[CPANEL-25598] AutoSSL not always working

Comments

28 comments

  • Denis Gomes Franco
    By the way, I noticed something while trying to issue a certificate for a domain that was not getting validated in any way. Cloudflare was already enabled with full crypto, redirect to HTTPS and automatic HTTPS rewrites were on and the SSL log showed that the certificate was not issued because it won't allow redirects as it was trying to read a .TXT authentication file and Cloudflare was redirecting it from http to https. So it seems that the certificate cannot be issued while Cloudflare is HTTPs'ing the site. And that is weird because I never had any issues like this in this same scenario while using Plesk or other hosting solutions like Cloudways or Runcloud.
    0
  • Denis Gomes Franco
    And right now I just confirmed the above: disabling Cloudflare's crypto allows the certificate to be issued correctly for all subdomains. Still, that doesn't answer why it could encrypt some subdomains and not others. Question now is: what will happen when the certificate needs to be renewed? Guess I'll have to wait 3 months to find out.
    0
  • cPanelLauren
    Hello @Denis Gomes Franco This occurs in most cases when the proxy subdomains are not properly added through CloudFlare. In order to allow them to route properly they need to be added in the CloudFlare configuration. Are the other domains listed in the initial screenshot using CloudFlare as well? To troubleshoot I'd compare the domains added on one of the working ones to the domains added on the one that isn't working properly. Thanks!
    0
  • Denis Gomes Franco
    This occurs in most cases when the proxy subdomains are not properly added through CloudFlare

    Hey Lauren, thanks for the reply. Yes I've added them, I know if I don't then I won't be able to open them up ;)
    0
  • cPanelLauren
    Hi @Denis Gomes Franco I"m wondering about two items at this point:
    • Do the other domains listed there have cloudflare? I"d asked in my previous response but it is important for the next question.
    • Do you have ipv6 enabled on the server?
    AutoSSL fails on CloudFlare servers now that we have implemented IPv6 if the underlying server doesn"t have IPv6 and is only accessible via IPv6 because CloudFlare is in front of it. That case ID is CPANEL-25598 but do let us know if that matches the situation you"re experiencing. Thanks!
    0
  • Denis Gomes Franco
    1. Yes, all of my domains are on Cloudflare. They are all configured the same way, with the same entries as those set up by Cpanel's DNS server.
    2. Yes, it is enabled on Vultr (it was enabled prior to installing Cpanel) but Cpanel does not seem to be using it, nor are there any DNS entries pointing to IPv6 addresses. Also I don't mind using IPv6 at all.
    In my reply (#3) I posited that the problem is completely gone when I turn off Cloudflare's crypto, HTTPS redirect and HTTPS automatic rewrites. Looks like AutoSSL is validating the certificate by looking for a file under . Then, AutoSSL complains that redirects were not allowed in validation so the certificate is never issued (or partially issued, which is even weirder). Thing is, I never had such issues when using Let's Encrypt on Plesk or other hosting platforms. They all worked flawlessly with my current Cloudflare settings. It should also be noted that Cloudflare can be configured to use 'flexible' encryption - that is, the server-to-CF communication is unencrypted but the CF-to-client communication is. I suppose many people use this option simply because it is the easiest way to add encryption to a website, so I believe AutoSSL should allow redirects to HTTPS when validating. EDIT: Just found out that pausing Cloudflare also allows the validation to proceed without any errors, so I don't need to disable HTTPS manually anymore.
    0
  • cPanelLauren
    Where it stands now, is If this is occurring on all the domains, I believe the internal case we have opened is relevant in this instance. If it's only happening for that one domain, I'd be more inclined to believe that there is something different with the configuration there. In the instance, it is the case we have and it's affecting all domains, until the internal case is resolved the workaround options are as follows:
    • Disable cloudflare cdn routing temporarily
    • Disable IPv6 routing in CloudFlare (this is difficult on free cloudflare accounts as it requires the use of their API rather than a switch) How do I turn the Cloudflare IPv6 gateway on or off?
    • Enable or fix IPv6 routing on the server
    0
  • Denis Gomes Franco
    is If this is occurring on all the domains

    Yes it is, at least for me...
    Disable cloudflare cdn routing temporarily

    ...until I used this workaround, which so far has worked flawlessly.
    the internal case we have opened

    Thanks for the support so far, it's been much better than Plesk's, which never got around to open cases whenever I had a problem.
    0
  • cPanelLauren
    Hi @Denis Gomes Franco Great, I think the portion where it was occurring on all domains was what I was missing, I was under the impression it was just the one domain that was having the issue. I'm really glad that the workaround listed in the case worked. The referenced case we have opened is being actively worked on and I'll update this thread when we release it to the product. Thanks!
    0
  • trsteel
    I'm having the same problem. Cloudflare domains are not allowing an SSL renewal. These all used to work. It seems to have only just stopped working recently. The following error comes through via email when it attempts a renewal "The domain "domain.com.au" resolved to an IP address "2606:4700:30:0:0:0:6812:2ca8" that does not exist on this server.". It looks like cPanel is now verifying the IP exists on the server for some reason?
    0
  • cPanelLauren
    Hello @trsteel Please read above this is a known issue and the workarounds are listed in this thread. I'll update this thread when the issue is resolved. Thanks!
    0
  • Benish
    I'm running into this same issue. Can you provide more guidance on how to implement this workaround: >Enable or fix IPv6 routing on the server
    0
  • cPanelLauren
    If you don't have IPv6 enabled or you don't have it configured properly this will cause issues with AutoSSL. The guide here should be helpful: Guide to IPv6 - How to Get Started With IPv6 - Version 68 Documentation - cPanel Documentation Thanks!
    0
  • trsteel
    Hello @trsteel Please read above this is a known issue and the workarounds are listed in this thread. I'll update this thread when the issue is resolved. Thanks!

    Can you tell me if a fix is coming soon? We have a certificate expiring in 5 days and are wondering if we should just wait. Would switching to the cPanel certificates over Let's Encrypt resolve the issue?
    0
  • cPanelLauren
    Hello @trsteel The current workarounds are listed in this thread, I've also included them here:
    until the internal case is resolved the workaround options are as follows:
    • Disable cloudflare cdn routing temporarily
    • Disable IPv6 routing in CloudFlare (this is difficult on free cloudflare accounts as it requires the use of their API rather than a switch)
    0
  • cPanelLauren
    Hello, I just wanted to let you guys know that the patch for v78 for this issue has been implemented in v78.0.15 Please let us know if the issue persists after you update to this version. Thanks!
    0
  • Hazz
    When can we expect this to be available on the release tier?
    0
  • cPanelLauren
    Hello @Hazz This just went to CURRENT today so I would anticipate sometime next week for it to be moved to RELEASE. Thanks!
    0
  • kiti
    I found a workaround: I use my server as a nameserver. I do a sudo nano /etc/hosts, comment out the actual nameserver and replace it with nameserver 127.0.0.1. Consequently, during the AutoSSL renewal process, WHM/cPanel will not get the DNS entries from Cloudflare but from the DNS records of the cPanel server itself. That's how I get the right _cpanel-dcv-test-record.mydomain.com
    0
  • cPanelLauren
    I also want to point out that it looks like v78.0.15 went to RELEASE today so the issue should be resolved once you update. Thanks!
    0
  • Denis Gomes Franco
    Hey guys, I'm back. AutoSSL renewed some certificates that were about to expire and I got the REDUCED COVERAGE notice. I went to check the logs and AutoSSL says that the IP the domain is pointing to does not resolve to the server - of course, because the domain is being proxied by Cloudflare. That is bad because after that renewal the site started to show security warnings. A few weeks ago we had some downtime on Cloudflare that took most Brazilian websites down. As a temporary measure we all disabled Cloudflare on all our sites, and ever since I've been wondering if it is really worth using Cloudflare at all. Anyway, I digress. Before on this thread I mentioned that temporarily disabling Cloudflare allowed the certificate to be issued. Now I have found another way to deal with this: by disabling the orange cloud on the domain's entries. That will disable CF's proxying and it will act only as a DNS server. Still not ideal, but at least it works this way. Also, Cpanel should really look into making this work WITH the orange cloud enabled.
    0
  • Denis Gomes Franco
    By the way, an extremely easy way to solve this conundrum is to simply provide the admin with the ACME-CHALLENGE string so we can manually add it as an entry in Cloudflare's DNS section. AND MAKE THAT string unchangeable afterwards - because if it changes at every renewal....
    0
  • cPanelLauren
    Hello @Denis Gomes Franco The issues with this should have been resolved. Which version of cPanel are you running?
    0
  • Denis Gomes Franco
    Hey @cPanelLauren, I guess not, some certificates were up for renewal and I tried running AutoSSL manually on them after deleting them. They all failed precisely because when Cloudflare is proxying the domain, the domain will resolve to Cloudflare's IP and not my server's IP, thus causing the domain validation to fail. I understand Cpanel will also try file-based validation when IP-based validation fails but that won't work as expected either because it won't validate special subdomains like cpanel.domain.com or webmail.domain.com. Disabling the domain proxying (grey cloud on Cloudflare) solves the problem but then I have to remember to do this every 3 months or so for every domain, if I want to keep using Cloudflare's CDN.
    0
  • cPanelLauren
    Hi @Denis Gomes Franco That shouldn't be the case still. To rule out a separate issue can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
    0
  • Denis Gomes Franco
    Hey @cPanelLauren I was going to open a ticket but while writing about the problem in detail some ideas came up and I think I managed to fix the issue. Please also take this as feedback for future versions, and of course I hope this helps someone out there in the same situation :) Here's the thing:
    • All my domains are on Cloudflare.
    • All subdomains, except for MAIL and FTP, are proxied (orange cloud).
    • I'm using Sectigo as an SSL provider.
    • The following options are enabled on Cloudflare for all domains: FULL ENCRYPTION, ALWAYS USE HTTPS and AUTOMATIC HTTPS REWRITES.
    • According to Cloudflare documentation, FULL ENCRYPTION means that Cloudflare will connect to my server via HTTPS even if the certificate is not valid or is self-signed.
    • But if there is no certificate (e.g. I deleted the certificate in order to issue a new one) then the file-based validation used by Cpanel will fail because the server will throw a 404 error even if the .TXT file is actually present. I tested this hypothesis by changing to FLEXIBLE ENCRYPTION and this makes the file accessible. FLEXIBLE means that Cloudflare will connect to your server via HTTP, but will still present HTTPS to the user. This is useful when you cannot or will not install an SSL certificate on the server.
    • However I unknowingly created another problem with the ALWAYS USE HTTPS option: with it enabled, all HTTP requests are changed into HTTPS requests - which is great to fix all those nasty MIXED CONTENT messages appearing on websites. But this also caused the Cpanel validation to fail: as it will first try to validate via HTTP, and Cloudflare will redirect it to HTTPS, the validation will fail with a REDIRECTIONS ARE NOT ALLOWED error in Cpanel.
    • Disabling ALWAYS USE HTTPS solves the problem. However, now I need to test if websites will throw up any mixed content errors.
    My take on this is: Cpanel *should* allow redirections during validation. I understand this is due to security reasons but a simple HTTP to HTTPS redirection with the exact same URL should not trigger this error. This would allow us to keep ALWAYS USE HTTPS enabled.
    0
  • cPanelLauren
    Hi @Denis Gomes Franco Thanks for sharing your findings!
    - However I unknowingly created another problem with the ALWAYS USE HTTPS option: with it enabled, all HTTP requests are changed into HTTPS requests - which is great to fix all those nasty MIXED CONTENT messages appearing on websites. But this also caused the Cpanel validation to fail: as it will first try to validate via HTTP, and Cloudflare will redirect it to HTTPS, the validation will fail with a REDIRECTIONS ARE NOT ALLOWED error in Cpanel.

    The best way to resolve that issue would be to fix the resources that are loading insecurely. The only reason it's not an error right now is that the CloudFlare SSL is being applied to the cached version of your site. We do have a resource here on mixed content: Tutorial - How to Fix Mixed Content Warnings
    My take on this is: Cpanel *should* allow redirections during validation. I understand this is due to security reasons but a simple HTTP to HTTPS redirection with the exact same URL should not trigger this error. This would allow us to keep ALWAYS USE HTTPS enabled.

    Unfortunately this is out of our control, Sectigo will not follow redirects which includes redirections to https.
    0
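A small pre-flight check for the two DCV failure modes described in this thread (the name resolving to a proxy address that is not bound on the server, and the HTTP-to-HTTPS redirect that the validation client refuses to follow). This is an added example, not cPanel's or Cloudflare's code; the server address 203.0.113.10 and the validation path are constructed, the IPv6 address is the one quoted above, and the live `probe` helper is an assumption about how a practitioner would gather the same inputs.

```python
import socket
import http.client
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the failures reported in this thread.
SERVER_IPS = {"203.0.113.10"}  # constructed: addresses actually bound on the cPanel host
SAMPLE_DNS = {"domain.com.au": ["2606:4700:30:0:0:0:6812:2ca8"]}  # address quoted in the thread
SAMPLE_HTTP = {"domain.com.au": (301, "https://domain.com.au/.well-known/pki-validation/test.txt")}

def diagnose(domain, resolved_ips, server_ips, status, location):
    """Classify DCV preconditions; returns a list of findings (empty means it looks fine)."""
    findings = []
    foreign = [ip for ip in resolved_ips if ip not in server_ips]
    if not resolved_ips:
        findings.append("no A/AAAA records: the validator cannot reach the host")
    elif foreign:
        findings.append(f"resolves to {foreign}, not present on this server (proxy/CDN in front?)")
    if status in (301, 302, 307, 308):
        target = urlsplit(location or "")
        if target.scheme == "https" and target.hostname == domain:
            findings.append("HTTP->HTTPS redirect: validator reports 'redirects not allowed'")
        else:
            findings.append(f"redirect to {location!r}: the validator will not follow it")
    elif status == 404:
        findings.append("validation file returns 404 (wrong vhost or origin TLS mode mismatch?)")
    elif status != 200:
        findings.append(f"unexpected HTTP status {status}")
    return findings

def probe(domain, path="/.well-known/pki-validation/probe.txt", timeout=5):
    """Live lookup using only the standard library; deliberately does not follow redirects."""
    ips = sorted({r[4][0] for r in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)})
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": domain})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    return ips, status, location

def diagnose_sample(domain):
    """Run the classifier over the constructed sample data (offline)."""
    status, location = SAMPLE_HTTP[domain]
    return diagnose(domain, SAMPLE_DNS[domain], SERVER_IPS, status, location)

if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, diagnose_sample(name))
```

For a real host, feed `probe(domain)` into `diagnose` together with the addresses bound on the server; a clean result before running AutoSSL saves a wasted renewal attempt.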
  • Denis Gomes Franco
    We do have a resource here on mixed content

    I know about Really Simple SSL for Wordpress but I don't want to use it. It'll be one less plugin for me to deal with (BTW I host over 100 sites now).
    Sectigo will not follow redirects

    They should allow this specific exception, IMHO.
    0