SOLVED LetsEncrypt CloudFlare acme.sh

Discussion in 'Security' started by John Schmerold, Mar 28, 2019.

  1. John Schmerold

    John Schmerold Well-Known Member

    Joined:
    Apr 21, 2004
    Messages:
    74
    Likes Received:
    5
    Trophy Points:
    158
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    I have my server cloaked behind CloudFlare; all was well until I started getting [Let's Encrypt SSL] failure notices. It makes sense: CloudFlare proxies our sites and provides DNS for our domains.

    There doesn't seem to be a solution using FleetSSL or AutoSSL, or is there a solution that I didn't find?

    I found acme.sh; it seems to have everything I need, but it requires that I get my hands dirty poking around with bash. I am willing and able, but I'm looking for a better alternative.

    Are there updates to FleetSSL or AutoSSL that will resolve this issue, or am I missing something?

    Perhaps someone is building a FleetSSL-type plugin using acme.sh.

    Thanks for your help!
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,221
    Likes Received:
    478
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @John Schmerold

    cPanel's AutoSSL using the Sectigo provider should work with your sites being behind CloudFlare; the only currently pending issue I'm aware of was an issue with SSL certificates failing when the server had improperly configured IPv6 IPs.

    Have you tried using cPanel's provider? If so, what are the errors presented in the AutoSSL logs?

    Thanks!
     
  3. John Schmerold

    John Schmerold Well-Known Member

    Joined:
    Apr 21, 2004
    Messages:
    74
    Likes Received:
    5
    Trophy Points:
    158
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    This seems to be the most important message:
    The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.

    Full log:
    Code:
    Log for the AutoSSL run for “nossl”: Saturday, March 30, 2019 7:35:39 PM GMT-0500 (cPanel (powered by Sectigo))
     7:35:39 PM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
     This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
     Checking websites for “nossl” …
     7:35:39 PM Analyzing “nossl.com” …
     7:35:39 PM ERROR TLS Status: Defective
     ERROR Defect: NO_SSL: No SSL certificate is installed.
     7:35:39 PM Performing DCV (Domain Control Validation) …
     7:35:39 PM Local HTTP DCV OK: nossl.com
     Local HTTP DCV OK: www.nossl.com (via nossl.com)
     Local HTTP DCV OK: mail.nossl.com (via nossl.com)
     Local HTTP DCV OK: cpanel.nossl.com (via nossl.com)
     Local HTTP DCV OK: webdisk.nossl.com (via nossl.com)
     Local HTTP DCV OK: webmail.nossl.com (via nossl.com)
     7:35:39 PM Analyzing “nossl.com”’s DCV results …
     7:35:39 PM AutoSSL will request a new certificate.
     7:35:39 PM The system will attempt to renew the SSL certificate for the website (nossl.com: nossl.com www.nossl.com mail.nossl.com webmail.nossl.com cpanel.nossl.com webdisk.nossl.com).
     No CAA record added because there is no CAA record from another provider in the DNS for nossl.com.
     7:35:40 PM The provider “cPanel (powered by Sectigo)” cannot currently accept incoming requests. The system will try again later.
     7:35:40 PM The system has completed the AutoSSL check for “nossl”.
    
     
    #3 John Schmerold, Mar 30, 2019
    Last edited by a moderator: Apr 1, 2019
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,221
    Likes Received:
    478
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @John Schmerold

    This looks like it may have been bad timing, as it seems to indicate Sectigo was undergoing maintenance. Their status page for these issues can be found here: Sectigo

    If you run the AutoSSL check again do you continue to receive that same message?


    Thanks!
     
  5. John Schmerold

    John Schmerold Well-Known Member

    Joined:
    Apr 21, 2004
    Messages:
    74
    Likes Received:
    5
    Trophy Points:
    158
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    I had support dig into this. We are blocking international traffic. I added this allow rule to give Sectigo's UK servers safe passage to our website:

    ((cf.client.bot and cf.threat_score lt 15) or (ip.geoip.asnum in {32934 63293 48447}) or (ip.src in {178.255.81.12 178.255.81.13 199.66.201.132}))
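
    The allow rule above, as an added example that is not from the thread, from cPanel or from Cloudflare: a small Python model that evaluates the posted expression clause by clause against constructed requests and shows why the allow rule has to be evaluated before the poster's international block. The Request fields, the US-only block rule, the rule-ordering model and every sample address and AS number other than those in the posted rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model of the request fields the posted rule references.
# Field names mirror Cloudflare expression fields; the values are made up.
@dataclass
class Request:
    src_ip: str          # ip.src
    asn: int             # ip.geoip.asnum
    country: str         # ip.geoip.country, used only by the hypothetical geo-block
    verified_bot: bool   # cf.client.bot
    threat_score: int    # cf.threat_score

# Values copied from the allow rule posted in the thread.
ALLOWED_ASNS = {32934, 63293, 48447}
ALLOWED_IPS = {ipaddress.ip_address(a)
               for a in ("178.255.81.12", "178.255.81.13", "199.66.201.132")}

def sectigo_allow_rule(req: Request) -> bool:
    """The posted expression: (bot and score lt 15) or (asn in {...}) or (ip.src in {...})."""
    bot_clause = req.verified_bot and req.threat_score < 15
    asn_clause = req.asn in ALLOWED_ASNS
    ip_clause = ipaddress.ip_address(req.src_ip) in ALLOWED_IPS
    return bot_clause or asn_clause or ip_clause

def international_block_rule(req: Request) -> bool:
    """Hypothetical stand-in for the poster's 'block international traffic' rule."""
    return req.country != "US"

Rule = Tuple[str, str, Callable[[Request], bool]]   # (name, action, matcher)

def decide(rules: List[Rule], req: Request) -> str:
    """First matching Allow or Block ends evaluation (assumed first-match model)."""
    for name, action, matches in rules:
        if matches(req):
            return f"{action}:{name}"
    return "allow:default"

def uncovered(rules: List[Rule], reqs: List[Request]) -> List[str]:
    """Source IPs of validator probes that this rule order would still block."""
    return [r.src_ip for r in reqs if decide(rules, r).startswith("block")]

# The fix from the thread: the allow rule has to sit above the geo-block.
FIXED: List[Rule] = [("sectigo-dcv", "allow", sectigo_allow_rule),
                     ("geo", "block", international_block_rule)]
BROKEN: List[Rule] = FIXED[::-1]   # same rules, block evaluated first

# Constructed probes: 64496 is a documentation-range ASN, 203.0.113.0/24 is TEST-NET-3.
PROBES = [
    Request("178.255.81.12", 64496, "GB", False, 40),  # listed IP, arriving from the UK
    Request("203.0.113.9", 63293, "GB", False, 60),    # listed ASN
    Request("203.0.113.10", 64496, "DE", True, 5),     # verified bot, low threat score
    Request("203.0.113.11", 64496, "DE", True, 30),    # verified bot, score too high
    Request("203.0.113.12", 64496, "US", False, 90),   # domestic, never geo-blocked
]
```

Running uncovered(FIXED, PROBES) against uncovered(BROKEN, PROBES) makes the ordering problem visible: with the block first, every foreign probe, including the listed Sectigo address, is rejected before the allow rule is ever consulted.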
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,221
    Likes Received:
    478
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
  7. John Schmerold

    John Schmerold Well-Known Member

    Joined:
    Apr 21, 2004
    Messages:
    74
    Likes Received:
    5
    Trophy Points:
    158
    Location:
    st. louis
    cPanel Access Level:
    Root Administrator
    You and support nailed it -- as always!

    BTW, I love the fact that support provides us with just enough information so that we can solve these issues ourselves. In this case, we had to open up our website to Sectigo in the UK, and support ran:
    /usr/local/cpanel/bin/autossl_check_cpstore_queue --force

    This pushed Sectigo to revisit our site. Now all is well.

    Thanks again!
     
    cPanelLauren likes this.
  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,221
    Likes Received:
    478
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @John Schmerold

    I'm really glad to hear that your issue was able to get resolved and happy we could help!!

    Thanks!
     