SOLVED [CPANEL-25598] AutoSSL not always working

Denis Gomes Franco

Well-Known Member
Sep 3, 2018
45
6
8
Tupã, São Paulo, Brazil
cPanel Access Level
Root Administrator
Why is this happening? Seems that AutoSSL can successfully encrypt everything for some domains and mostly nothing for other domains.

[screenshot attachment: upload_2019-2-21_23-20-43.png]

This is the notification e-mail I receive from AutoSSL:
[screenshot attachment: upload_2019-2-21_23-23-8.png]

All of my domains are run through Cloudflare, all of them have the exact same DNS entries, all of them are set to FULL crypto... any ideas of what is going on? This is rather variable, e.g., sometimes it will work, sometimes it won't (I have to keep trying until I get full encryption on all subdomains).
 

Denis Gomes Franco

By the way, I noticed something while trying to issue a certificate for a domain that was not getting validated in any way. Cloudflare was already enabled with full crypto, redirect to HTTPS and automatic HTTPS rewrites were on and the SSL log showed that the certificate was not issued because it won't allow redirects as it was trying to read a .TXT authentication file and Cloudflare was redirecting it from http to https.

So it seems that the certificate cannot be issued while Cloudflare is HTTPs'ing the site. And that is weird because I never had any issues like this in this same scenario while using Plesk or other hosting solutions like Cloudways or Runcloud.
 

Denis Gomes Franco

And right now I just confirmed the above: disabling Cloudflare's crypto allows the certificate to be issued correctly for all subdomains. Still, that doesn't answer why it could encrypt some subdomains and not others.

Question now is: what will happen when the certificate needs to be renewed? Guess I'll have to wait 3 months to find out.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,112
661
263
Houston
cPanel Access Level
DataCenter Provider
Hello @Denis Gomes Franco

This occurs in most cases when the proxy subdomains are not properly added through CloudFlare. In order to allow them to route properly they need to be added in the CloudFlare configuration.

Are the other domains listed in the initial screenshot using CloudFlare as well? To troubleshoot I'd compare the domains added on one of the working ones to the domains added on the one that isn't working properly.


Thanks!
 

cPanelLauren

Hi @Denis Gomes Franco

I’m wondering about two items at this point:

  1. Do the other domains listed there have Cloudflare? I'd asked in my previous response but it is important for the next question.
  2. Do you have IPv6 enabled on the server?

AutoSSL fails on CloudFlare servers now that we have implemented IPv6 if the underlying server doesn't have IPv6 and is only accessible via IPv6 because CloudFlare is in front of it.

That case ID is CPANEL-25598 but do let us know if that matches the situation you’re experiencing.

Thanks!
 

Denis Gomes Franco

1. Yes, all of my domains are on Cloudflare. They are all configured the same way, with the same entries as those set up by cPanel's DNS server.
2. Yes, it is enabled on Vultr (it was enabled prior to installing cPanel) but cPanel does not seem to be using it, nor are there any DNS entries pointing to IPv6 addresses. Also I don't mind using IPv6 at all.

In my reply (#3) I posited that the problem is completely gone when I turn off Cloudflare's crypto, HTTPS redirect and HTTPS automatic rewrites. Looks like AutoSSL is validating the certificate by looking for a file under http://www.domain.tld/<something> (and other subdomains such as mail, webmail, cpanel) and that validation failed because Cloudflare would redirect to https://www.domain.tld/<something>. Then, AutoSSL complains that redirects were not allowed in validation so the certificate is never issued (or partially issued, which is even weirder).

Thing is, I never had such issues when using Let's Encrypt on Plesk or other hosting platforms. They all worked flawlessly with my current Cloudflare settings.

It should also be noted that Cloudflare can be configured to use 'flexible' encryption - that is, the server-to-CF communication is unencrypted but the CF-to-client communication is. I suppose many people use this option simply because it is the easiest way to add encryption to a website, so I believe AutoSSL should allow redirects to HTTPS when validating.

EDIT: Just found out that pausing Cloudflare also allows the validation to proceed without any errors, so I don't need to disable HTTPS manually anymore.
 

cPanelLauren

Where it stands now is: if this is occurring on all the domains, I believe the internal case we have opened is relevant in this instance. If it's only happening for that one domain, I'd be more inclined to believe that there is something different with the configuration there.

In the instance that it is the case we have and it's affecting all domains, until the internal case is resolved the workaround options are as follows:

  • Disable Cloudflare CDN routing temporarily
  • Disable IPv6 routing in CloudFlare (this is difficult on free Cloudflare accounts as it requires the use of their API rather than a switch; see: How do I turn the Cloudflare IPv6 gateway on or off?)
  • Enable or fix IPv6 routing on the server
 

Denis Gomes Franco


cPanelLauren

Hi @Denis Gomes Franco


Great, I think the portion where it was occurring on all domains was what I was missing; I was under the impression it was just the one domain that was having the issue. I'm really glad that the workaround listed in the case worked. The referenced case we have opened is being actively worked on and I'll update this thread when we release it to the product.

Thanks!
 

trsteel

Registered
Feb 26, 2019
2
0
1
Brisbane
cPanel Access Level
Root Administrator
I'm having the same problem. Cloudflare domains are not allowing an SSL renewal.

These all used to work. It seems to have only just stopped working recently.

The following error comes through via email when it attempts a renewal: "The domain “domain.com.au” resolved to an IP address “2606:4700:30:0:0:0:6812:2ca8” that does not exist on this server."

It looks like cPanel is now verifying the IP exists on the server for some reason?
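The two failure modes described in this thread (reply #5 above: the validator fetches a file over plain HTTP and Cloudflare answers with a redirect to HTTPS, which the validator refuses to follow; and the renewal e-mail quoted here: the name resolves to a Cloudflare proxy address that the server itself does not hold) can both be spotted before AutoSSL runs. The following pre-flight checker is an added example written for this thread; it is not cPanel's AutoSSL code and does not know AutoSSL's real validation file name, so DCV_PATH is a hypothetical placeholder. It uses only the Python standard library: resolution goes through the system resolver (the same one cPanel would use), the HTTP probe deliberately does not follow redirects, and the decision logic is kept separate from network I/O so it can be exercised with constructed input.

```python
"""Pre-flight check for HTTP domain-control validation (DCV) behind a CDN proxy.

Added example for this forum thread; not cPanel's AutoSSL code. It reproduces
the two failure modes reported here so an admin can test a domain before the
AutoSSL run:
  1. the name resolves (A/AAAA) to an address the server does not hold, e.g.
     a Cloudflare proxy IPv6 address like the one in the renewal e-mail;
  2. a plain-HTTP request for the validation file is answered with a redirect
     to HTTPS, which the validator refuses to follow.
DCV_PATH is a hypothetical placeholder; the thread does not show the real name.
"""
import http.client
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DCV_PATH = "/.well-known/dcv-precheck.txt"  # placeholder path, not AutoSSL's
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class DcvReport:
    domain: str
    resolved: List[str]
    foreign: List[str]          # resolved addresses this server does not own
    status: Optional[int]
    location: Optional[str]
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def analyse(domain: str, resolved: List[str], server_ips: Set[str],
            status: Optional[int], location: Optional[str]) -> DcvReport:
    """Pure decision logic: takes lookup/probe results, returns the findings.

    Kept free of network I/O so it can be unit-tested with constructed input.
    """
    foreign = [ip for ip in resolved if ip not in server_ips]
    problems: List[str] = []
    if foreign:
        problems.append(f"{domain} resolves to {', '.join(foreign)}, "
                        "which this server does not hold")
        server_has_v6 = any(ipaddress.ip_address(ip).version == 6 for ip in server_ips)
        foreign_has_v6 = any(ipaddress.ip_address(ip).version == 6 for ip in foreign)
        if foreign_has_v6 and not server_has_v6:
            problems.append("an AAAA record points at the proxy but the server has no "
                            "IPv6 address; enable IPv6 on the server or turn off the "
                            "proxy's IPv6 gateway")
    if status in REDIRECT_CODES:
        problems.append(f"plain-HTTP GET {DCV_PATH} answered {status} -> {location}; "
                        "HTTP validation does not follow redirects")
    elif status is not None and status != 200:
        problems.append(f"plain-HTTP GET {DCV_PATH} answered {status}, expected 200")
    return DcvReport(domain, resolved, foreign, status, location, problems)


def resolve_all(domain: str) -> List[str]:
    """Every A/AAAA address the system resolver returns for the name."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def local_addresses() -> Set[str]:
    """Addresses this host resolves its own hostname to (stdlib-only approximation)."""
    infos = socket.getaddrinfo(socket.gethostname(), None)
    return {info[4][0] for info in infos}


def probe_http(domain: str, path: str = DCV_PATH,
               timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One plain-HTTP GET; http.client never follows redirects, so a 301/302 surfaces as-is."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": domain, "User-Agent": "dcv-precheck"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_domain(domain: str, server_ips: Optional[Set[str]] = None) -> DcvReport:
    """Live check: resolve, probe, analyse. Pass server_ips explicitly when the
    hostname lookup does not reflect the addresses bound on the box."""
    ips = server_ips if server_ips is not None else local_addresses()
    resolved = resolve_all(domain)
    try:
        status, location = probe_http(domain)
    except OSError as exc:          # refused, timed out, no route
        report = analyse(domain, resolved, ips, None, None)
        report.problems.append(f"plain-HTTP probe of {domain} failed: {exc}")
        return report
    return analyse(domain, resolved, ips, status, location)


if __name__ == "__main__":
    import sys
    report = check_domain(sys.argv[1], set(sys.argv[2:]) or None)
    for line in report.problems or ["no DCV problems detected"]:
        print(line)
```

Run it as `python3 dcv_precheck.py www.example.test 203.0.113.10` from the cPanel box (server addresses listed after the domain); an empty problem list means the name points at this server and the validation path is served directly over HTTP. Pausing Cloudflare or switching the record to DNS-only, as the thread describes, should make both findings disappear, which is a quick way to confirm that the proxy, not the server, is what the validator is hitting.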
 

cPanelLauren

Hello @trsteel

The current workarounds are listed in this thread, I've also included them here:

Until the internal case is resolved the workaround options are as follows:

  • Disable Cloudflare CDN routing temporarily
  • Disable IPv6 routing in CloudFlare (this is difficult on free Cloudflare accounts as it requires the use of their API rather than a switch; see: How do I turn the Cloudflare IPv6 gateway on or off?)
  • Enable or fix IPv6 routing on the server

As far as when the case will be fixed, it's resolved in v80 (which isn't moved to EDGE as of yet) of cPanel and slated to be patched in v78 but that hasn't been completed yet. I can't tell you exactly when it will be completed but I will update here when it is done.


Thanks!
 

kiti

Member
Sep 16, 2015
18
3
3
france
cPanel Access Level
Root Administrator
I found a workaround: I use my server as a nameserver.
I do a sudo nano /etc/hosts
I comment out the actual nameserver and replace it with nameserver 127.0.0.1
Consequently, during the AutoSSL renewal process, WHM/cPanel will not get the DNS entries from Cloudflare but from the DNS records of the cPanel server itself. That's how I get the right _cpanel-dcv-test-record.mydomain.com
 