SOLVED [CPANEL-25899] checkallsslcerts fails when the hostname is assigned an IPv6 address

Discussion in 'Security' started by k2tec, Feb 25, 2019.

  1. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    104
    Likes Received:
    5
    Trophy Points:
    68
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Two of my VPSes are having problems with the manage service SSL.
    The servers have been running for a long time without problems, but now SSL won't renew its certificates.

    Both vps are running:
    • CENTOS 6.10 kvm [vps]
    • v78.0.12

    Code:
    root@vps [~]# /usr/local/cpanel/bin/checkallsslcerts --verbose
    The system will check for the certificate for the “cpanel” service.
    The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
    The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
    The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
    The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
    Received error “X::NoCertificate” from cPanel Store; requesting new certificate …
    Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/09E981F8E1A905A6942C5769FA837165.txt) …
            … complete.
    Setting up DNS DCV (CNAME _09e981f8e1a905a6942c5769fa837165.vps.eq5.myserver.com) …
            … complete.
    Attempting DNS DCV preflight check …
            FAILED: The DNS DCV check (_09e981f8e1a905a6942c5769fa837165.vps.eq5.myserver.com IN CNAME) did not return the expected value (e49d0b50b0654e7f1efdb3e869f3529f.9fb7fecdbac8015d57fe650ae1d61ea5.comodoca.com).
    Attempting HTTP DCV preflight check …
            FAILED: Cpanel::Exception/(XID 6xnhx8) The system queried for a temporary file at “http://vps.eq5.myserver.com/.well-known/pki-validation/09E981F8E1A905A6942C5769FA837165.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
     at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 386.
            Cpanel::SSL::DCV::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x32ac8a0)) called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
            Try::Tiny::try(CODE(0x2c567a8), Try::Tiny::Catch=REF(0x2a1e3b8)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 446
            Cpanel::SSL::DCV::_verify_http("http://vps.eq5.myserver.com/.well-known/pki-validation/09E"..., "e49d0b50b0654e7f1efdb3e869f3529f9fb7fecdbac8015d57fe650ae1d61"..., "COMODO DCV", ARRAY(0x32778d8)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 282
            Cpanel::SSL::DCV::verify_http("http://vps.eq5.myserver.com/.well-known/pki-validation/09E"..., "e49d0b50b0654e7f1efdb3e869f3529f9fb7fecdbac8015d57fe650ae1d61"..., "COMODO DCV") called at /usr/local/cpanel/Cpanel/Market/Provider/cPStore/Utils.pm line 88
            Cpanel::Market::Provider::cPStore::Utils::imitate_http_dcv_check_locally("vps.eq5.myserver.com", ".well-known/pki-validation/09E981F8E1A905A6942C5769FA837165.txt", "e49d0b50b0654e7f1efdb3e869f3529f9fb7fecdbac8015d57fe650ae1d61"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 193
            eval {...} called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 189
            Cpanel::cPStore::HostnameCert::DCV::set_up("-----BEGIN CERTIFICATE REQUEST-----\x{a}MIICnDCCAYQCAQAwIjEgMB4GA"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 159
            Cpanel::cPStore::HostnameCert::_request_new_certificate(Cpanel::cPStore::HostnameCert=HASH(0x25bd510)) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 129
            Cpanel::cPStore::HostnameCert::get_hostname_cert_from_store(Cpanel::cPStore::HostnameCert=HASH(0x25bd510)) called at bin/checkallsslcerts.pl line 528
            bin::checkallsslcerts::_get_certificate_pem_from_store(bin::checkallsslcerts=HASH(0x1b16120)) called at bin/checkallsslcerts.pl line 450
            bin::checkallsslcerts::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
            eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
            Try::Tiny::try(CODE(0x226abb8), Try::Tiny::Catch=REF(0x1b8b8f8)) called at bin/checkallsslcerts.pl line 454
            bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_cpstore(bin::checkallsslcerts=HASH(0x1b16120), "cpanel") called at bin/checkallsslcerts.pl line 310
            bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x1b16120), "cpanel") called at bin/checkallsslcerts.pl line 86
            bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x1b16120)) called at bin/checkallsslcerts.pl line 50
    Undoing HTTP DCV setup …
            … complete.
    Undoing DNS DCV setup …
            … complete.
    [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
    Code:
    root@vps [~]# dig a vps.eq5.myserver.com
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> a vps.eq5.myserver.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54963
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;vps.eq5.myserver.com.       IN      A
    
    ;; ANSWER SECTION:
    vps.eq5.myserver.com. 7200   IN      A       111.222.333.444
    
    ;; Query time: 4 msec
    ;; SERVER: 111.222.333.888#53(111.222.333.888)
    ;; WHEN: Sat Feb 23 12:00:21 2019
    ;; MSG SIZE  rcvd: 57
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,002
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. k2tec

    k2tec Well-Known Member

    Hello Michael,

    In all the years it has been running, no other server applications have been installed. The servers are all installed with CSF and Letsencrypt.
    I have read the thread about nginx.
    Maybe it is the old mixed setup with Letsencrypt. But I can't verify this.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @k2tec,

    Can you open a support ticket so we can take a closer look at your system to see why it's not working? You can post the ticket number here and we'll link this thread to it.

    Thank you.
     
  5. k2tec

    k2tec Well-Known Member

    Your support request ID: 11539333
     
  6. k2tec

    k2tec Well-Known Member

    The problem was the IPv6 IP range.

    I hope this will help other people with the same problem.
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @k2tec,

    Edit. Here's the most recent update on this issue:

    The /usr/local/cpanel/bin/checkallsslcerts warnings appear because HTTP domain control validation will fail for the server's hostname when it's assigned an IPv6 address (the corresponding IPv6 virtual host entry isn't set up by default). Case CPANEL-25611 will address this issue.

    As a temporary workaround until the case is published, you can remove the AAAA DNS record for the server's hostname, manually run /usr/local/cpanel/bin/checkallsslcerts to ensure DCV (domain control validation) succeeds, and then re-add the AAAA DNS record for the server's hostname.

    Thank you.
     
    #7 cPanelMichael, Feb 28, 2019
    Last edited: Mar 4, 2019
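
The per-address-family check that the explanation above implies, as an added example that is not part of the thread or cPanel's own code: it requests one file separately from each A and AAAA address of the hostname, so a failure that only occurs over IPv6 shows up directly. The hostname and test file name are constructed placeholders, and it assumes you created the test file yourself under /var/www/html/.well-known/pki-validation/.

```python
import http.client
import socket


def resolve(host, family):
    """Sorted unique addresses for host in one family (AF_INET or AF_INET6)."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no A / AAAA record published for this family
    return sorted({info[4][0] for info in infos})


def probe(addr, host, path, port=80, timeout=5):
    """GET path from one specific address, sending the real hostname as Host.

    Returns the HTTP status code, or None if the request could not complete.
    """
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def diagnose(v4, v6):
    """Classify per-address results (lists of statuses, one per address)."""
    ok4 = bool(v4) and all(s == 200 for s in v4)
    ok6 = all(s == 200 for s in v6)  # vacuously true when there is no AAAA record
    if ok4 and ok6:
        return "ok"
    if ok4:
        return "ipv6-only-failure"  # AAAA published, but IPv6 does not serve the file
    return "ipv4-failure" if ok6 else "both-fail"


def check(host, path):
    """Probe every A and AAAA address of host and return the verdict."""
    v4 = [probe(a, host, path) for a in resolve(host, socket.AF_INET)]
    v6 = [probe(a, host, path) for a in resolve(host, socket.AF_INET6)]
    return diagnose(v4, v6)


if __name__ == "__main__":
    # Constructed placeholders: use the server's own hostname and a test file
    # you created under /var/www/html/.well-known/pki-validation/.
    print(check("vps.example.com", "/.well-known/pki-validation/dcv-test.txt"))
```

A result of "ipv6-only-failure" matches the situation described in this thread; any other failing verdict points to a different DNS or web server problem.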
  8. k2tec

    k2tec Well-Known Member

    Thanks Michael,
    So far the solution above has created a certificate for both VPSes.
    Placed back the IPv6 on the server-services and the IPv6 on all users.

    regards,
    Tom
     
  9. AlanB

    AlanB Registered

    Joined:
    Feb 24, 2019
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Seattle,WA
    cPanel Access Level:
    Root Administrator
    I have the same issue, and all the hoops we have to jump through to "maybe" fix it are scary for some. How do we even know what IPv6 range to add? This happened to me about a month ago and is still an issue.

    The following cPanel service generated warnings from the checkallsslcerts script.

    ⚠ cpanel

    The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!

    This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @AlanB,

    The /usr/local/cpanel/bin/checkallsslcerts warnings appear because HTTP domain control validation will fail for the server's hostname when it's assigned an IPv6 address (the corresponding IPv6 virtual host entry isn't set up by default). Case CPANEL-25611 will address this issue.

    As a temporary workaround until the case is published, you can remove the AAAA DNS record for the server's hostname, manually run /usr/local/cpanel/bin/checkallsslcerts to ensure DCV (domain control validation) succeeds, and then re-add the AAAA DNS record for the server's hostname.

    Thank you.
     
  11. jmig

    jmig Member

    Joined:
    Jun 7, 2018
    Messages:
    7
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Philadelphia
    cPanel Access Level:
    Root Administrator
    Just want to add that I started receiving the same error about two weeks ago. I have an open ticket with cPanel support, but so far they have not been able to resolve the issue.

    EDIT: AAAA record is not configured, so I can't remove them.
     
    #11 jmig, Mar 5, 2019
    Last edited: Mar 5, 2019
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hi @jmig,

    Can you share the ticket number?

    Thank you.
     
  13. bellwood

    bellwood Active Member PartnerNOC

    Joined:
    Sep 25, 2012
    Messages:
    29
    Likes Received:
    5
    Trophy Points:
    3
    Location:
    New York
    cPanel Access Level:
    DataCenter Provider
    If you're comfortable editing httpd.conf, on/around line 305 is the default vhost for your server's IPv4 address.

    If you copy that VirtualHost block, change the IPv4 to your server's main IPv6, insert it directly after (so you now have both a default IPv4 and IPv6 vhost), and then restart Apache, you'll be able to run /usr/local/cpanel/bin/checkallsslcerts and receive a certificate without issue.

    While this is way easier than messing with DNS, you can bork up your Apache config and it's not supported by cPanel.

    Note: After /usr/local/cpanel/bin/checkallsslcerts completes, it will rebuild and restart Apache - removing the new vhost block you added - so there's no need to go back in and change/remove it.
     
    #13 bellwood, Mar 18, 2019
    Last edited: Mar 18, 2019
  14. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello Everyone,

    The following case was included in cPanel & WHM version 78.0.15:

    Implemented case CPANEL-25899: Fallback to IPv4 DCV when IPv6 DCV fails for known proxies.

    This should address the issue reported in this thread. Additionally, case CPANEL-25611 is still planned for publication in an upcoming version 78 build to ensure the IPv6 virtual host for the server's main shared IPv6 address is set up when the httpd.conf file is built. I'll update this thread again when this case is published.

    Thank you.
     
  15. bellwood

    bellwood Active Member PartnerNOC

    Heeey we got a back port! Someone at cPanel scream "thanks Benny" across the office ;)
     
  16. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello Everyone,

    The additional case (CPANEL-25611) was published as part of cPanel & WHM version 78.0.20 (now available on the CURRENT release tier):

    Fixed case CPANEL-25611: Fix checkallsslcerts for servers with an IPv6 address.

    Let us know of any additional issues after upgrading to version 78.0.20 or higher.

    Thanks!
     
  17. ericc06

    ericc06 Registered

    Joined:
    May 1, 2019
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    France
    cPanel Access Level:
    Root Administrator
    Hello,

    Logged as root in WHM v.78.0.21, I renewed 2 self-signed SSL certificates yesterday.
    This morning we received this email from the system:

    The following cPanel service generated warnings from the checkallsslcerts script.

    The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
    This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.
    The system generated this notice on Tuesday, April 30, 2019 at 11:20:04 PM UTC.


    Is this warning related to the present case [CPANEL-25899]?
    What can I do to fix this?

    There is no AAAA record in the DNS.

    The web server is Apache/2.4.39 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4

    I opened a ticket for this. Support Request ID: 12154123

    Thank you.
     
  18. ericc06

    ericc06 Registered

    In my case it seems that the problem comes from a DNS configuration issue.
    To be confirmed...
     
  19. AlanB

    AlanB Registered

    Still not working. Failed to acquire a signed certificate, same error since my first post, and I have done all requested, but the AAAA is not applicable.
     
  20. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @AlanB,

    Can you open a support ticket so we can take a closer look?

    Thank you.
     