Comodo entries added to htaccess

canou83

Hi. I need your clarification. My .htaccess looks like this according to my different sites with regards to the RewriteEngine. Out of all my sites, cPanel has added in number:
Code:
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

# SEO URL Settings
RewriteEngine On
# If your opencart installation does not run on the main web folder make sure you folder it does run in ie. / becomes /shop/

RewriteBase /
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^sitemap.xml$ index.php?route=feed/google_sitemap [L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^download/(.*) index.php?route=error/not_found [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
    RewriteCond %{HTTP_HOST} ^example.com$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^(.*) http://www.example.com/$1 [QSA,L,R=301]
    RewriteCond %{QUERY_STRING} ^(.*)common/home(.*)$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^index\.php$ http://www.example.com/? [L,R=301]
I do not understand what these two lines are and why do they come so many times?

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

Thank you for your help.
 

cPanelMichael

Administrator
Staff member
Hello,

We now automatically update .htaccess files to exclude DCV checks from HTTP redirections so that the DCV checks complete successfully. This resolves issues that some customers reported with AutoSSL and cPanel Market purchases.

Reference: 60 Release Notes - Documentation - cPanel Documentation

Thank you.
 

cPanelMichael

Administrator
Staff member
Those lines are added before every “RewriteRule” directive to ensure that domain control validation (DCV) will avoid redirects.

Thank you.
 

Lizardhr

Hi, is it possible to disable cPanel adding these rules?

I have a site with special redirects, and the auto-added rules messed things up so that they don't work anymore.
 

cPanelMichael

Administrator
Staff member
It's not possible, however I encourage you to review the comments on the following feature request where this topic is discussed:

Ability to prevent autossl editing .htaccess files

Also, feel free to open a support ticket so we can review how the rules are preventing your website from working and determine if an internal case to account for those custom rules is necessary.

Thank you.
 

nickwuk

I have a cPanel server with AutoSSL with several accounts. All accounts have similar rewrite rules in htaccess, but only one htaccess includes these DCV rewrite conditions, and that file is updated every day although the content does not change. Does this mean there is something wrong with the domain setup?

The fact that the htaccess file date changes every day causes a false positive alert with a file scanner that checks for any changed files.
 

cPanelMichael

Administrator
Staff member
Hello,

Are you adding new domain names to the account on a regular basis that would result in AutoSSL initiating the validation process? If not, do you notice any error messages for this account under the "Logs" tab in "WHM >> Manage AutoSSL"?

Thank you.
 

nickwuk

No, not regularly adding domain names. Yes, there are errors listed in the logs. From the first error message it seems it has trouble parsing the directive 'rewritecond' in lowercase. I've changed 'rewritecond' to 'RewriteCond'; I notice there is all lowercase used on another account without issue. I think the issue here was using a mix of 'rewritecond' and 'RewriteCond' before 'rewriterule'.

Code:
WARN Failed to parse RewriteCond directive: “rewritecond %{http_host} ^mydomain.co.uk [nc] ”
The second error says:

Code:
WARN The domain “mydomain.co.uk” failed domain control validation: 
The system queried for a temporary file at “http://www.mydomain.co.uk/BD7EA736A32676F14436484DE48AC353.txt”, 
which was redirected from “http://mydomain.co.uk/BD7EA736A32676F14436484DE48AC353.txt”. 
The web server responded with the following error: 404 (Not Found). 
A DNS or web server misconfiguration may exist. 
The domain “mydomain.co.uk” resolved to an IP address “xx.xxx.xx.xx” that does not exist on this server. at bin/autossl_check.pl
The mydomain.co.uk redirection to www.mydomain.co.uk is a directive in .htaccess. Sounds like it also has an issue with the domain DNS.
 

cPanelMichael

Administrator
Staff member
> The domain “mydomain.co.uk” resolved to an IP address “xx.xxx.xx.xx” that does not exist on this server. at bin/autossl_check.pl

Could you verify if the domain name resolves to the IP address associated with the cPanel account it's associated with? It needs to resolve to the cPanel server in order for the domain validation process to succeed. If it does, please feel free to open a support ticket using the link in my signature so we can take a closer look.

Thank you.
 

cnisvcs

I would like to share my experience on the subject of Comodo rewrite rules added to .htaccess file.

Several days ago, using the SSL certificates applet in cPanel, I installed an EV SSL certificate purchased from DigiCert. Since then my web application stopped working properly. I identified the reason to be the sessions acting in an unpredictable manner. More specifically, most often the values of session variables were not stored on the server. In an effort to get to the bottom of this issue, I switched session storage to the database and created my own session handler with open, close, read, write, destroy, and garbage collection functions equipped with debugging markers saving traces in a file. In the test script, I used only the service objects for database access and session handling, and the actual code only started the session (session_start()) and assigned a value to a session variable ($_SESSION['foo']='bar'). Upon calling the script, the session record appeared in the database, but the data field was empty. The debugging markers indicated that session functions were called as follows:

open
read
write (session value successfully recorded here)
close
open
read (session value successfully read here)
write (session value recorded as null here)
close

This test indicated that a single call of session_start() caused two full cycles of accessing session storage, almost as if the script was called twice. That prompted me to check the configuration of the server. At the initial phase of the project, I added a simple rewrite rule to the .htaccess file, which converted any string not being a call for a file or a directory to a call for index.php with the entire input string passed as one GET parameter. Here is the original code:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?p=$1 [L]
</IfModule>

What I found in my .htaccess file was:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.+)$ index.php?p=$1 [L]
</IfModule>

The two extra lines, related to domain control validation caused two effects:

1. Any file I called with HTTP was automatically redirected to HTTPS.
2. Session values were not being saved properly.

I contacted my hosting company. Tech support rep suggested that I should separate the domain control validation rules into a separate block at the top of my .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine off

He mentioned that these rules are not absolutely necessary at this point and I can comment them out if I want.

Secondly, he walked me through logging to WHM, accessing 'Add an A Entry for Your Hostname' applet, and re-submitting the IP address for the already existing hostname.

Since then the sessions work normally. Today, I tried to re-produce the issue by inserting the two extra lines back into my rewrite rules sequence, but that did not cause the same problem. That would indicate that the DNS A record for my server hostname had something to do with the initial issue. Perhaps it compounded with the two extra rewrite rules causing abnormal behavior. I can't tell.

I'm writing this in case someone begins to experience weird behavior of sessions after SSL certificate installation in the cPanel.
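
For the file-scanner alert raised earlier in the thread, one way to tell cPanel's DCV insertions apart from other .htaccess changes is to hash the file with those lines removed. This is an added example, not part of the post above or of cPanel's code; the function names are hypothetical and the TAMPERED sample is constructed.

```python
import hashlib

# RewriteCond patterns cPanel inserts, copied verbatim from the posts in this thread.
DCV_PATTERNS = {
    r"!^/[0-9]+\..+\.cpaneldcv$",
    r"!^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",
    r"!^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",
}

def is_dcv_cond(line):
    """True if the line is one of the auto-inserted DCV RewriteCond lines."""
    parts = line.strip().split(None, 2)  # directive, test string, pattern
    return (len(parts) == 3 and parts[0].lower() == "rewritecond"
            and parts[1] == "%{REQUEST_URI}" and parts[2] in DCV_PATTERNS)

def fingerprint(text):
    """SHA-256 over the file with DCV lines and trailing whitespace removed."""
    kept = [ln.rstrip() for ln in text.splitlines() if not is_dcv_cond(ln)]
    return hashlib.sha256("\n".join(kept).encode("utf-8")).hexdigest()

def compare(baseline, current):
    """Classify a change: 'unchanged', 'dcv-only' or 'modified'."""
    if baseline == current:
        return "unchanged"   # only the timestamp moved
    if fingerprint(baseline) == fingerprint(current):
        return "dcv-only"    # DCV conditions added or removed, nothing else
    return "modified"        # some other directive changed: review it

# The two .htaccess versions quoted in the post above.
ORIGINAL = r"""<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?p=$1 [L]
</IfModule>"""
DCV_LINES = (r"RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$" "\n"
             r"RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$" "\n")
FOUND = ORIGINAL.replace("RewriteRule", DCV_LINES + "RewriteRule")
# Constructed sample: the same file with an unrelated rule added.
TAMPERED = FOUND.replace("RewriteBase /",
                         "RewriteBase /\nRewriteRule ^old$ /new [R=302,L]")

if __name__ == "__main__":
    for name, text in [("same", ORIGINAL), ("found", FOUND), ("tampered", TAMPERED)]:
        print(name, compare(ORIGINAL, text))
```

Only lines that match the quoted patterns exactly are ignored, so any edit to a DCV line itself still shows up as "modified".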
 

TMS_BV

@cpanelmichael: Thanks for the valuable comments. If (!) I am correct:
  1. AutoSSL is a feature of cPanel v60+ to have a webserver automatically install/ renew domain-validated SSL-certificates for users' domains.
  2. What you described is explained only in this and this (both outdated) documentation; not here.
  3. The webserver adds certain RewriteCond's before each RewriteRule in the htaccess file (to ensure that Domain Control Validation avoids redirects).
  4. Apache applies AND-operators to those RewriteCond's (as they don't contain OR-operators). This means that each RewriteRule fires only if ALL its preceding RewriteCond's are met.
  5. (cPanel v84+ allows to force "global DCV rewrite rules", avoiding the need to modify htaccess files of individual users.)

My questions:
a) Exactly which rules are added with cPanel v84? Asking this because mine are somewhat different from the ones mentioned by the OP and I don't fully understand their exact meaning:
Apache config:
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
b) Exactly when does the webserver add the RewriteCond's? Just before the domain control validation, certificate installation and/ or (periodically?) other moments?
c) Does the webserver check if the RewriteCond's are present already, before actually adding them? I suppose it does not blindly append. ;-)
d) Does the webserver need the CHMOD permission of htaccess file to be set in a certain way to be able to modify the file?
e) Commonly, htaccess redirects traffic from http to https. Does this mean that the DCV and/ or certificate installation happen over http (i.e. without a redirection to https)?
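
The RewriteCond pairs quoted in this thread, evaluated against sample request URIs to show which requests are exempted from the RewriteRule that follows them. This is an added example, not part of any post or of cPanel's code; it models only the negated, AND-ed conditions rather than the rest of mod_rewrite, and the function names and all sample URIs except the file name from the AutoSSL log are constructed.

```python
import re

# DCV exclusion patterns copied from the RewriteCond lines quoted in this thread.
CPANEL_DCV = re.compile(r"^/[0-9]+\..+\.cpaneldcv$")
COMODO_DCV_ROOT = re.compile(r"^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$")
COMODO_DCV_WELL_KNOWN = re.compile(
    r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$"
)

RULESETS = {
    "original": (CPANEL_DCV, COMODO_DCV_ROOT),          # lines from the first post
    "well-known": (CPANEL_DCV, COMODO_DCV_WELL_KNOWN),  # lines from the last post
}


def rule_may_fire(request_uri, ruleset="original"):
    """Model the negated, AND-ed RewriteConds: the RewriteRule that follows is
    considered only when the URI matches none of the DCV patterns."""
    return all(p.search(request_uri) is None for p in RULESETS[ruleset])


def classify(uris, ruleset="original"):
    """Return {uri: 'eligible' | 'exempt'}; exempt requests skip the rule."""
    return {
        u: "eligible" if rule_may_fire(u, ruleset) else "exempt" for u in uris
    }


# Constructed sample URIs; the 32-character name is the one in the AutoSSL log above.
SAMPLES = [
    "/BD7EA736A32676F14436484DE48AC353.txt",
    "/bd7ea736a32676f14436484de48ac353.txt",  # lowercase hex: no [NC], so no match
    "/.well-known/pki-validation/BD7EA736A32676F14436484DE48AC353.txt",
    "/1496400000.abcdef.cpaneldcv",
    "/product/blue-widget",
]

if __name__ == "__main__":
    for name in RULESETS:
        print(name)
        for uri, verdict in classify(SAMPLES, name).items():
            print(f"  {verdict:9} {uri}")
```

"Eligible" means only that the DCV conditions pass; the rule's other conditions and its own pattern still decide whether the rewrite happens.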