Failed to fetch the DCV file because of no NAT loopback error
Hello,
I just saw that the AutoSSL feature is not working on our server because of the following error:
The system failed to fetch the DCV (Domain Control Validation) file at "http://mydomain.it/.well-known/pki-validation/BLABLABLA.txt" because of an error (cached): Could not connect to ':80': Connection timed out.
This is because our server, which is publicly reachable with , is behind a firewall which does not support NAT loopback (Network address translation - Wikipedia). For this reason, the server cannot reach itself (and hence it cannot connect to its hosted virtual hosts) by using the public IP resolved by a normal DNS request for any of its hosted virtual host addresses. I think this is not an unusual situation, so I guess some way exists to fix this problem. Can anyone help me with this please? Thank you, Mauro
Hello, We do have a few internal cases on this issue in which our development has indicated that this is not something that we can provide a resolution for. There are plans in the works for DNS-based DCV checks sometime in the future (hopefully v74), but until those are released, servers with this configuration will fail the AutoSSL DCV check. 0 -
Hi, thanks for your support. IMHO this problem could be solved by using a DNS proxy that resolves to localhost (or to the internal IP address of the server) all addresses such as *.example.com, where example.com is any of the domains associated to WHM accounts, and fallback to the default DNS server for all the other requests. In the meanwhile, is there a way to disable SSL as a whole for all the accounts? Right now, I can connect to both http://www.example.com and https://www.example.com, but the latter produces a client-side error because of the expired SSL certificate that AutoSSL cannot update. I would like to disable https://www.example.com as a whole, so that each domain can be accessed only as http://www.example.com
Thanks in advance again, Mauro 0 -
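The DNS override proposed in the post above, sketched as an added example that is not part of the original thread and not cPanel's own code. It assumes dnsmasq as the DNS proxy and a `domain: user` layout for the hosted-domain list (as in cPanel's /etc/userdomains); the function names, sample data and IP addresses are constructed.

```python
import ipaddress

# Constructed sample in the "domain: user" layout assumed for /etc/userdomains.
SAMPLE_USERDOMAINS = """\
*: nobody
example.com: alice
shop.example.org: bob
Example.COM.: alice
"""

def parse_userdomains(text):
    """Return the sorted, de-duplicated domain names from 'domain: user' lines."""
    domains = set()
    for line in text.splitlines():
        name, sep, _user = line.partition(":")
        name = name.strip().lower().rstrip(".")
        if sep and name and name != "*":  # skip the wildcard/default entry
            domains.add(name)
    return sorted(domains)

def resolves_locally(name, domains):
    """Mirror dnsmasq address=/domain/ matching: the domain itself or any subdomain."""
    name = name.lower().rstrip(".")
    # Match on a label boundary so "notexample.com" is not captured by "example.com".
    return any(name == d or name.endswith("." + d) for d in domains)

def dnsmasq_config(domains, internal_ip, upstream):
    """Build a dnsmasq config: hosted domains -> internal_ip, everything else -> upstream."""
    ip = ipaddress.ip_address(internal_ip)
    if not (ip.is_private or ip.is_loopback):
        raise ValueError(f"{internal_ip} is not an internal or loopback address")
    ipaddress.ip_address(upstream)  # raises ValueError on a malformed upstream
    lines = ["listen-address=127.0.0.1", "no-resolv", f"server={upstream}"]
    lines += [f"address=/{d}/{ip}" for d in domains]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hosted = parse_userdomains(SAMPLE_USERDOMAINS)
    print(dnsmasq_config(hosted, "192.168.1.10", "192.0.2.53"), end="")
```

The override only affects lookups the server itself sends through this resolver; outside clients keep resolving the public IP through normal DNS.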
Hi @mauromol The best way to do this is to force the redirection to http. The best way to add this in this instance would be through the redirects UI in cPanel. 0 -
But this requires me to change each account one by one... :-( Isn't there a way to do this globally on WHM? 0 -
Hi @mauromol You could add a global rewrite in the Apache configuration, but this would mean that none of your sites would be able to be viewed over https, which would be a security concern for those that potentially request/use logins or personal customer information. The following documentation goes over information about includes: Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation 0