Neither HTTP nor DNS DCV preflight checks succeeded

f1alan

Member
Mar 19, 2019
24
4
3
UK
cPanel Access Level
Root Administrator
We have been running v78.0.46 for around a year and recently started getting the following warning on a daily basis:

"The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!"

We did recently start getting other warnings for several SSL certificates like this one:

"The SSL certificate for “exim” on “******.******.com” will expire in less than 30 days"

Thinking that it might be related, we manually renewed these certificates. However, we are still getting this "preflight check" warning. Is there an explanation for it? It doesn't seem to be causing any problems but we can't understand why it has just started when we haven't changed anything.
 

f1alan

Can you provide the output of the following (be sure to remove the actual domain name):

Code:
/usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry
Thank you for getting back to me. Here is the requested output:

Code:
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “cpanel” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “cpanel” service.
The system will attempt to install a certificate for the “cpanel” service from the cPanel store.
Received error “X::NoCertificate” from cPanel Store; requesting new certificate …
Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt) …
        … complete.
Setting up DNS DCV (CNAME _f6534adaf09b61b8d15cba54434f5254.*****************) …
        … complete.
Attempting DNS DCV preflight check …
        FAILED: The DNS DCV check (_f6534adaf09b61b8d15cba54434f5254.***************** IN CNAME) did not return the expected value (864eaf5d1456be06c820c9f2a7d13e82.1a38f0d21e882e135fd1180ca1f96afa****odoca****).
Attempting HTTP DCV preflight check …
        FAILED: Cpanel::Exception/(XID 9kdz7n) The system queried for a temporary file at “http://*****************/.well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 404.
        Cpanel::SSL::DCV::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x31a3758)) called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
        Try::Tiny::try(CODE(0x31ce878), Try::Tiny::Catch=REF(0x2db5980)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 464
        Cpanel::SSL::DCV::_verify_http("http://*****************/.well-known/pki-validation/F6534ADAF"..., "864eaf5d1456be06c820c9f2a7d13e821a38f0d21e882e135fd1180ca1f96"..., "COMODO DCV", 4, ARRAY(0x3114c28)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 306
        Cpanel::SSL::DCV::verify_http("http://*****************/.well-known/pki-validation/F6534ADAF"..., "864eaf5d1456be06c820c9f2a7d13e821a38f0d21e882e135fd1180ca1f96"..., "COMODO DCV") called at /usr/local/cpanel/Cpanel/Market/Provider/cPStore/Utils.pm line 88
        Cpanel::Market::Provider::cPStore::Utils::imitate_http_dcv_check_locally("*****************", ".well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt", "864eaf5d1456be06c820c9f2a7d13e821a38f0d21e882e135fd1180ca1f96"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 193
        eval {...} called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 189
        Cpanel::cPStore::HostnameCert::DCV::set_up("-----BEGIN CERTIFICATE REQUEST-----\x{a}MIICkDCCAXgCAQAwHDEaMBgGA"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 159
        Cpanel::cPStore::HostnameCert::_request_new_certificate(Cpanel::cPStore::HostnameCert=HASH(0x2670830)) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 129
        Cpanel::cPStore::HostnameCert::get_hostname_cert_from_store(Cpanel::cPStore::HostnameCert=HASH(0x2670830)) called at bin/checkallsslcerts.pl line 528
        bin::checkallsslcerts::_get_certificate_pem_from_store(bin::checkallsslcerts=HASH(0x1e240f8)) called at bin/checkallsslcerts.pl line 450
        bin::checkallsslcerts::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
        eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
        Try::Tiny::try(CODE(0x223f940), Try::Tiny::Catch=REF(0x1e95180)) called at bin/checkallsslcerts.pl line 454
        bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_cpstore(bin::checkallsslcerts=HASH(0x1e240f8), "cpanel") called at bin/checkallsslcerts.pl line 310
        bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x1e240f8), "cpanel") called at bin/checkallsslcerts.pl line 86
        bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x1e240f8)) called at bin/checkallsslcerts.pl line 50
Undoing HTTP DCV setup …
        … complete.
Undoing DNS DCV setup …
        … complete.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!

The system will check for the certificate for the “dovecot” service.
The system will attempt to replace the self-signed certificate for the “dovecot” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to replace the self-signed certificate for the “exim” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
The system will check for the certificate for the “ftp” service.
The system will attempt to replace the self-signed certificate for the “ftp” service with a signed certificate from the cPanel Store.
The system will attempt to install a certificate for the “ftp” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “ftp” service.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,262
313
Houston
There are two separate checks that are done for DCV: DNS and HTTP.

The DNS DCV check looks for a record added to your domain and only works if DNS is local.

The HTTP check looks for the presence of a .txt file using a curl request.

In your case the output from the preflight checks (there is a check done before it's submitted to the CA) shows that neither of these is successful:
Code:
Attempting DNS DCV preflight check …
        FAILED: The DNS DCV check (_f6534adaf09b61b8d15cba54434f5254.***************** IN CNAME) did not return the expected value (864eaf5d1456be06c820c9f2a7d13e82.1a38f0d21e882e135fd1180ca1f96afa****odoca****).
Attempting HTTP DCV preflight check …
        FAILED: Cpanel::Exception/(XID 9kdz7n) The system queried for a temporary file at “http://*****************/.well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
 at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 404.
Two questions you need to ask are:

1. Is DNS hosted locally on the server?

2. If DNS is not local, can I place a .txt file in /home/$user/.well-known/pki-validation/ and perform a request similar to the following:
Code:
curl -kvv -A "COMODO DCV" http://domain.tld/.well-known/pki-validation/file.txt
 

f1alan

In answer to your first question, our DNS is hosted externally. Therefore, I followed your instructions and here is the output of the command:

Code:
curl -kvv -A "COMODO DCV" http://*****************/.well-known/pki-validation/file.txt
* About to connect() to ***************** port 80 (#0)
*   Trying 91.109.4.253... connected
* Connected to ***************** (91.109.4.253) port 80 (#0)
> GET /.well-known/pki-validation/file.txt HTTP/1.1
> User-Agent: COMODO DCV
> Host: *****************
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Fri, 28 Feb 2020 09:06:17 GMT
< Server: Apache/2.4.38 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4
< Content-Length: 352
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /.well-known/pki-validation/file.txt was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
* Connection #0 to host ***************** left intact
* Closing connection #0
I believe this is equivalent to the command run in your script. However, I changed it to use HTTPS rather than HTTP and got the following output:

Code:
curl -kvv -A "COMODO DCV" https://*****************/.well-known/pki-validation/file.txt
* About to connect() to ***************** port 443 (#0)
*   Trying 91.109.4.253... connected
* Connected to ***************** (91.109.4.253) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=*****************,[email protected]*****************
*       start date: Feb 19 08:49:51 2020 GMT
*       expire date: Feb 18 08:49:51 2021 GMT
*       common name: *****************
*       issuer: CN=*****************,[email protected]*****************
> GET /.well-known/pki-validation/file.txt HTTP/1.1
> User-Agent: COMODO DCV
> Host: *****************
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 28 Feb 2020 09:06:37 GMT
< Server: Apache/2.4.38 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4
< Last-Modified: Fri, 28 Feb 2020 09:04:18 GMT
< ETag: "e25cf-0-59f9f1f60d368"
< Accept-Ranges: bytes
< Content-Length: 0
< Content-Type: text/plain
<
* Connection #0 to host ***************** left intact
* Closing connection #0
 

cPanelLauren

Hello,

You'd need to create the .txt file; I used file.txt as an example. Note that in this output you get a 404 error because it's not present. Also, the HTTP DCV check cannot be completed over HTTPS (it assumes you do not have a valid SSL certificate and as such wouldn't have an SSL VirtualHost).
 

f1alan

Thanks. Just to confirm that I did indeed create file.txt in the test. It had the same permissions as the generated C2256B0463FB5735B559623759F600FD.txt.
 

cPanelLauren

That's my fault; I didn't even notice in the second attempt that you got a 200 response when performing the check over HTTPS, as I stopped at HTTPS. The DCV check does not function over HTTPS, and if you are forcing traffic to HTTPS for that domain or all domains you MUST add an exclusion for the HTTP DCV check.
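As an added example (not cPanel's code and not something posted in this thread), the Python script below emulates the HTTP DCV preflight that cPanelLauren describes earlier in the thread and reproduces the failure mode raised in this reply. It starts a throwaway `http.server` on 127.0.0.1 standing in for Apache, writes a constructed token file under `.well-known/pki-validation/` in a temporary docroot (rather than /var/www/html), and fetches it over plain HTTP with the "COMODO DCV" User-Agent seen in the `checkallsslcerts` output, refusing to follow redirects. The same fetch is run against a plain docroot, against a server that forces every request to HTTPS with a 301, against one that exempts the DCV path from that redirect, and against a wrong file body and a missing file. The token, the file body and the server policy are all constructed here so it runs offline; the real preflight's exact matching rules and the CA's own fetch may differ in detail.

```python
# Added example: emulate cPanel's HTTP DCV preflight against a loopback web server.
# Not cPanel's code. The User-Agent is the one seen in the thread; everything else is constructed.
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

DCV_DIR = ".well-known/pki-validation"
USER_AGENT = "COMODO DCV"  # what the preflight (and the curl test in the thread) sends


def write_token_file(docroot, token, body):
    """Create <docroot>/.well-known/pki-validation/<TOKEN>.txt holding the expected body."""
    path = os.path.join(docroot, DCV_DIR, f"{token}.txt")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    return path


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: the check stays on plain HTTP, as the CA's fetch does."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError(301/302) instead of following


def http_dcv_preflight(base_url, token, expected):
    """Fetch <base_url>/.well-known/pki-validation/<TOKEN>.txt; return (ok, detail)."""
    url = f"{base_url}/{DCV_DIR}/{token}.txt"
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 404 (file missing), 301 (forced HTTPS), ...
        return False, f"web server responded with {exc.code} for {url}"
    except urllib.error.URLError as exc:   # connection refused, DNS failure, timeout
        return False, f"could not fetch {url}: {exc.reason}"
    if body.strip() != expected.strip():
        return False, "file served but its content is not the expected value"
    return True, "ok"


def make_handler(docroot, force_https, exclude_dcv):
    """Request handler that optionally forces HTTPS, optionally exempting DCV paths."""
    class Handler(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=docroot, **kwargs)

        def do_GET(self):
            exempt = exclude_dcv and self.path.startswith(f"/{DCV_DIR}/")
            if force_https and not exempt:
                # A blanket "everything to HTTPS" rule: the preflight only ever sees this 301.
                self.send_response(301)
                self.send_header("Location", "https://example.invalid" + self.path)
                self.end_headers()
                return
            super().do_GET()

        def log_message(self, *args):
            pass  # keep the run quiet
    return Handler


def _serve_and_check(docroot, force_https, exclude_dcv, token, expected):
    """Start a loopback server with the given policy, run the preflight, stop the server."""
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), make_handler(docroot, force_https, exclude_dcv))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return http_dcv_preflight(f"http://127.0.0.1:{srv.server_address[1]}", token, expected)
    finally:
        srv.shutdown()
        srv.server_close()


def run_scenarios():
    """Run the preflight under several server policies; return {scenario: passed}."""
    token = secrets.token_hex(16).upper()                  # constructed, shaped like F6534ADA....txt
    expected = secrets.token_hex(32) + "\ncomodoca.com\n"  # constructed file body
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        write_token_file(docroot, token, expected)
        results["plain_http"] = _serve_and_check(docroot, False, False, token, expected)[0]
        results["force_https_no_exclusion"] = _serve_and_check(docroot, True, False, token, expected)[0]
        results["force_https_with_exclusion"] = _serve_and_check(docroot, True, True, token, expected)[0]
        results["wrong_body"] = _serve_and_check(docroot, False, False, token, "stale token")[0]
        results["missing_file"] = _serve_and_check(docroot, False, False, "0" * 32, expected)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Running it gives PASS, FAIL, PASS, FAIL, FAIL for the five cases. The second case is what a blanket HTTP-to-HTTPS redirect does to the check: the file exists and would be served over HTTPS (the 200 seen in the thread), but the preflight never follows the 301, so it fails just as a 404 does. On Apache the equivalent of the third case is a `RewriteCond %{REQUEST_URI} !^/\.well-known/` line placed ahead of the redirect rule so those paths are still served over plain HTTP; the same exemption belongs in any proxy or CDN that enforces HTTPS in front of the server.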
 

f1alan

Ok but I'm still unsure how to proceed. Our version of cPanel has been stable for over a year and this only started a few weeks ago. Therefore, I'm a bit confused by the difference between HTTP and HTTPS as your script can't have changed.
 

f1alan

Any other ideas what has caused this?
 

cPanelLauren

The DCV check will not ever be performed over HTTPS; this assumes a certificate is in place, and neither Comodo nor the Let's Encrypt plugin performs the check over HTTPS. To accurately get an idea of whether or not your domain will successfully pass the DCV check, you need to perform it over HTTP.
 

f1alan

I appreciate this but my concern still stands that we have been using v78.0.46 for a year with no changes to this configuration made. Why has it suddenly started giving these errors if nothing has been changed?
 

cPanelLauren

Not sure, and that's kind of what I was hoping to start getting a lead on... but with the information I have right now that's impossible.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

f1alan

Thanks. I went through the ticket process and was advised to raise a ticket with our ISP first, so that is what I've done.
 