Installing AutoSSL for .app and .dev HSTS domains

louish (Active Member) - Feb 2, 2006
I feel like I'm running into a 'Chicken or the Egg' issue with these HTTPS/HSTS required domains.

AutoSSL wouldn't validate because it couldn't find the .well-known file over an HTTP connection. (The system queried for a temporary file at "http://*****.app/.well-known/pki-validation/83FE....)

I can't add the DNS TXT record because every time it attempts to validate, the _cpanel-dcv-test-record value changes. So there is no time to add the TXT record before it fails (using a DNS server not hosted on its own box).

Then I realized the purchased domain from GoDaddy included an SSL certificate, makes sense... so I go to set it up and for some reason, GoDaddy just kept refusing to validate the request's DNS TXT record to prove ownership (and I can't use their HTML file method because the request is over HTTP, not HTTPS). I don't know if this was just a bug, but I literally tried everything with no luck.

The only way I was able to get it to work was to move the DNS back to GoDaddy (instead of my Linode DNS server); then the certificate was able to be issued because DNS was hosted at the same location as the SSL issuer, so there was no need to validate with a file or DNS update. So now I have the valid GoDaddy-issued certificate installed, but I don't want my DNS at GoDaddy. So I moved the DNS back to my Linode DNS, but then the GoDaddy certificate refused to work when my DNS is not at GoDaddy, and the server kept loading the default website for the shared IP.

So then I thought, ok, move the DNS back to GoDaddy, and now that HTTPS works, I can get an AutoSSL certificate. However, they won't issue a certificate until 3 days prior to expiration.

How are other people dealing with these issues? What am I missing here? I hope I explained everything right.

louish (Active Member) - Feb 2, 2006
As a side note, I think I realized why my certificate didn't work when I moved the DNS to Linode, and it's because my CSR was generated by GoDaddy, which I just found out bypasses the embedded IP address in the certificate and uses their name servers instead. When the DNS was changed, the embedded IP was not found in the certificate (since it was pointing to their DNS servers to get the IP, but the records were disabled/removed because I changed the DNS). To solve (this particular) issue, I would just need to re-key the certificate (with my server's CSR) at GoDaddy, which doesn't require validation.


Even though that one problem is fixed, I'm still confused about how to set up an AutoSSL certificate for the first time on a domain that requires HTTPS connections without going through the process of purchasing and installing a real certificate just to get this to work.

LucasRolff (Well-Known Member, Community Guide Contributor) - May 27, 2013
cPanel Access Level: Root Administrator
Whenever you add a domain to cPanel, it will issue a self-signed certificate for the domain, meaning it can also call the https endpoint of the site and pass validation.

The certificate validation also doesn't actually listen to HSTS settings, so it can still call over HTTP anyway.

The 4 .dev domains I have, at least, got issued a certificate without having to purchase anything.

cPanelLauren (Product Owner II, Staff member) - Nov 14, 2017
Houston
When AutoSSL runs it automatically creates a new CSR, so I wouldn't think that would be the cause of the issue. When AutoSSL runs, what is output in the AutoSSL logs at WHM >> SSL/TLS >> Manage AutoSSL >> Logs (pending you have access to WHM)? If you do not have access to WHM, you might need to speak to your provider about why the SSL isn't being added. Whether or not DNS is hosted elsewhere, the HTTP DCV should complete; if you must have HTTPS (i.e., you have a forced redirect to HTTPS in place), you can add an exception in the .htaccess for cpaneldcv to allow that check to complete over HTTP.
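As an added example (not from cPanelLauren's post and not cPanel's own shipped configuration), here is what the .htaccess exception described above looks like. It uses mod_rewrite, which is the usual way a "force HTTPS" redirect is written in .htaccess; the exempted path /.well-known/pki-validation/ is the one shown in the AutoSSL log line quoted at the top of the thread, and the 301 status and rule ordering are my choices. The blanket redirect that breaks DCV is shown commented out next to the corrected form.

```apache
# Added example: force HTTPS for visitors while still letting cPanel's
# HTTP DCV request reach the validation file over plain http.
RewriteEngine On

# --- Problematic form (commented out): redirects *every* plain-http
# --- request, so the DCV client receives a 301 to https instead of the
# --- token file it asked for, and validation fails.
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- Corrected form, step 1: for the DCV directory, stop processing
# --- rules here ("-" means leave the request as-is) so the file is
# --- served directly over http.
RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/ [NC]
RewriteRule ^ - [L]

# --- Corrected form, step 2: everything else that arrived over plain
# --- http is redirected to the same host and path on https.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

To confirm the exception is in effect before the next AutoSSL run, request any file name under the DCV path over plain HTTP (for example with `curl -sI http://yourdomain.app/.well-known/pki-validation/probe`) and check that the response is a direct answer from the document root (a 404 is fine when no token file is present) rather than a 301 with a Location header pointing at https. If the redirect lives in the server's virtual host configuration instead of .htaccess, the same two-step ordering has to be applied there. Note that the redirect exemption is all that is needed for the check: as noted earlier in the thread, the DCV client does not honour HSTS, so the Strict-Transport-Security header itself can stay as it is.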