SOLVED [CPANEL-25899] checkallsslcerts fails when the hostname is assigned an IPv6 address

[k2tec]

2 of my vps having problems with the manage service SSL.
The servers are running for a longer time without problems, but now SSL won't renew it certificates.

Both vps are running:

• CENTOS 6.10 kvm [vps]
• v78.0.12

[email protected] [~]# /usr/local/cpanel/bin/checkallsslcerts --verbose

[email protected] [~]# /usr/local/cpanel/bin/checkallsslcerts --verbose
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service                                                                                is still valid using OCSP (Online Certificate Status Protocol).
The “cpanel” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “cpanel” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
Received error “X::NoCertificate” from cPanel Store; requesting new certificate …
Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/09E981F8E1A905A6942C5769FA837165.txt) …
        … complete.
Setting up DNS DCV (CNAME _09e981f8e1a905a6942c5769fa837165.vps.eq5.myserver.com) …
        … complete.
Attempting DNS DCV preflight check …
        FAILED: The DNS DCV check (_09e981f8e1a905a6942c5769fa837165.vps.eq5.myserver.com IN CNAME) did not return the expected value (e49d0b50b0654e7f1efdb3e869f3529f.9fb7fecdbac8015d57fe650ae1d61ea5.comodoca.com).
Attempting HTTP DCV preflight check …
        FAILED: Cpanel::Exception/(XID 6xnhx8) The system queried for a temporary file at “http://vps.eq5.myserver.com/.well-known/pki-validation/09E981F8E1A905A6942C5769FA837165.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 386.
        Cpanel::SSL::DCV::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x32ac8a0)) called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
        Try::Tiny::try(CODE(0x2c567a8), Try::Tiny::Catch=REF(0x2a1e3b8)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 446
        Cpanel::SSL::DCV::_verify_http("http://vps.eq5.myserver.com/.well-known/pki-validation/09E"..., "e49d0b50b0654e7f1efdb3e869f3529f9fb7fecdbac8015d57fe650ae1d61"..., "COMODO DCV", ARRAY(0x32778d8)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 282
        Cpanel::SSL::DCV::verify_http("http://vps.eq5.myserver.com/.well-known/pki-validation/09E"..., "e49d0b50b0654e7f1efdb3e869f3529f9fb7fecdbac8015d57fe650ae1d61"..., "COMODO DCV") called at /usr/local/cpanel/Cpanel/Market/Provider/cPStore/Utils.pm line 88
        Cpanel::Market::Provider::cPStore::Utils::imitate_http_dcv_check_locally("vps.eq5.myserver.com", ".well-known/pki-validation/09E981F8E1A905A6942C5769FA837165.txt", "e49d0b50b0654e7f1efdb3e869f3529f9fb7fecdbac8015d57fe650ae1d61"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 193
        eval {...} called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 189
        Cpanel::cPStore::HostnameCert::DCV::set_up("-----BEGIN CERTIFICATE REQUEST-----\x{a}MIICnDCCAYQCAQAwIjEgMB4GA"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 159
        Cpanel::cPStore::HostnameCert::_request_new_certificate(Cpanel::cPStore::HostnameCert=HASH(0x25bd510)) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 129
        Cpanel::cPStore::HostnameCert::get_hostname_cert_from_store(Cpanel::cPStore::HostnameCert=HASH(0x25bd510)) called at bin/checkallsslcerts.pl line 528
        bin::checkallsslcerts::_get_certificate_pem_from_store(bin::checkallsslcerts=HASH(0x1b16120)) called at bin/checkallsslcerts.pl line 450
        bin::checkallsslcerts::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
        eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
        Try::Tiny::try(CODE(0x226abb8), Try::Tiny::Catch=REF(0x1b8b8f8)) called at bin/checkallsslcerts.pl line 454
        bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_cpstore(bin::checkallsslcerts=HASH(0x1b16120), "cpanel") called at bin/checkallsslcerts.pl line 310
        bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x1b16120), "cpanel") called at bin/checkallsslcerts.pl line 86
        bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x1b16120)) called at bin/checkallsslcerts.pl line 50
Undoing HTTP DCV setup …
        … complete.
Undoing DNS DCV setup …
        … complete.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!

