SOLVED Potential reduced AutoSSL coverage

Status
Not open for further replies.
PPNSteve

PPNSteve

Well-Known Member
Mar 13, 2003
421
8
168
Somewhere in Ilex Forest
cPanel Access Level
Root Administrator
Twitter
AutoSSL would normally renew this certificate now, but 9 of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Nov 17, 2018 at 1:35:24 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV.

example error messages:
Code: 
www.[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

mail.[REDACTED].net (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].net” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “mail.[REDACTED].net” does not resolve to any IPv4 addresses on the internet.

[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “[REDACTED].org” does not resolve to any IPv4 addresses on the internet.
and so on for the .com, .net, and .org of this parked (alias) domain..

WHM v76.0.7
 
Last edited by a moderator:
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,286
313
Houston
Hi @PPNSteve

The issue here is that both the HTTP DCV and DNS DCV checks are failing.

HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.

To allow you time to resolve this issue cPanel is deferring the renewal of the domain that DID pass the DCV until Nov 17, 2018 so potentially you can get all the domains secured. If you don't want these domains secured or attempted to be secured you can exclude them from the autossl check through cPanel.


Thanks!
 
  • Like
Reactions: LeonirLopes
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,286
313
Houston
Well, first of all, you'll need to identify why the DNS and HTTP DCV checks are failing. HTTP DCV is the primary method the DNS DCV is just a fallback.

Typically what I do, to get an idea of what is going wrong is to run a curl request against the failing domain:

Code: 
curl -kvv domain.tld
The output of this typically tells me the issue right away - you can even run the request against the full path if you place a text file in the user's .well-known/pki-validation/ (comodo) or .well-known/acme-challenge (Let's Encrypt) directory
 
  • Like
Reactions: LeonirLopes
PPNSteve

PPNSteve

Well-Known Member
Mar 13, 2003
421
8
168
Somewhere in Ilex Forest
cPanel Access Level
Root Administrator
Twitter
Ok I get html or a test txt message I placed in the suggested full path folder when checking via curl.

Code: 
[email protected] [~]# curl -kvv [REDACTED].com/.well-known/pki-validation/test.txt
* About to connect() to [REDACTED].com port 80 (#0)
*   Trying 2607:[REDACTED]::2... connected
* Connected to [REDACTED].com (2607:[REDACTED]::2) port 80 (#0)
> GET /.well-known/pki-validation/test.txt HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: [REDACTED].com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 16 Nov 2018 00:19:02 GMT
< Server: Apache
< Last-Modified: Fri, 16 Nov 2018 00:17:51 GMT
< Accept-Ranges: bytes
< Content-Length: 78
< Content-Type: text/plain
<
* Connection #0 to host [REDACTED].com left intact
* Closing connection #0
NOTE: this is a test file used for curl testing.. see, it works properly here.
[email protected] [~]#
so the dns / http request IS working correctly but the AutoSSL DCV isn't seeing / processing this one domain group.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
Hello @PPNSteve,

We'd like to take a closer look at your system to verify there's not an issue with the AutoSSL feature stemming from recent changes in cPanel & WHM version 76. Could you open a support ticket and then post the ticket number here? I'll link this thread to the ticket and ensure it's promptly investigated.

Thank you.
 
Status
Not open for further replies.
Thread starter Similar threads Forum Replies Date
N HELP: Potential reduced AutoSSL coverage Security 3
B Potential reduced AutoSSL coverage for subdomain that doesn't exist? Security 4
keat63 Is there anything which would block potential web hacker Security 11
G Help with Finding Disk Exceeded Error and Potential Hacker Security 6
J Potential security issue with cPanel. Security 0
Similar threads
HELP: Potential reduced AutoSSL coverage
Potential reduced AutoSSL coverage for subdomain that doesn't exist?
Is there anything which would block potential web hacker
Help with Finding Disk Exceeded Error and Potential Hacker
Potential security issue with cPanel.
Top Bottom