SOLVED Potential reduced AutoSSL coverage

Discussion in 'Security' started by PPNSteve, Nov 14, 2018.

Thread Status:
Not open for further replies.
  1. PPNSteve

    PPNSteve Well-Known Member

    AutoSSL would normally renew this certificate now, but 9 of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Nov 17, 2018 at 1:35:24 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV.

    example error messages:
    Code:
    www.[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
    DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.
    
    mail.[REDACTED].net (checked on Nov 15, 2018 at 4:46:36 AM UTC)
    DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].net” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “mail.[REDACTED].net” does not resolve to any IPv4 addresses on the internet.
    
    [REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
    DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “[REDACTED].org” does not resolve to any IPv4 addresses on the internet.
    
    and so on for the .com, .net, and .org of this parked (alias) domain..

    WHM v76.0.7
     
    #1 PPNSteve, Nov 14, 2018
    Last edited by a moderator: Nov 15, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @PPNSteve

    The issue here is that both the HTTP DCV and DNS DCV checks are failing.

    HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

    DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.

    To allow you time to resolve this issue, cPanel is deferring the renewal of the domain that DID pass the DCV until Nov 17, 2018, so potentially you can get all the domains secured. If you don't want these domains secured or attempted to be secured, you can exclude them from the AutoSSL check through cPanel.


    Thanks!
     
  3. PPNSteve

    PPNSteve Well-Known Member

    Yes, I see that you understand what is happening.. now how do I fix it?

    Be aware these are domains that have been on the system for quite a while now and have previously been (and are currently) secured via AutoSSL
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Well, first of all, you'll need to identify why the DNS and HTTP DCV checks are failing. HTTP DCV is the primary method; the DNS DCV is just a fallback.

    Typically, what I do to get an idea of what is going wrong is run a curl request against the failing domain:

    Code:
    curl -kvv domain.tld 
    The output of this typically tells me the issue right away - you can even run the request against the full path if you place a text file in the user's .well-known/pki-validation/ (Comodo) or .well-known/acme-challenge (Let's Encrypt) directory.
     
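The error messages quoted in this thread test two separate things: whether the name has any IPv4 address, and whether the `_cpanel-dcv-test-record` TXT record holds the expected value. The script below is an added example, not part of any post here and not cPanel's own code; the function names `dcv_verdict` and `dcv_check` are hypothetical, it assumes `dig` is installed, and the expected value is the one copied from the AutoSSL log.

```shell
#!/bin/sh
# Added example: triage of the two AutoSSL DCV failure messages.
# dcv_verdict A_ANSWERS TXT_ANSWERS EXPECTED_VALUE
# Decides from resolver output alone, so it can be exercised offline.
dcv_verdict() {
    dv_a=$1 dv_txt=$2 dv_expected=$3
    dv_http=fail dv_dns=fail

    # HTTP DCV: the message requires at least one IPv4 address. "dig +short"
    # also prints CNAME targets, and an AAAA-only name has no A answer at
    # all, so only dotted-quad lines count.
    if printf '%s\n' "$dv_a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        dv_http=ok
    fi

    # DNS DCV: one TXT record must equal the challenge value exactly.
    # dig quotes TXT data and splits long records into several quoted
    # chunks, so join the chunks and strip the outer quotes first.
    if [ -n "$dv_expected" ] &&
       printf '%s\n' "$dv_txt" |
           sed 's/" "//g; s/^"//; s/"$//' |
           grep -Fxq -- "$dv_expected"; then
        dv_dns=ok
    fi

    printf 'http_dcv=%s dns_dcv=%s\n' "$dv_http" "$dv_dns"
}

# dcv_check HOSTNAME TXT_RECORD_NAME EXPECTED_VALUE
# Live lookup. TXT_RECORD_NAME is passed separately because the quoted
# messages query the record under the registered domain even when the
# failing name is www. or mail.
dcv_check() {
    dcv_verdict "$(dig +short "$1" A)" "$(dig +short "$2" TXT)" "$3"
}

# Runs only when called with all three arguments.
if [ "$#" -eq 3 ]; then
    dcv_check "$@"
fi
```

Running `curl -4 -kvv` against the same name confirms the HTTP side over IPv4 specifically.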
  5. PPNSteve

    PPNSteve Well-Known Member

    Ok I get html or a test txt message I placed in the suggested full path folder when checking via curl.

    Code:
    root@svr4 [~]# curl -kvv [REDACTED].com/.well-known/pki-validation/test.txt
    * About to connect() to [REDACTED].com port 80 (#0)
    *   Trying 2607:[REDACTED]::2... connected
    * Connected to [REDACTED].com (2607:[REDACTED]::2) port 80 (#0)
    > GET /.well-known/pki-validation/test.txt HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: [REDACTED].com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Fri, 16 Nov 2018 00:19:02 GMT
    < Server: Apache
    < Last-Modified: Fri, 16 Nov 2018 00:17:51 GMT
    < Accept-Ranges: bytes
    < Content-Length: 78
    < Content-Type: text/plain
    <
    * Connection #0 to host [REDACTED].com left intact
    * Closing connection #0
    NOTE: this is a test file used for curl testing.. see, it works properly here.
    root@svr4 [~]#
    so the dns / http request IS working correctly but the AutoSSL DCV isn't seeing / processing this one domain group.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @PPNSteve,

    We'd like to take a closer look at your system to verify there's not an issue with the AutoSSL feature stemming from recent changes in cPanel & WHM version 76. Could you open a support ticket and then post the ticket number here? I'll link this thread to the ticket and ensure it's promptly investigated.

    Thank you.
     
  7. PPNSteve

    PPNSteve Well-Known Member

    OK Thanks..

    Your Support Request ID is: 10742907
     
  8. cPAusaf

    cPAusaf Linux Technical Analyst III Staff Member

    Issue looks to have been related to DNS and is resolved now.
     