[email protected] [~]# dig a vps.eq5.myserver.com

[email protected] [~]# dig a vps.eq5.myserver.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> a vps.eq5.myserver.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54963
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vps.eq5.myserver.com.       IN      A

;; ANSWER SECTION:
vps.eq5.myserver.com. 7200   IN      A       111.222.333.444

;; Query time: 4 msec
;; SERVER: 111.222.333.888#53(111.222.333.888)
;; WHEN: Sat Feb 23 12:00:21 2019
;; MSG SIZE  rcvd: 57

 

[cPanelMichael]

Hello @k2tec,

Can you verify if you are using any third-party web server applications on this system? A recent report notes a similar problem and workaround when using Nginx:

SOLVED - cPanel Service SSL Certificate Warnings with Nginx

Thank you.

 

[k2tec]

Hello Michael,

In all the years it is running no other server applications are installed. The server are all installed with CSF, Letsencrypt.
The thread with the nginx I have read.
Maybe it is the old mixed setup with Letsencrypt. But I can't verify this.

 

[cPanelMichael]

Hello @k2tec,

Can you open a support ticket so we can take a closer look at your system to see why it's not working? You can post the ticket number here and we'll link this thread to it.

Thank you.

 

[k2tec]

Your support request ID: 11539333

 

[k2tec]

The problem was the IPv6 IP range.

After taking a look at your server I noticed that your servers shared IPv6 address is not a single IPv6 address but rather an entire /64.

I believe this is the root cause of the issue and you will need to add a single IPv6 address(aka a /128) from the range you have to the server and set that as your shared IPv6 address.

You can read more about how to properly configure IPv6 for cPanel servers at the link below.

**************************************************************************
Guide to IPv6 - How to Get Started With IPv6 - Version 78 Documentation - cPanel Documentation
**************************************************************************

The reason this is popping up as an issue now when it didn't previously is due to Sectigo (Formerly Comodo) recently started performing the DCV checks using IPv6 when a domain has an AAAA DNS record configured for it. Previously they only looked up the domains A record and used the IPv4 address that was returned which is why the check would have passed then without any issues.

Alternatively, you could also temporarily remove the AAAA record for your hostname which would result in Sectigo performing the DCV check using the IPv4 address instead of the IPv6.

I hope this will help other people with the same problem.

 

[cPanelMichael]

Hello @k2tec,

Edit. Here's the most recent update on this issue:

The /usr/local/cpanel/bin/checkallsslcerts warnings appear because HTTP domain control validation will fail for the server's hostname when it's assigned an IPv6 address (the corresponding IPv6 virtual host entry isn't setup by default). Case CPANEL-25611 will address this issue.

As a temporary workaround until the case is published, you can remove the AAAA DNS record for the server's hostname, manually run /usr/local/cpanel/bin/checkallsslcerts to ensure DCV (domain control validation) succeeds, and then re-add the AAAA DNS record for the server's hostname.

Thank you.

 

[k2tec]

Thanks Michael,
So far the solution above has created a certificat for both VPSen.
Placed back the IPv6 on the server-services and the IPv6 on all users.

regards,
Tom

 

[AlanB]

I have the same issue and all the hoops we have to jump thru to "maybe " fix it is scary for some. How do we even know what IPv6 range to add ? This happened to me about a month ago and is still and issue.

The following cPanel service generated warnings from the checkallsslcerts script.

cpanel

The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!

This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.

 

[cPanelMichael]

Hello @AlanB,

The /usr/local/cpanel/bin/checkallsslcerts warnings appear because HTTP domain control validation will fail for the server's hostname when it's assigned an IPv6 address (the corresponding IPv6 virtual host entry isn't setup by default). Case CPANEL-25611 will address this issue.

