
Pending Publication [CPANEL-21489] autoSSL DCV to www instead of base domain?

Discussion in 'Security' started by chuckcintron, Jun 27, 2018.

  1. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I'm using addon domains, and need autoSSL to generate certificates.

    I'm hitting a problem with redirect, where DCV is failing due to autoSSL looking for the file at mysite.com/.well-known/pki-validation -- and my Amazon S3 bucket is always redirecting to www.mysite.com/.well-known/pki-validation.

    autoSSL sees the 302 redirect and then says "sorry this fails".

    For many reasons I cannot turn off the Amazon S3 redirect. Even if I do temporarily, when autoSSL tries to renew 90 days from now, it will fail again unless I remember to turn it off. For hundreds of websites.

    So: Is there a way get this DCV to work by having autoSSL make the request to www. instead of the base domain? Or some other workaround?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @chuckcintron


    While the AutoSSL HTTP DCV check for the root domain in this instance may fail, it shouldn't fail to secure the www. subdomain, unless there's an alternate redirect. cPanel does add an .htaccess rule to make an exception for these kinds of redirections; if you're doing the redirection somewhere else, you may want to look at the exception it adds and add it where you're creating the redirects with Amazon, if possible.

    Otherwise, in order for the HTTP DCV check to complete it must be able to query the URL. We will be introducing a DNS DCV check fallback in a future version of cPanel (v74 I believe) which will allow a DNS version of the check to be completed if the HTTP DCV check fails.
     
  3. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Thanks. So, the fail of the root domain and then the success of securing the www. subdomain -- this is an "okay" condition to have?

    If it is, then my problem is solved since I force all traffic to www.

    When looking at the autoSSL status page inside cPanel, it is disconcerting to see red/failure on the root domain and then green/success on the www. -- it made me worry that 90 days from now when it attempts a renewal, it might fail.

    If I am safe in this condition and the renewal will not fail for the www. subdomain then I can relax about this a bit.

    As a side comment -- you guys do attempt to follow the 301 from Amazon -- but you follow the wrong IP address. You go after the Amazon S3 IP address (i.e. the redirect issuer), not the destination of the redirect. I really believe that a reasonable fix here is to follow the redirect as long as the root domain is the same. Who cares if foosite.com is redirected to www.foosite.com?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    It's not ideal, but if traffic can't access the root domain it shouldn't be an issue.

    cPanel's AutoSSL attempts to secure every domain in the account. As long as it's passing on the www., it should be fine; you can exclude the root domain that fails if you like by going to cPanel >> Security >> SSL/TLS Status.

    It doesn't actually follow the redirects, though. COMODO does not support any redirects, so the HTTP DCV check HAS to be able to query the domain over HTTP at the IP address it's hosted on without being redirected. The DNS DCV check additions we're making in v74 should resolve this completely for you, though.
     
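To make the two DCV behaviours discussed above concrete, here is an added example (not cPanel's, COMODO's or Let's Encrypt's code, and not from anyone in this thread) that simulates an HTTP DCV fetch of /.well-known/pki-validation/ against a constructed fake DNS and web stack in which the bare domain always 302-redirects to www. The strict policy (no redirects, as described for cPanel/COMODO) is compared with the "follow only within the same registered domain" rule the original poster proposes; the IP addresses, hostnames, token and filename are all constructed.

```python
"""Simulated HTTP DCV check with two redirect policies (added example)."""
from urllib.parse import urlparse

TOKEN = "constructed-dcv-token"                    # constructed validation token
PATH = "/.well-known/pki-validation/ABC123.txt"    # constructed validation filename

# Constructed DNS: the bare domain points at the S3 redirect endpoint,
# www. at the cPanel host, and shop.example at a bucket that redirects cross-domain.
FAKE_DNS = {
    "mysite.com": "203.0.113.10",
    "www.mysite.com": "198.51.100.20",
    "shop.example": "203.0.113.11",
}

def fake_fetch(ip, host, path):
    """Return (status, location, body) as the constructed server at `ip` would answer."""
    if ip == "203.0.113.10":                        # S3 bucket: always redirect to www.
        return 302, f"http://www.{host}{path}", ""
    if ip == "203.0.113.11":                        # bucket redirecting to a different domain
        return 302, f"http://www.mysite.com{path}", ""
    if ip == "198.51.100.20" and host == "www.mysite.com" and path == PATH:
        return 200, None, TOKEN                     # cPanel host serving the DCV file
    return 404, None, ""

def registered_domain(host):
    # Simplification: last two labels; a real checker would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def http_dcv(url, follow_same_domain=False, max_hops=3):
    """Return (passed, reason). Every hop re-resolves the Location host,
    rather than reusing the origin IP as the thread suspects cPanel did."""
    for _ in range(max_hops):
        u = urlparse(url)
        ip = FAKE_DNS.get(u.hostname)
        if ip is None:
            return False, f"no A record for {u.hostname}"
        status, location, body = fake_fetch(ip, u.hostname, u.path)
        if status == 200:
            ok = body.strip() == TOKEN
            return ok, f"token {'matches' if ok else 'mismatch'} at {u.hostname} ({ip})"
        if status in (301, 302) and location:
            if not follow_same_domain:
                return False, f"{status} redirect to {location}; redirects are not followed"
            target = urlparse(location).hostname
            if registered_domain(target) != registered_domain(u.hostname):
                return False, f"redirect leaves {registered_domain(u.hostname)}; refused"
            url = location
            continue
        return False, f"HTTP {status} from {u.hostname} ({ip})"
    return False, "too many redirects"
```

Under the strict policy the bare domain fails exactly as the poster's status page shows while www. passes; under the same-domain policy the bare domain passes but a redirect to another registered domain is still refused.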
  5. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Lauren - thanks. One point though on the redirect. In my case I tried both COMODO and the Let's Encrypt plugin for autoSSL. Let's Encrypt will allow DCV to pass through a redirect -- but it seems that autoSSL was being more strict and disallowing the redirect. It should have worked with Let's Encrypt as the CA.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @chuckcintron

    Both of them should disallow redirects; I'm not sure I understand what you mean by:

    Let's Encrypt allows forced HTTPS redirects but as far as I know, not the forced redirect to www
     
  7. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    OK... maybe I got bad information from the Let's Encrypt community forum, but they said the DCV redirect from base domain to www should be allowed, for retrieving the nonce and validating the base domain. In fact one fellow watched the network traffic in detail and is convinced that autoSSL did attempt to follow the redirect, but it picked the AWS S3 IP address instead of the redirect destination:

    autoSSL DCV vs Let's Encrypt DCV
     
  8. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @chuckcintron

    Thanks for that, I've opened an inquiry to our developers asking about the Let's Encrypt portion of this CPANEL-21489. The user in their forums does provide some pretty enlightening information.

    I'll update you as far as that goes as soon as I have an answer from them.

    Thank you!
     
  9. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @chuckcintron

    I apologize for the delay in responding to you, but I did want to let you know that I noticed one of our developers did respond to the post in the LE forum - https://community.letsencrypt.org/t/autossl-dcv-vs-lets-encrypt-dcv/65412/10

    From what I understand after discussing this with the team working on AutoSSL related items, the change should be in the LE RPM, and I'm curious if for some reason the package hasn't been updated on your server. Can you check the version:

    Code:
    rpm -qa | grep cpanel-letsencrypt
    And let me know the output?

    Thanks!
     