
SOLVED [CPANEL-25598] AutoSSL not always working

Discussion in 'Security' started by Denis Gomes Franco, Feb 21, 2019.

  1. Denis Gomes Franco

    Denis Gomes Franco Active Member

    Joined:
    Sep 3, 2018
    Messages:
    43
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Tupã, São Paulo, Brazil
    cPanel Access Level:
    Root Administrator
    Why is this happening? Seems that AutoSSL can successfully encrypt everything for some domains and mostly nothing for other domains.

    [attached screenshot: upload_2019-2-21_23-20-43.png]

    This is the notification e-mail I receive from AutoSSL:
    [attached screenshot: upload_2019-2-21_23-23-8.png]

    All of my domains are run through Cloudflare, all of them have the exact same DNS entries, all of them are set to FULL crypto... any ideas of what is going on? This is rather variable, eg., sometimes it will work, sometimes it won't (I have to keep trying until I get full encryption on all subdomains).
     
    #1 Denis Gomes Franco, Feb 21, 2019
    Last edited by a moderator: May 28, 2019
  2. Denis Gomes Franco

    By the way, I noticed something while trying to issue a certificate for a domain that was not getting validated in any way. Cloudflare was already enabled with full crypto, redirect to HTTPS and automatic HTTPS rewrites were on and the SSL log showed that the certificate was not issued because it won't allow redirects as it was trying to read a .TXT authentication file and Cloudflare was redirecting it from http to https.

    So it seems that the certificate cannot be issued while Cloudflare is HTTPs'ing the site. And that is weird because I never had any issues like this in this same scenario while using Plesk or other hosting solutions like Cloudways or Runcloud.
     
  3. Denis Gomes Franco

    And right now I just confirmed the above: disabling Cloudflare's crypto allows the certificate to be issued correctly for all subdomains. Still, that doesn't answer why it could encrypt some subdomains and not others.

    Question now is: what will happen when the certificate needs to be renewed? Guess I'll have to wait 3 months to find out.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,468
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Denis Gomes Franco

    This occurs in most cases when the proxy subdomains are not properly added through CloudFlare. In order to allow them to route properly they need to be added in the CloudFlare configuration.

    Are the other domains listed in the initial screenshot using CloudFlare as well? To troubleshoot I'd compare the domains added on one of the working ones to the domains added on the one that isn't working properly.


    Thanks!
     
  5. Denis Gomes Franco

    Hey Lauren, thanks for the reply. Yes I've added them, I know if I don't then I won't be able to open them up ;)
     
  6. cPanelLauren

    Hi @Denis Gomes Franco

    I’m wondering about two items at this point:

    1. Do the other domains listed there have cloudflare? I’d asked in my previous response but it is important for the next question.
    2. Do you have ipv6 enabled on the server?
    AutoSSL fails on CloudFlare servers now that we have implemented IPv6 if the underlying server doesn’t have IPv6 and is only accessible via IPv6 because CloudFlare is in front of it.

    That case ID is CPANEL-25598 but do let us know if that matches the situation you’re experiencing.

    Thanks!
     
  7. Denis Gomes Franco

    1. Yes, all of my domains are on Cloudflare. They are all configured the same way, with the same entries as those set up by cPanel's DNS server.
    2. Yes, it is enabled on Vultr (it was enabled prior to installing cPanel) but cPanel does not seem to be using it, nor are there any DNS entries pointing to IPv6 addresses. Also I don't mind using IPv6 at all.

    In my reply (#3) I posited that the problem is completely gone when I turn off Cloudflare's crypto, HTTPS redirect and HTTPS automatic rewrites. Looks like AutoSSL is validating the certificate by looking for a file under http://www.domain.tld/<something> (and other subdomains such as mail, webmail, cpanel) and that validation failed because Cloudflare would redirect to https://www.domain.tld/<something>. Then, AutoSSL complains that redirects were not allowed in validation so the certificate is never issued (or partially issued, which is even weirder).

    Thing is, I never had such issues when using Let's Encrypt on Plesk or other hosting platforms. They all worked flawlessly with my current Cloudflare settings.

    It should also be noted that Cloudflare can be configured to use 'flexible' encryption - that is, the server-to-CF communication is unencrypted but the CF-to-client communication is. I suppose many people use this option simply because it is the easiest way to add encryption to a website, so I believe AutoSSL should allow redirects to HTTPS when validating.

    EDIT: Just found out that pausing Cloudflare also allows the validation to proceed without any errors, so I don't need to disable HTTPS manually anymore.
     
    #7 Denis Gomes Franco, Feb 22, 2019
    Last edited: Feb 22, 2019
  8. cPanelLauren

    Where it stands now is: if this is occurring on all the domains, I believe the internal case we have opened is relevant in this instance. If it's only happening for that one domain, I'd be more inclined to believe that there is something different with the configuration there.

    In the instance that it is the case we have and it's affecting all domains, until the internal case is resolved the workaround options are as follows:

    • Disable cloudflare cdn routing temporarily
    • Disable IPv6 routing in CloudFlare (this is difficult on free cloudflare accounts as it requires the use of their API rather than a switch); see "How do I turn the Cloudflare IPv6 gateway on or off?"
    • Enable or fix IPv6 routing on the server
     
  9. Denis Gomes Franco

    Yes it is, at least for me...

    ...until I used this workaround, which so far has worked flawlessly.

    Thanks for the support so far, it's been much better than Plesk's, which never got around to opening cases whenever I had a problem.
     
  10. cPanelLauren

    Hi @Denis Gomes Franco


    Great, I think the portion where it was occurring on all domains was what I was missing; I was under the impression it was just the one domain that was having the issue. I'm really glad that the workaround listed in the case worked. The referenced case we have opened is being actively worked on and I'll update this thread when we release it to the product.

    Thanks!
     
  11. trsteel

    trsteel Registered

    Joined:
    Feb 26, 2019
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Brisbane
    cPanel Access Level:
    Root Administrator
    I'm having the same problem. Cloudflare domains are not allowing an SSL renewal.

    These all used to work. It seems to have only just stopped working recently.

    The following error comes through via email when it attempts a renewal "The domain “domain.com.au” resolved to an IP address “2606:4700:30:0:0:0:6812:2ca8” that does not exist on this server.".

    It looks like cPanel is now verifying the IP exists on the server for some reason?
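The two failure modes reported in this thread, the Cloudflare http-to-https redirect that breaks the validation fetch (post #7) and an AAAA answer that no address on the origin can match (post #11), as an added example that is not part of the thread and not cPanel's code. It is a simplified model of the checks a DCV validator performs, run against constructed inputs so it works offline: the validation path, the token and the origin and edge addresses are assumptions, and only the IPv6 address is taken from the error message quoted in post #11.

```python
# Added example (not cPanel's code): a pre-flight check for the two DCV failure
# modes reported in this thread, run against constructed inputs so it works
# offline. The DCV path, the token and the origin/edge addresses are assumptions.
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Hypothetical validation path and token; the page does not give cPanel's real ones.
DCV_PATH = "/.well-known/pki-validation/EXAMPLE-TOKEN.txt"
DCV_TOKEN = "EXAMPLE-TOKEN"

# Constructed sample data. 203.0.113.10 stands in for the origin's public IPv4,
# 198.51.100.1 for a Cloudflare IPv4 edge; the AAAA value is the one quoted in
# post #11. The origin has no IPv6 address at all.
SERVER_ADDRESSES = ["203.0.113.10", "127.0.0.1"]
CLOUDFLARE_ANSWERS = ["198.51.100.1", "2606:4700:30:0:0:0:6812:2ca8"]


def foreign_addresses(resolved: Sequence[str], local: Sequence[str]) -> List[str]:
    """Return the resolved addresses that are not bound on this server.

    ipaddress normalises textual forms, so '2606:4700:30::6812:2ca8' and the
    uncompressed spelling compare equal. While Cloudflare proxies the name, every
    answer is an edge address; an AAAA answer can never match an IPv4-only origin.
    """
    local_set = {ipaddress.ip_address(a) for a in local}
    return [a for a in resolved if ipaddress.ip_address(a) not in local_set]


def http_fetch_problem(status: int, headers: Dict[str, str], body: str, token: str) -> str:
    """Describe why a plain-HTTP fetch of the DCV file fails, or '' if it passes.

    The fetch is made over http:// and redirects are not followed, so a
    Cloudflare 'Always Use HTTPS' 301 to https:// fails validation by itself.
    """
    if 300 <= status < 400:
        target = headers.get("Location", "<no Location header>")
        return f"redirect ({status}) to {target}; redirects are not allowed during validation"
    if status != 200:
        return f"unexpected HTTP status {status}"
    if body.strip() != token:
        return "validation file content does not match the expected token"
    return ""


def dcv_preflight(domain: str, resolved: Sequence[str], local: Sequence[str],
                  status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Collect every reason DCV would fail for `domain`; an empty list means pass."""
    problems = [
        f'The domain "{domain}" resolved to an IP address "{addr}" that does not exist on this server.'
        for addr in foreign_addresses(resolved, local)
    ]
    fetch = http_fetch_problem(status, headers, body, DCV_TOKEN)
    if fetch:
        problems.append(f"http://{domain}{DCV_PATH}: {fetch}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Proxied-with-redirect versus paused-Cloudflare, as in posts #7 and #11."""
    proxied = dcv_preflight(
        "domain.com.au", CLOUDFLARE_ANSWERS, SERVER_ADDRESSES,
        301, {"Location": f"https://domain.com.au{DCV_PATH}"}, "",
    )
    # With Cloudflare paused the name resolves to the origin and the file is served as-is.
    paused = dcv_preflight(
        "domain.com.au", ["203.0.113.10"], SERVER_ADDRESSES,
        200, {}, DCV_TOKEN + "\n",
    )
    return proxied, paused


if __name__ == "__main__":
    for label, result in zip(("proxied", "paused"), demo()):
        print(f"{label}: {'PASS' if not result else ''}")
        for line in result:
            print("  -", line)
```

Running the block prints three problems for the proxied case (two foreign addresses, one of them the IPv6 edge, plus the disallowed redirect) and a pass for the paused case, which is the behaviour the thread observed when Cloudflare was paused. Feeding it the real A/AAAA answers and the server's bound addresses would reproduce the "does not exist on this server" message before AutoSSL runs, which is the useful check for an IPv4-only origin behind a proxy that answers AAAA queries.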
     
  12. cPanelLauren

    Hello @trsteel


    Please read above; this is a known issue and the workarounds are listed in this thread. I'll update this thread when the issue is resolved.


    Thanks!
     
  13. Benish

    Benish Registered

    Joined:
    Sep 19, 2017
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Portland, OR
    cPanel Access Level:
    Root Administrator
    I'm running in to this same issue. Can you provide more guidance on how to implement this workaround:
    > Enable or fix IPv6 routing on the server
     
  14. cPanelLauren

  15. trsteel

    Can you tell me if a fix is coming soon? We have a certificate expiring in 5 days and are wondering if we should just wait.

    Would switching to the cPanel certificates over Let's Encrypt resolve the issue?
     
  16. cPanelLauren

    Hello @trsteel

    The current workarounds are listed in this thread; I've also included them here:

    As far as when the case will be fixed, it's resolved in v80 of cPanel (which hasn't moved to EDGE as of yet) and slated to be patched in v78, but that hasn't been completed yet. I can't tell you exactly when it will be completed but I will update here when it is done.


    Thanks!
     
  17. cPanelLauren

    Hello,

    I just wanted to let you guys know that the patch for v78 for this issue has been implemented in v78.0.15.

    Please let us know if the issue persists after you update to this version.


    Thanks!
     
  18. Hazz

    Hazz Registered

    Joined:
    Mar 4, 2019
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    When can we expect this to be available on the release tier?
     
  19. cPanelLauren

    Hello @Hazz

    This just went to CURRENT today so I would anticipate sometime next week for it to be moved to RELEASE.

    Thanks!
     
  20. kiti

    kiti Member

    Joined:
    Sep 16, 2015
    Messages:
    18
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    france
    cPanel Access Level:
    Root Administrator
    I found a workaround: I use my server as a nameserver.
    I do a sudo nano /etc/hosts
    I comment out the actual nameserver and replace it with nameserver 127.0.0.1
    Consequently, during the AutoSSL renewal process, WHM/cPanel will not get the DNS entries from Cloudflare but from the DNS records of the cPanel server itself. That's how I get the right _cpanel-dcv-test-record.mydomain.com
     
    cPanelLauren likes this.