As a temporary workaround until the case is published, you can remove the AAAA DNS record for the server's hostname, manually run /usr/local/cpanel/bin/checkallsslcerts to ensure DCV (domain control validation) succeeds, and then re-add the AAAA DNS record for the server's hostname.

Thank you.

 

[Deleted member 920855]

Just want to add that I started receiving the same error about two weeks ago. I have an open ticket with cPanel support, but so far they have not been able to resolve the issue.

EDIT: AAAA record is not configured, so I can't remove them.

 

[cPanelMichael]

I have an open ticket with cPanel support, but so far they have not been able to resolve the issue.

Hi @jmig,

Can you share the ticket number?

Thank you.

 

[bellwood]

If you're comfortable editing httpd.conf, on/around line 305 is the default vhost for your servers' IPv4 address.

If you copy that virtualhost block and change the IPv4 to your servers main IPv6 and insert it directly after (so you now have both a default IPv4 and IPv6 vhost) and then restart apache you'll be able to run /usr/local/cpanel/bin/checkallsslcerts and receive a certificate without issue.

While this is way easier than messing with DNS, you can bork up your Apache config and it's not supported by cPanel.

Note: After /usr/local/cpanel/bin/checkallsslcerts completes, it will rebuild and restart Apache - removing the new vhost block you added - so there's no need to go back in and change/remove it.

 

[cPanelMichael]

Hello Everyone,

The following case was included in cPanel & WHM version 78.0.15:

Implemented case CPANEL-25899: Fallback to IPv4 DCV when IPv6 DCV fails for known proxies.

This should address the issue reported in this thread. Additionally, case CPANEL-25611 is still planned for publication in an upcoming version 78 build to ensure the IPv6 virtual host for the server's main shared IPv6 address is setup when the httpd.conf file is built. I'll update this thread again when this case is published.

Thank you.

 

[bellwood]

Heeey we got a back port! Someone at cPanel scream "thanks Benny" across the office

 

[cPanelMichael]

Hello Everyone,

The additional case (CPANEL-25611) was published as part of cPanel & WHM version 78.0.20 (now available on the CURRENT release tier):

Fixed case CPANEL-25611: Fix checkallsslcerts for servers with an IPv6 address.

Let us know of any additional issues after upgrading to version 78.0.20 or higher.

Thanks!

 

[ericc06]

Hello,

Logged as root in WHM v.78.0.21, I renewed 2 self-signed SSL certificates yesterday.
This morning we received this email from the system:

The following cPanel service generated warnings from the checkallsslcerts script.

The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.
The system generated this notice on Tuesday, April 30, 2019 at 11:20:04 PM UTC.

Is this warning related to the present case [CPANEL-25899]?
What can I do to fix this?

There is no AAAA record in the DNS.

The web server is Apache/2.4.39 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4

I opened a ticket for this. Support Request ID: 12154123

Thank you.

 

[ericc06]

Hello,

Logged as root in WHM v.78.0.21, I renewed 2 self-signed SSL certificates yesterday.
This morning we received this email from the system:

The following cPanel service generated warnings from the checkallsslcerts script.

The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
This notice is the result of a request from “/usr/local/cpanel/bin/checkallsslcerts”.
The system generated this notice on Tuesday, April 30, 2019 at 11:20:04 PM UTC.

Is this warning related to the present case [CPANEL-25899]?
What can I do to fix this?

There is no AAAA record in the DNS.

The web server is Apache/2.4.39 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4

I opened a ticket for this. Support Request ID: 12154123

Thank you.

In my case it seems that the problem comes from a DNS configuration issue.
To be confirmed...

 

[AlanB]

Still not working. failed to acquire a signed certificate same error since my first post and I have done all requested but the AAA is not applicable .

 

[cPanelMichael]

Still not working. failed to acquire a signed certificate same error since my first post and I have done all requested but the AAA is not applicable .

Hello @AlanB,

Can you open a support ticket so we can take a closer look?

Thank you.