[CPANEL-25899] checkallsslcerts fails when the hostname is assigned an IPv6 address

Comments

20 comments

  • cPanelMichael
    Hello @k2tec, Can you verify if you are using any third-party web server applications on this system? A recent report notes a similar problem and workaround when using Nginx: Thank you.
    0
  • k2tec
    Hello Michael, In all the years it has been running, no other server applications have been installed. The servers are all installed with CSF, Letsencrypt. I have read the thread about Nginx. Maybe it is the old mixed setup with Letsencrypt. But I can't verify this.
    0
  • cPanelMichael
    Hello @k2tec, Can you open a
    0
  • k2tec
    Your support request ID: 11539333
    0
  • k2tec
    The problem was the IPv6 IP range. Quoting the support reply: "After taking a look at your server I noticed that your server's shared IPv6 address is not a single IPv6 address but rather an entire /64. I believe this is the root cause of the issue and you will need to add a single IPv6 address (aka a /128) from the range you have to the server and set that as your shared IPv6 address. You can read more about how to properly configure IPv6 for cPanel servers at the link below."
    0
  • cPanelMichael
    Hello @k2tec, Edit. Here's the most recent update on this issue: The /usr/local/cpanel/bin/checkallsslcerts warnings appear because HTTP domain control validation will fail for the server's hostname when it's assigned an IPv6 address (the corresponding IPv6 virtual host entry isn't set up by default). Case CPANEL-25611 will address this issue. As a temporary workaround until the case is published, you can remove the AAAA DNS record for the server's hostname, manually run /usr/local/cpanel/bin/checkallsslcerts to ensure DCV (domain control validation) succeeds, and then re-add the AAAA DNS record for the server's hostname. Thank you.
    0
  • k2tec
    Thanks Michael, So far the solution above has created a certificate for both VPSes. Placed back the IPv6 on the server-services and the IPv6 on all users. Regards, Tom
    0
  • AlanB
    I have the same issue and all the hoops we have to jump thru to "maybe" fix it is scary for some. How do we even know what IPv6 range to add? This happened to me about a month ago and is still an issue. The following cPanel service generated warnings from the checkallsslcerts script. ? cpanel The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded! This notice is the result of a request from "/usr/local/cpanel/bin/checkallsslcerts".
    0
  • cPanelMichael
    Hello @AlanB, The /usr/local/cpanel/bin/checkallsslcerts warnings appear because HTTP domain control validation will fail for the server's hostname when it's assigned an IPv6 address (the corresponding IPv6 virtual host entry isn't set up by default). Case CPANEL-25611 will address this issue. As a temporary workaround until the case is published, you can remove the AAAA DNS record for the server's hostname, manually run /usr/local/cpanel/bin/checkallsslcerts to ensure DCV (domain control validation) succeeds, and then re-add the AAAA DNS record for the server's hostname. Thank you.
    0
  • cPanelMichael
    I have an open ticket with cPanel support, but so far they have not been able to resolve the issue.

    Hi @jmig, Can you share the ticket number? Thank you.
    0
  • bellwood
    If you're comfortable editing httpd.conf, on/around line 305 is the default vhost for your server's IPv4 address. If you copy that virtualhost block and change the IPv4 to your server's main IPv6 and insert it directly after (so you now have both a default IPv4 and IPv6 vhost) and then restart Apache, you'll be able to run /usr/local/cpanel/bin/checkallsslcerts and receive a certificate without issue. While this is way easier than messing with DNS, you can bork up your Apache config and it's not supported by cPanel. Note: After /usr/local/cpanel/bin/checkallsslcerts completes, it will rebuild and restart Apache - removing the new vhost block you added - so there's no need to go back in and change/remove it.
    0
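
Added example, not part of any post in this thread and not cPanel's own code: a read-only check for the two conditions discussed above, namely a hostname A/AAAA record with no matching port-80 virtual host (the HTTP DCV failure) and a shared IPv6 value that is a range instead of a single /128. The function names and the sample config are hypothetical, the addresses are documentation ranges, and `<VirtualHost>` entries without an explicit port are ignored.

```python
import ipaddress
import re

# Constructed httpd.conf excerpt (documentation addresses): only IPv4 default vhosts.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80 127.0.0.1:80>
    ServerName server.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName server.example.com
</VirtualHost>
"""
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I | re.M)


def vhost_addresses(conf_text, port=80):
    """Return (addresses with a vhost on `port`, True if a wildcard vhost exists)."""
    found, wildcard = set(), False
    for match in VHOST_RE.finditer(conf_text):
        for token in match.group(1).split():
            host, sep, vport = token.rpartition(":")
            if not sep or vport not in (str(port), "*"):
                continue  # other port, or no explicit port (ignored in this sketch)
            if host in ("*", "_default_"):
                wildcard = True
                continue
            try:
                found.add(ipaddress.ip_address(host.strip("[]")))
            except ValueError:
                pass  # a hostname rather than a literal address
    return found, wildcard


def uncovered_records(conf_text, hostname_records, port=80):
    """Hostname A/AAAA records that no vhost on `port` would answer for."""
    found, wildcard = vhost_addresses(conf_text, port)
    if wildcard:
        return []
    return [r for r in hostname_records if ipaddress.ip_address(r) not in found]


def is_single_address(shared_ipv6):
    """True for one address (a /128), False for a range such as a /64."""
    return ipaddress.ip_interface(shared_ipv6).network.prefixlen == 128
```

Pass the function the text of the server's Apache configuration and the addresses the hostname currently resolves to; any address it returns is one where an HTTP validation request would not reach a default virtual host.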
  • cPanelMichael
    Hello Everyone, The following case was included in cPanel & WHM version 78.0.15: Implemented case CPANEL-25899: Fallback to IPv4 DCV when IPv6 DCV fails for known proxies. This should address the issue reported in this thread. Additionally, case CPANEL-25611 is still planned for publication in an upcoming version 78 build to ensure the IPv6 virtual host for the server's main shared IPv6 address is set up when the httpd.conf file is built. I'll update this thread again when this case is published. Thank you.
    0
  • bellwood
    Heeey we got a back port! Someone at cPanel scream "thanks Benny" across the office ;)
    0
  • cPanelMichael
    Hello Everyone, The additional case (CPANEL-25611) was published as part of cPanel & WHM version 78.0.20 (now available on the CURRENT release tier): Fixed case CPANEL-25611: Fix checkallsslcerts for servers with an IPv6 address. Let us know of any additional issues after upgrading to version 78.0.20 or higher. Thanks!
    0
  • ericc06
    Hello, Logged as root in WHM v.78.0.21, I renewed 2 self-signed SSL certificates yesterday. This morning we received this email from the system: The following cPanel service generated warnings from the checkallsslcerts script. The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded! This notice is the result of a request from "/usr/local/cpanel/bin/checkallsslcerts". The system generated this notice on Tuesday, April 30, 2019 at 11:20:04 PM UTC. Is this warning related to the present case [CPANEL-25899]? What can I do to fix this? There is no AAAA record in the DNS. The web server is Apache/2.4.39 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4 I opened a ticket for this. Support Request ID: 12154123 Thank you.
    0
  • ericc06
    Hello, Logged as root in WHM v.78.0.21, I renewed 2 self-signed SSL certificates yesterday. This morning we received this email from the system: The following cPanel service generated warnings from the checkallsslcerts script. The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded! This notice is the result of a request from "/usr/local/cpanel/bin/checkallsslcerts". The system generated this notice on Tuesday, April 30, 2019 at 11:20:04 PM UTC. Is this warning related to the present case [CPANEL-25899]? What can I do to fix this? There is no AAAA record in the DNS. The web server is Apache/2.4.39 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4 I opened a ticket for this. Support Request ID: 12154123 Thank you.

    In my case it seems that the problem comes from a DNS configuration issue. To be confirmed...
    0
  • AlanB
    Still not working. Failed to acquire a signed certificate, same error since my first post, and I have done all requested but the AAA is not applicable.
    0
  • cPanelMichael
    Still not working. Failed to acquire a signed certificate, same error since my first post, and I have done all requested but the AAA is not applicable.

    Hello @AlanB, Can you open a
    0
  • AlanB
    Hello Everyone, The additional case (CPANEL-25611) was published as part of cPanel & WHM version 78.0.20 (now available on the CURRENT release tier): Fixed case CPANEL-25611: Fix checkallsslcerts for servers with an IPv6 address. Let us know of any additional issues after upgrading to version 78.0.20 or higher. Thanks!

    Problem continues and is very annoying. Moving away from GoDaddy and/or cPanel to see if it stops.
    0
  • cPanelMichael
    Problem continues and is very annoying. Moving away from GoDaddy and/or cPanel to see if it stops.

    Hi @AlanB, Feel free to open a
    0