMediaInc,

    I moved this post to its own thread.

    Could you verify which certificate provider is enabled for the AutoSSL feature on this server (e.g. cPanel-signed (Comodo), Let's Encrypt)? Also, in "WHM >> Manage AutoSSL", under the "Logs" tab, what output do you see when the AutoSSL feature attempts to renew the certificate for one of the domain names using CloudFlare?

    Thank you.
     
  3. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    76
    Likes Received:
    11
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    Following because I had an AutoSSL fail to renew behind Cloudflare that caused mucho headaches.. But I'm still on 66, not 68..
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,806
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Could you let us know the answers to the questions in my last post?

    Thanks!
     
  5. BFFMediaInc

    BFFMediaInc Member

    Joined:
    Sep 29, 2016
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Reseller Owner
    Sorry I did not get notified of the response.

    I have tried both Comodo and today Let's Encrypt.

    12:39:26 PM WARN The domain “sub.domain.com” failed domain control validation: The system queried for a temporary file at “https://sub.domain.com/.well-known/acme-challenge/Q_Y_6UQJ2EOYXZRXE_VT3YG2YL4C03SZ”, which was redirected from “http://sub.domain.com/.well-known/acme-challenge/Q_Y_6UQJ2EOYXZRXE_VT3YG2YL4C03SZ”. The web server responded with the following error: 526 (Origin SSL Certificate Error). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “sub.domain.com” resolved to an IP address “104.31.95.6” that does not exist on this server.

    Maybe CF can whitelist this AutoSSL service in some way?
     
  6. BFFMediaInc

    BFFMediaInc Member

    Joined:
    Sep 29, 2016
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Reseller Owner
    Note: I use FULL STRICT on CF. I run ecommerce stores and have domain certs and CF certs. Both need to be in place for FULL STRICT, which encrypts from CF to the public and also from CF to the server. FULL is only from CF to the public. So turning off CF to allow an AutoSSL run first stops the ability to process secure transactions and secondly opens up to other vulnerabilities. It seems that the Comodo AutoSSL, even with CF off, doesn't want to work anymore for renewal (but does for new); however, Let's Encrypt with CF off does work for a renewal/replacement. But again, I can't expose the origin for that waiting period for security reasons as well as traffic and caching issues.

    So two things seem to me to be a solution:
    1. CF whitelists AutoSSL and gives it the origin details.
    2. We run mod_cloudflare, which passes the IPs of the visitors into the server so we know the IPs of customers etc., so why can't WHM recognize its own SSL lookup and trigger something?
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,806
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Currently, the AutoSSL providers need to resolve the domain name to an IP address associated with the cPanel server for the domain validation process to succeed. Thus, if that doesn't happen (e.g. the domain name resolves to a CloudFlare IP), then validation will fail.

    I encourage you to open a feature request to add full support for CloudFlare and AutoSSL:

    Submit A Feature Request

    Thank you.
     
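As an added diagnostic (not cPanel's, Comodo's or CloudFlare's code), the script below runs, from the server side, the two checks behind the failures quoted in this thread: whether the domain's A records include one of the server's own addresses, and what the first response to the challenge URL is when redirects are not followed (the redirect and the 526 from the log above are the cases it labels). The token, the 203.0.113.10 server address and all function names are assumed placeholders.

```python
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 307, 308}  # the "1 HTTP redirect" the Comodo provider rejects


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: DCV fails on the first hop, so that is what we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def default_fetch(url):
    """Return (status, Location header) of the first response to a GET on url."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here with the handler above
        return e.code, e.headers.get("Location")


def default_resolve(domain):
    """A records for the domain, i.e. what the AutoSSL provider's validator sees."""
    return sorted(set(socket.gethostbyname_ex(domain)[2]))


def classify(resolved_ips, local_ips, status, location):
    """Map the probe results onto the failure modes quoted in this thread (order is ours)."""
    if not set(resolved_ips) & set(local_ips):
        return "dns-not-origin"  # e.g. 104.31.95.6: a CloudFlare edge, not this server
    if status in REDIRECTS:
        return "redirect:" + (location or "?")  # http -> https hop at the proxy
    if status == 526:
        return "origin-ssl-error"  # CloudFlare Full (strict) rejected the origin cert
    return "ok" if status == 200 else "unexpected:%s" % status


def precheck(domain, token, local_ips, resolve=default_resolve, fetch=default_fetch):
    """Probe the challenge URL the way the AutoSSL log shows it being requested."""
    ips = resolve(domain)
    status, location = fetch("http://%s%s%s" % (domain, ACME_PATH, token))
    return classify(ips, local_ips, status, location)
```

Run `precheck("sub.domain.com", "<token>", ["<this server's IP>"])` on the cPanel host; for a domain proxied through CloudFlare it returns `dns-not-origin`, which is the condition described in the staff reply above.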
  8. Gabriel Goaga

    Gabriel Goaga Registered

    Joined:
    Sep 10, 2017
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Craiova
    cPanel Access Level:
    Root Administrator
    Hi,
    I also have an issue with AutoSSL, and it might have something to do with Cloudflare, which I use for that domain.
    The email that I get is this; please let me know what I should do:

    The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:

    The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects.
     
    #8 Gabriel Goaga, Nov 30, 2017
    Last edited by a moderator: Nov 30, 2017
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,806
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket using the link in my signature so we can take a closer look.

    Thank you.
     
  10. Gabriel Goaga

    Gabriel Goaga Registered

    Joined:
    Sep 10, 2017
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Craiova
    cPanel Access Level:
    Root Administrator
    All set. Your support request ID: 9076577

     