SSL for DNSOnly Server Failing

Operating System & Version
CentOS 7
cPanel & WHM Version
88.0.13

keencs

Member
Feb 16, 2013
21
3
53
cPanel Access Level
Root Administrator
Hello,

I recently installed cPanel DNSOnly on a new VPS. I am trying to get the free SSL certificate installed for WHM and related services.

When I run /usr/local/cpanel/bin/checkallsslcerts, both DNS and DCV validation fail. I would expect DNS to fail, because the server doesn't control its own TLD DNS. However, I can't figure out why HTTP DCV is failing. Below is the error portion of the output from the script.

I've validated that the txt file lands and that the file is accessible from the web via the path in the log.

FAILED: Cpanel::Exception/(XID 7cg2qg) The system failed to fetch the DCV (Domain Control Validation) file at “http://{FQDN}/.well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://{FQDN}/.well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.txt” because of an error: Could not connect to '{FQDN}:80': Connection refused.
at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 393.
Cpanel::SSL::DCV::__ANON__(Cpanel::Exception::HTTP::Network=HASH(0x2a7f478)) called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
Try::Tiny::try(CODE(0x2a837b0), Try::Tiny::Catch=REF(0x248e520)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 416
Cpanel::SSL::DCV::_verify_http("http://{FQDN}/.well-known/pki-validation/XXXXXXX"..., "XXXXXX"..., "COMODO DCV", 0, 6, ARRAY(0x2a955f8)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 242
eval {...} called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 242
Cpanel::SSL::DCV::verify_http_with_dns_lookups("http://{FQDN}/.well-known/pki-validation/XXXXXX"..., "XXXXXX"..., "COMODO DCV", 0, undef) called at /usr/local/cpanel/Cpanel/Market/Provider/cPStore/Utils.pm line 98
Cpanel::Market::Provider::cPStore::Utils::imitate_http_dcv_check_locally("catch.keencs.net", ".well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.txt", "XXXXXX"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 193
eval {...} called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 189
Cpanel::cPStore::HostnameCert::DCV::set_up("-----BEGIN CERTIFICATE REQUEST-----\x{a}XXXXXX"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 172
Cpanel::cPStore::HostnameCert::_request_new_certificate(Cpanel::cPStore::HostnameCert=HASH(0x1a33ce0)) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 142
Cpanel::cPStore::HostnameCert::get_hostname_cert_from_store(Cpanel::cPStore::HostnameCert=HASH(0x1a33ce0)) called at bin/checkallsslcerts.pl line 542
bin::checkallsslcerts::_get_certificate_pem_from_store(bin::checkallsslcerts=HASH(0x16420c8)) called at bin/checkallsslcerts.pl line 464
bin::checkallsslcerts::__ANON__() called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x1a34028), Try::Tiny::Catch=REF(0x198cb00)) called at bin/checkallsslcerts.pl line 468
bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_cpstore(bin::checkallsslcerts=HASH(0x16420c8), "cpanel") called at bin/checkallsslcerts.pl line 320
bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x16420c8), "cpanel") called at bin/checkallsslcerts.pl line 86
bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x16420c8)) called at bin/checkallsslcerts.pl line 50

Any ideas would be appreciated.
Ryan
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Based on this, the connection over port 80 is being refused:

Code:
Could not connect to '{FQDN}:80': Connection refused.
at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 393.
It's not just AutoSSL either, I can't even reach the site:

Code:
curl -kvv catch.youdomain.net
*   Trying <IPV6Address Removed)
* TCP_NODELAY set
* Connection failed
* connect to <IPV6Address Removed> port 80 failed: Connection refused
*   Trying <IPV4Address Removed>...
* TCP_NODELAY set
* Connected to catch.keencs.net (<IPV4Address Removed>) port 80 (#0)
> GET / HTTP/1.1
> Host: catch.yourdomain.net
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Length: 9062
< Content-Type: text/html; charset=UTF-8
< Cache-Control: no-cache
< Connection: close
< Proxy-Connection: close
 

keencs

Member
Looking over your connection, it looks like you did reach the site - you received a 403 error, is that correct? I would assume that would be normal for cPanel DNSOnly.

Is the issue the refusal over IPv6? Perhaps the Apache web server in cPanel DNSOnly doesn't respond on IPv6 addresses. If that is the case and the DCV script doesn't fall back to IPv4, then I am not sure I can fix this.
 

keencs

Member
After researching further, I think that is the case. It appears the web server that is serving /usr/local/apache/htdocs/ doesn't respond via IPv6.
The HTTP DCV process doesn't seem to fall back to IPv4 when the refusal on IPv6 is received.
I am searching for the config file to see if I can enable it to listen on IPv6.
 

keencs

Member
It looks like /usr/local/cpanel/cpsrvd is serving the pages. It doesn't appear that that service is IPv6 compatible. I am uncertain how to correct this short of removing the IPv6 address from the server. :(
 

keencs

Member
I removed the IPv6 address from the server and the certificate generated without issue. Ideally, I would like to re-enable IPv6 on this server; any solutions or alternative ideas would be appreciated.
 

cPanelLauren

Product Owner II
Staff member
The issue is that, on a refusal over IPv6, Sectigo won't fall back. If you have IPv6 configured correctly it does respond as expected. There appears to be an issue with the IPv6 configuration on the server. You might want to look this documentation over:
 

keencs

Member
I've reviewed both documents and completed all troubleshooting listed, I couldn't identify any problems with IPv6 on this server. I even went so far as to reinstall CentOS and cPanel from scratch and arrived at the same problem.

From the server I can ping other IPv6 hosts, I can wget from other IPv6 servers and I can ping this server via IPv6 without issue. I can't see any IPv6 connectivity problems whatsoever.

When looking at my other full cPanel servers, there is a setting in Tweak Settings, "Listen on IPv6 Addresses", that is defaulted to off. This seems to control listening on IPv6. I don't see this setting in cPanel DNSOnly. Perhaps if there is a way to enable this, it would resolve my issue.
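A pre-flight check for the failure mode diagnosed in this thread, written as an added example and not code from cPanel or the thread's participants: it resolves every A and AAAA record of the hostname and attempts a TCP connection to port 80 on each, since a validator that does not fall back after an IPv6 refusal will fail DCV on any published address that refuses. The hostname, sample addresses and the resolver/connector injection points are assumptions for illustration.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Added example (not cPanel code): probe every published address of a
# hostname on the DCV port. The thread's failure mode is an AAAA record for a
# host whose cPanel service only listens on IPv4; the validator does not fall
# back to the A record after "Connection refused" on IPv6, so DCV fails.

Resolver = Callable[[str, int], List[Tuple[str, str]]]   # -> [("IPv6", ip), ...]
Connector = Callable[[str, str, int], str]               # -> "open"/"refused"/"unreachable"


def resolve_all(hostname: str, port: int) -> List[Tuple[str, str]]:
    """Return ("IPv4"/"IPv6", address) for every A/AAAA record of hostname."""
    out: List[Tuple[str, str]] = []
    for family, _t, _p, _n, sockaddr in socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        if (label, sockaddr[0]) not in out:
            out.append((label, sockaddr[0]))
    return out


def tcp_connect(label: str, ip: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connection and classify the outcome."""
    family = socket.AF_INET6 if label == "IPv6" else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"          # the error seen in the thread's DCV log
        except OSError:
            return "unreachable"      # timeout, no route, etc.


def dcv_preflight(hostname: str, port: int = 80,
                  resolver: Resolver = resolve_all,
                  connector: Connector = tcp_connect) -> Dict[str, object]:
    """Classify each published address; flag the IPv6-without-listener case."""
    status = {ip: (label, connector(label, ip, port)) for label, ip in resolver(hostname, port)}
    v6_down = [ip for ip, (l, st) in status.items() if l == "IPv6" and st != "open"]
    v4_open = [ip for ip, (l, st) in status.items() if l == "IPv4" and st == "open"]
    if v6_down and v4_open:
        verdict = "AAAA published but no IPv6 listener: fix the listener or drop the AAAA"
    elif any(st != "open" for _, st in status.values()):
        verdict = "a published address refuses connections; DCV will fail on it"
    else:
        verdict = "ok: every published address accepts connections on port %d" % port
    return {"addresses": status, "verdict": verdict}
```

Run `dcv_preflight("your.hostname")` on the server before requesting the certificate; the verdict tells you whether the hostname's own DNS is advertising an address nothing is listening on.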