CSF is preventing AutoSSL from completing

GoWilkes (Well-Known Member, cPanel Access Level: Root Administrator):
This one's been a thorn in my side for a while, so I'm hoping if any of you have come across it then you can offer some insight.

Last month, I had an issue with AutoSSL not installing a certificate. After much digging, @cPanelLauren helped me isolate CSF as the culprit; when I turned it off, everything renewed.

Well, today I have the same problem with 37 certificates not renewing. When I turned off CSF and ran it again, though, they renewed just fine.

The only thing I have set that's not "normal" is that I set CC_ALLOW_FILTER to "US,MP,PR".

Can you guys and gals suggest what I might need to change or whitelist to let AutoSSL pass through CSF?

cPanelLauren (Product Owner II, Staff member, Houston):
@GoWilkes

If I remember correctly, you have countries blocked, and that was causing the AutoSSL process to fail due to an inability to reach the root nameservers. Identifying which block is causing the issue would resolve this for the future; what might be a better solution for the moment is to block these countries in cPHulkd, which prevents them from being able to log in to the server, but DNS queries to the root nameservers would still be successful.

GoWilkes (Well-Known Member, cPanel Access Level: Root Administrator):
Sorry for the late reply, I'm not getting emails when you reply and I'm not sure why.

@cPanelLauren , I went the other direction with it... I'm not blocking countries, exactly, but I'm using CC_ALLOW_FILTER to block all countries except for US,MP,PR. Which I guess is the same thing? I'm not really sure. My sites exclusively target residents of NC, though, so any traffic from outside the US is just a waste of resources.

I have found, though, that turning off CC_ALLOW_FILTER fixes the problem, so certificates do renew. But then I have an immediate increase in server load and spam :-(

I do have every country except for the US blacklisted in cPHulk, and that does help, but you're right that it's not as tough as blocking in CSF. Until there's a way to add Sectigo to the CC_ALLOW_FILTER list, though, I'm not sure that I have much of a choice.

cPanelLauren (Product Owner II, Staff member, Houston):
> Sorry for the late reply, I'm not getting emails when you reply and I'm not sure why.
>
> @cPanelLauren , I went the other direction with it... I'm not blocking countries, exactly, but I'm using CC_ALLOW_FILTER to block all countries except for US,MP,PR. Which I guess is the same thing? I'm not really sure. My sites exclusively target residents of NC, though, so any traffic from outside the US is just a waste of resources.
>
> I have found, though, that turning off CC_ALLOW_FILTER fixes the problem, so certificates do renew. But then I have an immediate increase in server load and spam :-(
>
> I do have every country except for the US blacklisted in cPHulk, and that does help, but you're right that it's not as tough as blocking in CSF. Until there's a way to add Sectigo to the CC_ALLOW_FILTER list, though, I'm not sure that I have much of a choice.

Yeah, CC_ALLOW_FILTER is basically saying, "If I tell you the things I want, it's a much shorter list than the things I don't want." And it'll still honor exceptions on port or by packet.

Code:
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""
I actually don't think it's Sectigo that is being blocked, since they're based in the US. The issue is the lack of a response from the root nameservers that you were getting, because they're not all necessarily based in the US. So when the DCV check is attempted and your NS are queried for the domains, the response was null, which was why I was originally asking about NAT routing (this is a common NAT misconfiguration problem) and why it was so confusing when you weren't NAT routed, and a bit tricky to understand why the firewall was to blame.

I think short of allowing the root nameservers to be reached you'd have to disable the CC filtering. I believe you can allow exceptions for specific IPs by whitelisting them or adding them to the ignore list. You can find the root NS IPs here: IANA — Root Servers

keat63 (Well-Known Member, cPanel Access Level: Root Administrator):
I briefly looked at this earlier in the week to see if I could identify the IPs for Sectigo servers, with a hope of you maybe whitelisting them in CSF, but there were far too many, and I thought...

@cPanelLauren is on the case, she's far more knowledgeable than I will ever be, so I'll keep my nose out.

GoWilkes (Well-Known Member, cPanel Access Level: Root Administrator):
> I think short of allowing the root nameservers to be reached you'd have to disable the CC filtering. I believe you can allow exceptions for specific IPs by whitelisting them or adding them to the ignore list. You can find the root NS IPs here: IANA — Root Servers

I'm getting a tooooooooon of scams, spam, and crack attempts after I removed the CC_ALLOW_FILTER setting, so I'm back to revisiting this.

Do you know if whitelisting via csf.allow will supersede CC_ALLOW_FILTER? I've added all of the root-servers.net IPs, but if it doesn't have priority over CC_ALLOW_FILTER then I think I would still have a problem.
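A small checker for the csf.allow approach discussed in the last two posts (cPanelLauren's suggestion to whitelist the root nameserver IPs, and the question above about whether those entries are in place). This is an added example, not code from the thread or from csf itself. It parses csf.allow entries in csf's documented forms (plain address, CIDR, an Include line, and the advanced protocol|direction|port|address syntax), reports which nameserver addresses have no outbound DNS coverage, and suggests least-privilege entries that open only port 53 to each missing address rather than all ports. The csf.allow text and the nameserver addresses below are constructed placeholders; substitute the real list from IANA.

```python
import ipaddress
import re

# Constructed sample of a csf.allow file (not from the thread): comments,
# plain addresses, a CIDR block, an Include line, and advanced entries.
SAMPLE_CSF_ALLOW = """\
# csf.allow sample (constructed for this example)
Include /etc/csf/csf.cpanel.allow
192.0.2.4                      # plain address: any protocol, any port
198.51.100.0/24                # whole block
udp|out|d=53|d=203.0.113.10    # DNS only, to one server
tcp|out|d=53|d=203.0.113.10
tcp|in|d=22|s=192.0.2.99       # unrelated SSH entry
"""

# Constructed stand-ins for the root-server addresses. The real list is
# published by IANA (see the link in the posts above).
ROOT_SERVER_IPS = ["192.0.2.4", "198.51.100.33", "203.0.113.10", "203.0.113.11"]

# csf advanced syntax: protocol|direction|port|address, e.g. tcp|out|d=53|d=1.2.3.4
_ADVANCED = re.compile(r"^(tcp|udp)\|(in|out)\|[sd]=(\d+)\|[sd]=(\S+)$")


def parse_csf_allow(text):
    """Return (network, protocol, direction, port) tuples.

    Plain entries yield protocol=None, meaning any protocol and any port.
    Include lines are skipped; trailing '# comments' are stripped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Include"):
            continue
        match = _ADVANCED.match(line)
        if match:
            proto, direction, port, addr = match.groups()
            net = ipaddress.ip_network(addr, strict=False)
            entries.append((net, proto, direction, int(port)))
        else:
            entries.append((ipaddress.ip_network(line, strict=False), None, None, None))
    return entries


def dns_protocols_allowed(ip, entries):
    """Set of protocols ('tcp'/'udp') on which outbound DNS to ip is allowed."""
    addr = ipaddress.ip_address(ip)
    allowed = set()
    for net, proto, direction, port in entries:
        if addr not in net:
            continue
        if proto is None:                      # plain whitelist covers everything
            return {"tcp", "udp"}
        if direction == "out" and port == 53:  # advanced entry scoped to DNS
            allowed.add(proto)
    return allowed


def missing_dns_coverage(server_ips, entries):
    """Nameserver addresses lacking both UDP and TCP outbound port-53 coverage."""
    return [ip for ip in server_ips
            if not {"tcp", "udp"} <= dns_protocols_allowed(ip, entries)]


def suggest_entries(server_ips):
    """Least-privilege csf.allow lines: port 53 only, outbound, per address."""
    lines = []
    for ip in server_ips:
        lines.append(f"udp|out|d=53|d={ip}")
        lines.append(f"tcp|out|d=53|d={ip}")
    return lines


if __name__ == "__main__":
    parsed = parse_csf_allow(SAMPLE_CSF_ALLOW)
    for ip in missing_dns_coverage(ROOT_SERVER_IPS, parsed):
        print(f"no outbound DNS coverage for {ip}; suggested entries:")
        for line in suggest_entries([ip]):
            print("  " + line)
```

This only checks what the file says, not what the running ruleset does, and the thread leaves open whether csf.allow entries take effect ahead of CC_ALLOW_FILTER. After reloading the firewall, the empirical test is a direct query to each listed server (for example `dig @<root-server-ip> . NS`) from the cPanel host: a timeout on a server that is present in csf.allow means the whitelist is not winning over the country filter, and AutoSSL's DCV lookups will still fail.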