
The Community Forums

Interact with an entire community of cPanel & WHM users!

Questions about AutoSSL

Discussion in 'Security' started by Spork Schivago, Aug 21, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hi,

    I am currently manually generating my SSL certificate using Let's Encrypt certbot. This is a bit cumbersome and I was thinking of switching to the Let's Encrypt plugin. Originally, I couldn't make the switch because the AutoSSL cPanel feature didn't support the proxy-subdomains, but I believe that has changed.

    I have some questions first though. Just by looking at what's available in the WHM's AutoSSL section (without the Let's Encrypt plugin installed), I don't see many options. If I were to enable AutoSSL using the Comodo provider or install the Let's Encrypt plugin, written by cPanel, is there a way to customize the various settings?

    I want these features enabled:
    Code:
    --staple-ocsp:    Enables OCSP Stapling. A valid OCSP response is
                            stapled to the certificate that the server offers
                            during TLS.
    
    --must-staple:    Adds the OCSP Must Staple extension to the
                            certificate. Autoconfigures OCSP Stapling for
                            supported setups (Apache version >= 2.3.3 ). (default:
                            False)
    
    --hsts:           Add the Strict-Transport-Security header to every HTTP
                            response. Forcing browser to always use SSL for the
                            domain. Defends against SSL Stripping. (default:
                            False)
    
    --rsa-key-size 2048
    
    These options are important to me. The plugins now support the proxy subdomains, right? cpanel.example.com, whm.example.com, etc, etc?

    The final thing that's really important is having an SSL certificate for the hostname. My memory is not good, and I don't remember why I need that SSL certificate for the hostname itself, but I do remember I need it. From what I've read, the current AutoSSL implementations don't generate an SSL certificate for the hostname. But maybe the documentation is now incorrect? Do they generate SSL certificates for the hostname?

    I could not find any documentation at all that showed how to configure the plugins (except for what I can already do in WHM). Are there config files somewhere on the hard drive that I can modify, much like the Apache templates or something like that, to fine-tune the SSL certificates?

    Any help would be greatly appreciated.

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,080
    Likes Received:
    1,364
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, that's correct. Proxy subdomains are included with the domain names secured with the AutoSSL feature as of cPanel version 64.

    Yes, but it's only supported with Comodo (not Let's Encrypt):

    Free cPanel-Signed Hostname Certificate - cPanel Knowledge Base - cPanel Documentation

    It's not possible to configure AutoSSL features such as OCSP requirements or key size. I encourage you to open a feature request if you'd like to see that functionality added:

    Submit A Feature Request

    Thank you.
     
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Is OCSP enabled though when I use the Comodo provider? I see stuff in the /etc/apache2/conf/httpd.conf file that checks if the certificate is stapled, and if it is, it configures certain options. To me, this would imply that those Comodo certificates are being stapled. Is that not the case?

    Also, in my /etc/apache2/conf/httpd.conf, I see a virtual host entry for hostname.example.com, for port 80, but none for port 443. Is that normal? To get Let's Encrypt to work, I've had to manually create the virtualhost entries for the hostname in the post_virtualhost_global.conf file, for ports 80 and 443. I would have thought because cPanel creates an entry for the hostname on port 80, it should be creating one for port 443 as well. Makes me think something's wrong.

    What size are the keys going to be? Does it depend on different conditions or will they always be a certain size (ie, 1024 bits)? I'm okay with a size 2048 bits or higher, but I don't want to go any less.

    Thanks!
     
    #3 Spork Schivago, Aug 22, 2017
    Last edited: Aug 22, 2017
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    They are set up using 2048-bit keys. It's not possible to change this at this time, but we do have a feature request open for a 4096-bit option at:

    AutoSSL with 4096 bit option

    This is the expected behavior. The free cPanel-signed SSL certificate for the server's hostname is not installed for Apache. You can manually install the hostname's certificate to Apache using the following option:

    "WHM Home » SSL/TLS » Install an SSL Certificate on a Domain"

    Yes, however keep in mind it's the web browser itself (e.g. Firefox) that directly connects to the OCSP server. Here's a recent thread where this resulted in a slight issue due to a Comodo outage:

    Comodo OCSP Outage

    Thank you.
     
  5. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you @cPanelMichael! I think I'm going to make the switch then to the AutoSSL. I feel it's about time. It's been very cumbersome manually creating the Let's Encrypt certificates. I've tried automating it as best I can, but something will change with cPanel or Let's Encrypt, and things break, then I have to figure out what broke and why it broke. If this AutoSSL works as well as I think it will, it'll be a headache I can forget about.

    I still have one last question. I'm getting a developers license and I'm going to have cPanel installed at my house, on my server, in the basement. On my production server (that has a paid-for license), I'm going to configure the DNS server to point one of the subdomains to my server in the basement (git.example.com). I shouldn't have any trouble using the AutoSSL feature on both cPanel installations, correct? On the development server, it'll just check to see what IP address belongs to git.example.com, and so long as it matches the machine it's running on, it should be able to create a certificate just fine?

    Thanks!
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    AutoSSL would work in this scenario as long as the domain name resolves to the IP address associated with the cPanel server it's added to. For the "git" subdomain, you'd want to exclude it from the AutoSSL feature on the production server using the following option (available as of cPanel 66):

    66 Release Notes - Version 66 Documentation - cPanel Documentation

    The "git" subdomain could receive the AutoSSL certificate on the cPanel server it's hosted on.

    Thank you.
     
  7. Spork Schivago

    Spork Schivago Well-Known Member

    @cPanelMichael,
    ***************************************EDIT***************************************
    * I have made the transition to AutoSSL but am still having some issues. This was a long post and
    * most of the questions in it I have now found answers to. The next post shows the only troubles
    * I'm having.
    **********************************************************************************

    I'm having trouble with the migration a bit. I think it's because I'm on the preloading list.

    So I log into my server via SSH and I run:
    Code:
    mkdir -p /root/backup/etc
    cp -pR /etc/letsencrypt /root/backup/etc
    
    root@franklin:[/etc/letsencrypt]# rm -rf /etc/letsencrypt/live/www.example.com
    root@franklin:[/etc/letsencrypt]# rm -rf /etc/letsencrypt/renewal/www.example.com.conf
    root@franklin:[/etc/letsencrypt]# rm -rf /etc/letsencrypt/archive/www.example.com
    
    Then I log into WHM and turn on AutoSSL.

    I then reset the SSL certificates under Manage Service SSL Certificates.

    My server shows it's still using the Let's Encrypt certificates. So, I go into WHM -> Manage SSL Hosts and I delete the SSL hosts. It takes forever. Some go through eventually, saying they've been deleted, some error out about some lock file or something.

    Anyway, I go back to the SSH server and I run:
    Code:
    root@franlink:[/scripts]# ./ssl_crt_status --verbose
    [info] SSL root: /etc/ssl
    Ok: franklin.example.com SSL crt verified
    Ok: ipv4.example.com SSL crt verified
    Ok: ipv6.example.com SSL crt verified
    Ok: example.com SSL crt verified
    
    When I go to WHM -> Manage Service SSL Certificates I see I'm using self-signed certificates for the services. But when I browse for an SSL certificate, I still see the valid Let's Encrypt certificate listed under user sporkschivago. How do I go about removing that certificate completely, so it doesn't show up under there?


    I try to run the AutoSSL again, and now I see in the log these warnings:
    Code:
        [2017-08-22T20:55:26Z] The domain “www.example.com” failed domain control validation: The system failed to fetch the <abbr title="Domain Control Validation">DCV</abbr> file at “<a href="http://www.example.com/.well-known/pki-validation/830CF2A6C037482584B0160B4D1761F8.txt">http://www.example.com/.well-known/pki-validation/830CF2A6C037482584B0160B4D1761F8.txt</a>” because of an error: The system failed to send an <abbr title="Hypertext Transfer Protocol">HTTP</abbr> “GET” request to “http://www.example.com/.well-known/pki-validation/830CF2A6C037482584B0160B4D1761F8.txt” because of an error: Could not connect to 'www.example.com:80': Connection refused
    ....
        [2017-08-22T20:51:00Z] The domain “webmail.example.com” failed domain control validation: The system failed to fetch the <abbr title="Domain Control Validation">DCV</abbr> file at “<a href="http://webmail.example.com/.well-known/pki-validation/45C9DF99696CABE2C33722B7C313EE38.txt">http://webmail.example.com/.well-known/pki-validation/45C9DF99696CABE2C33722B7C313EE38.txt</a>” because of an error: The system failed to send an <abbr title="Hypertext Transfer Protocol">HTTP</abbr> “GET” request to “http://webmail.example.com/.well-known/pki-validation/45C9DF99696CABE2C33722B7C313EE38.txt” because of an error: Could not connect to 'webmail.example.com:80': Connection refused
    
    This is what my .htaccess file looks like in /home/sporkschivago/public_html
    Code:
    # Tell the browser to check for index.html and index.php, in that order.
    # if either exist, load that file by default.
    DirectoryIndex index.php index.html
    
    <IfModule mod_headers.c>
    # Turn off caching for Google Chrome.
      Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, post-check=0, pre-check=0"
      Header set Pragma "no-cache"
      Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    
    # Add P3P Privacy Headers to the site (this causes infinite redirects for some reason).
    #  Header set P3P "policyref="/w3c/p3p.xml""
    </IfModule>
    
    <IfModule mod_rewrite.c>
    # Turn RewriteMod on.
      RewriteEngine On
    
    # Allow .well-known through for Comodo.
      RewriteCond %{REQUEST_URI} !^/\.well\-known/pki-validation/
    
    # Redirect all other users to the https version of our website,
    # because we have SSL certs now.
      RewriteCond %{HTTPS} !=on
      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
    </IfModule>
    
    # php -- BEGIN cPanel-generated handler, do not edit
    # NOTE this account's php is controlled via FPM and the vhost, this is a place holder.
    # Do not edit. This next line is to support the cPanel php wrapper (php_cli).
    # AddType application/x-httpd-ea-php71 .php .phtml
    # php -- END cPanel-generated handler, do not edit
    
    Any ideas what's going wrong here? I thought WHM would have modified my .htaccess file. I checked Tweak Settings to make sure the option that prevents modification of users' .htaccess files wasn't turned on, and it's turned off. So it should be modifying the .htaccess file...

    **EDIT:

    I just noticed Apache2 is no longer running. So I check and see this:
    Code:
    systemctl status httpd -l
    
    SSLCertificateFile: file '/var/cpanel/ssl/cpanel/mycpanel.pem' does not exist or is empty
    
    
    It was because of my post_virtualhost_global.conf, so I fixed that and got Apache running again.

    How can I manually generate those AutoSSL certs from the SSH shell?

    Thanks!
     
    #7 Spork Schivago, Aug 22, 2017
    Last edited: Aug 23, 2017
  8. Spork Schivago

    Spork Schivago Well-Known Member

    Okay, I got further....but still having some issues. I can generate the SSL certificates using WHM now, or using a remote SSH shell by running:
    Code:
    /usr/local/cpanel/bin/autossl_check --all
    I can now log into WHM, webmail, etc.

    I see in cPanel though, under cpanel -> SSL/TLS Status, that almost all the subdomains / proxies are now using the AutoSSL certificate...except for one:

    ipv6.example.com, which has no A record, just an AAAA record. Not sure how to generate an AutoSSL certificate for a subdomain with just an AAAA record. I can't create an A record for that domain, because it's supposed to only have an AAAA record.

    I also see there's no certificate for cpcontacts.example.com and cpcalendars.example.com. So I'm missing three cPanel-signed certificates, for these subdomains:
    Code:
    cpcontacts
    cpcalendars
    ipv6
    
    How does the /usr/local/cpanel/bin/autossl_check binary determine what domains / subdomains to generate certificates for? Where does it obtain the list? I don't think it's grabbing it from /var/named/example.com.db's zone file. If it was, it'd be generating a certificate for git.example.com. I don't want it to generate a certificate for git.example.com, because I'm eventually going to point it to my server in the basement, but right now, git.example.com points to the same IP address as example.com. AutoSSL generates a certificate for example.com, but not git.example.com....

    Also, I now, for whatever reason, have two certificates. There's a separate certificate for ipv4.example.com. This I don't think is right. I think it should have generated one big certificate for all of the domains / subdomains.

    What's a bit odder (and I think maybe a bug), under WHM -> Manage SSL Hosts, it lists ipv4.example.com, but it lists it twice, one with the IPv4 address, one with the IPv6 address. There's no AAAA record for ipv4.example.com, so not sure why cPanel thinks it's bound to an IPv6 address.

    I have that Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) enabled in Tweak Settings. I create a test file, /home/sporkschivago/public_html/.well-known/pki-validation/test.txt

    I try to visit it using curl:
    Code:
    curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://ipv6.example.com/.well-known/pki-validation/test.txt
    
    It displays the test file...if I disable my .htaccess rewrite command that allows .well-known/pki-validation stuff through without redirecting it to the secure version of my site, the DCV in /etc/apache2/conf/httpd.conf doesn't seem to work. It gets redirected to port 443.

    This is what I see with my rewrite rule disabled:
    Code:
     curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://ipv6.example.com/.well-known/pki-validation/test.txt
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="https://ipv6.example.com/.well-known/pki-validation/test.txt">here</a>.</p>
    </body></html>
    
    
    # With my rewrite rule enabled:
     curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://ipv6.example.com/.well-known/pki-validation/test.txt
    
    just a test.
    
    It seems that the autossl_check binary is only looking for the IPv4 address. I'm not sure where it's pulling this address from, but I suspect it might be with one of those userdata files....for whatever reason, that contains an IPv4 address for ipv6.example.com, and I cannot figure out how to remove it (without it coming back whenever the userdata files are rebuilt).
     
    #8 Spork Schivago, Aug 22, 2017
    Last edited: Aug 23, 2017
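    The curl test in the post above checks one domain by hand. The script below is an added example (my own code, not cPanel's and not from this thread) that does the same preflight for a list of domains: it fetches the DCV path over plain HTTP with the same "COMODO DCV" user agent, refuses to follow redirects so a 301 to https:// (the .htaccess rewrite problem) is reported rather than silently followed, reports a refused connection on port 80 separately (Apache down, as in post #7), and checks whether the name has an A record at all. The file name `test.txt` is a placeholder; the function and variable names are mine.

```python
"""DCV preflight probe for AutoSSL-style HTTP validation.

Added example, not cPanel code: for each domain, confirm that
/.well-known/pki-validation/<file>.txt answers over plain HTTP with a 200
instead of a redirect to https:// or a refused connection on port 80, and
that the name resolves to an IPv4 address (AutoSSL validates over IPv4 only).
"""
import socket
import sys
import urllib.error
import urllib.request

DCV_USER_AGENT = "COMODO DCV"          # same user agent as the thread's curl test
DCV_PATH = "/.well-known/pki-validation/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the redirect itself is reported."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def dcv_url(domain, token="test"):
    """Build the HTTP URL the validator would fetch for this domain.
    'token' is a placeholder file name; the real one is chosen per run."""
    return "http://%s%s%s.txt" % (domain, DCV_PATH, token)


def probe(url, timeout=10):
    """Fetch url once over HTTP without following redirects.
    Returns a plain dict so the result can be classified without a socket."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": DCV_USER_AGENT})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return {"status": resp.getcode(), "location": None, "error": None}
    except urllib.error.HTTPError as e:
        # 3xx and 4xx land here; 3xx because NoRedirect declined to follow it
        return {"status": e.code, "location": e.headers.get("Location"), "error": None}
    except urllib.error.URLError as e:
        return {"status": None, "location": None, "error": str(e.reason)}


def classify(result):
    """Map a probe() result to the failure modes discussed in the thread."""
    if result["error"] is not None:
        if "refused" in result["error"].lower():
            return "port-80-closed"        # nothing listening on :80
        return "unreachable"
    status, location = result["status"], result["location"] or ""
    if status == 200:
        return "ok"
    if status in (301, 302, 307, 308) and location.startswith("https://"):
        return "redirected-to-https"       # a rewrite rule caught the DCV path
    if status == 404:
        return "missing-file"              # port 80 answers, file not served
    return "http-%d" % status


def has_ipv4(domain):
    """True when the name has at least one A record. An AAAA-only name
    cannot pass AutoSSL's IPv4 validation (post #13)."""
    try:
        return bool(socket.getaddrinfo(domain, 80, socket.AF_INET))
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # usage: python dcv_preflight.py www.example.com webmail.example.com ...
    for domain in sys.argv[1:]:
        verdict = classify(probe(dcv_url(domain)))
        ipv4 = "has A record" if has_ipv4(domain) else "no A record (DCV will fail)"
        print("%-30s %-22s %s" % (domain, verdict, ipv4))
```

    A "redirected-to-https" verdict means the rewrite rule is not exempting the DCV path; "port-80-closed" is the state the AutoSSL log showed while Apache was down; "no A record" is the IPv6-only case from later in the thread.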
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you verify which version of cPanel is installed on this system?

    Thank you.
     
  10. Spork Schivago

    Spork Schivago Well-Known Member

    66.0.14 for cPanel. Centos 7.3.1611 (Core) for the OS, running inside KVM.
     
  11. Spork Schivago

    Spork Schivago Well-Known Member

    This is the output of autossl_check --all
    Code:
    ./autossl_check --all
    This system has AutoSSL set to use “cPanel (powered by Comodo)”.
    Checking websites for “sporkschivago” …
            The website “ipv6.example.com”, owned by “sporkschivago”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
            The domain “ipv6.example.com” failed domain control validation: “ipv6.example.com” does not resolve to any IPv4 addresses on the internet.
    The system has completed the AutoSSL check for “sporkschivago”.
    
    The system has finished checking 1 user.
    
    This makes me think AutoSSL doesn't support IPv6 only sub-domains / domains.
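    The failure lines quoted in post #7 and just above are the only evidence AutoSSL gives for why a domain was skipped, and the HTML log wraps them in `<abbr>` and `<a>` tags. Below is an added example (my own code, not cPanel's and not from the thread) that parses those lines, strips the markup, and groups the failing domains by cause; the sample log is constructed from the lines quoted in this thread with the validation token replaced by `TOKEN`, and the function names are mine.

```python
"""AutoSSL log triage.

Added example, not cPanel code: parse the "failed domain control validation"
lines that autossl_check and the AutoSSL log emit, strip the <abbr>/<a>
markup the HTML log carries, and group the failing domains by cause.
"""
import html
import re

TAG_RE = re.compile(r"<[^>]+>")
LINE_RE = re.compile(
    r"^\s*(?:\[(?P<ts>[^\]]+)\]\s+)?"
    r"The domain “(?P<domain>[^”]+)” failed domain control validation:\s*(?P<reason>.*)$"
)

# Substrings of the reason text, checked in order; wording taken from the
# thread's own log lines. Anything else is reported as "other".
REASON_CLASSES = (
    ("does not resolve to any IPv4 addresses", "no-ipv4-record"),   # AAAA-only name
    ("Connection refused", "port-80-closed"),                       # nothing on :80
)


def strip_markup(line):
    """Drop tags and unescape entities so the URL and message read as plain text."""
    return html.unescape(TAG_RE.sub("", line))


def parse_failure(line):
    """Return {time, domain, class, reason} for a DCV failure line, else None."""
    m = LINE_RE.match(strip_markup(line))
    if m is None:
        return None
    reason = m.group("reason").strip()
    cause = "other"
    for needle, label in REASON_CLASSES:
        if needle in reason:
            cause = label
            break
    return {"time": m.group("ts"), "domain": m.group("domain"),
            "class": cause, "reason": reason}


def summarize(lines):
    """Map failure class -> list of failing domains, in order of appearance."""
    groups = {}
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            groups.setdefault(rec["class"], []).append(rec["domain"])
    return groups


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = [
    '[2017-08-22T20:55:26Z] The domain “www.example.com” failed domain control validation: '
    'The system failed to fetch the <abbr title="Domain Control Validation">DCV</abbr> file at '
    '“<a href="http://www.example.com/.well-known/pki-validation/TOKEN.txt">'
    'http://www.example.com/.well-known/pki-validation/TOKEN.txt</a>” because of an error: '
    "Could not connect to 'www.example.com:80': Connection refused",
    '[2017-08-22T20:51:00Z] The domain “webmail.example.com” failed domain control validation: '
    "Could not connect to 'webmail.example.com:80': Connection refused",
    '        The website “ipv6.example.com”, owned by “sporkschivago”, has no SSL certificate. '
    'AutoSSL will attempt to obtain a new certificate and install it.',
    '        The domain “ipv6.example.com” failed domain control validation: '
    '“ipv6.example.com” does not resolve to any IPv4 addresses on the internet.',
]

if __name__ == "__main__":
    # e.g. summarize(open("/var/cpanel/logs/autossl/<run>.log")) on a real log
    for cause, domains in summarize(SAMPLE_LOG).items():
        print("%-16s %s" % (cause, ", ".join(domains)))
```

    Run against a real AutoSSL log, the "port-80-closed" group tells you the web server or firewall is the problem, while "no-ipv4-record" isolates the AAAA-only names that need the temporary A record workaround described later in the thread.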
     
  12. Spork Schivago

    Spork Schivago Well-Known Member

    Could someone run a simple test for me? Create a subdomain, with just an AAAA record, and no A record, then see if they can generate an SSL certificate for it, using AutoSSL with Comodo as the provider?

    I read a post about a place where they're only assigned IPv6 addresses. I'm thinking this might be an issue with AutoSSL not assigning certificates for IPv6 only domains / subdomains.

    Thanks.
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is correct. IPv6-only domain names (or subdomains) are not currently supported with the AutoSSL feature. You'd have to set up a temporary "A" record that resolves to an IPv4 address to allow the domain validation process to succeed. Once it succeeds, you can remove the "A" record until the next AutoSSL renewal attempt.

    Thank you.
     
  14. Spork Schivago

    Spork Schivago Well-Known Member

    Is there any way to use iptables to block the transmission control protocol for IPv4 addresses for that subdomain? Maybe just allow Comodo addresses through, so I don't have to create the A record each time AutoSSL renews?

    Also, is IPv6 only support being planned to be added, or should I submit that as a feature request? Thanks cPanelMichael.
     
  15. Spork Schivago

    Spork Schivago Well-Known Member

    Maybe something like this?
    Code:
    # Note: iptables resolves a hostname given to -d when the rule is added, so the
    # name must have an A record at that moment.
    iptables -A INPUT -d ipv6.example.com -m state --state INVALID -j DROP
    iptables -A INPUT -d ipv6.example.com -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -d ipv6.example.com -j ACCEPT
    iptables -A INPUT -d ipv6.example.com -s <Comodo IPv4 addresses> -j ACCEPT
    # Drop everything we don't accept. (-P sets the whole chain's policy and takes
    # no -d match; a final -A ... -j DROP rule is what limits this to one destination.)
    iptables -A INPUT -d ipv6.example.com -j DROP
    
    Would something like this work? I wonder if I could use just the last two lines there:
    Code:
    iptables -A INPUT -d ipv6.example.com -s <Comodo IPv4 addresses> -j ACCEPT
    iptables -A INPUT -d ipv6.example.com -j DROP # Drop everything we don't accept (-P cannot take a -d match)
    
    ConfigServer Firewall generally handles the IPv4 firewall and the IPv6 firewall. Obviously, I'd have to insert these rules at the beginning of the chain. Because I'm not touching the IPv6 table at all, IPv6 connections should still be allowed, but any IPv4 connection not coming from Comodo should be dropped, right?
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Yes, I recommend opening a new feature request to allow IPv6-only support with the AutoSSL feature. As far as the workaround, here's the command you can run from the cPanel server to determine if the domain name resolves to a valid IPv4 address:

    Code:
    /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots::Resolver->new(debug => 1)->recursive_query("domain.tld","A"));'
    As long as you can get the correct IPv4 address with this command from the cPanel server, and Comodo's IP addresses can access the domain name, then domain validation should succeed.

    Thank you.
     
  17. Spork Schivago

    Spork Schivago Well-Known Member

    Thank you, but are my iptables commands good to block IPv4 traffic to and from the server for everyone who isn't Comodo? I use the IPv6-only subdomains a lot of times when I need to make sure the software I'm using at home is using an IPv6 address, and not accidentally falling back to IPv4, without me knowing.

    Do you think those IPv4 iptables commands will work? The 2nd one, to me, seems like it'd block traffic to ipv6.mydomain.com for everyone, regardless of the type of connection, except for Comodo, or if it's coming from an IPv6 address, then the ip6tables chain comes through...
     
  18. Spork Schivago

    Spork Schivago Well-Known Member

    Well, this sucks.

    If I'm understanding the level two technician correctly, AutoSSL does not support whm, cpcontacts, and cpcalendars proxy subdomains.

    This cannot be correct. I can understand the cpcontacts and cpcalendars I guess, but whm? Surely I must be misunderstanding the technician. Here's the ticket number, @cPanelMichael, 8812401.

    Maybe I'm misunderstanding him? Surely, other people are having certificates generated for whm.theirdomain.com, aren't they? I cannot see why we'd have valid certs generated for only cpanel, webdisk, and webmail. That just doesn't make sense to me.
     
  19. Spork Schivago

    Spork Schivago Well-Known Member

    Well, the level 2 tech thinks we might be right and whm should be included in the AutoSSL provisioning process. He's now escalated me to a level 3 tech. I have some ideas on how to fix the issue, but I don't want to mess things up while they're working.

    I asked the level 2 tech if I could try some things while we wait for the level 3 tech.
     
  20. Spork Schivago

    Spork Schivago Well-Known Member

    We know what's going on now. I had no idea there was a hurricane, I don't get much time to watch TV, let alone the news channel, anymore. I am so sorry and I hope everyone down there is okay. Please let me know if there's anything I can do to help you guys.
     