Neither HTTP nor DNS DCV preflight checks succeeded

Comments

14 comments

  • cPanelLauren
    Can you provide the output of the following (be sure to remove the actual domain name): /usr/local/cpanel/bin/checkallsslcerts --verbose --allow-retry
  • f1alan
    Thank you for getting back to me. Here is the requested output:

    The system will check for the certificate for the "cpanel" service.
    The system will attempt to replace the self-signed certificate for the "cpanel" service with a signed certificate from the cPanel Store.
    The system will attempt to install a certificate for the "cpanel" service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the "cpanel" service.
    The system will attempt to install a certificate for the "cpanel" service from the cPanel store.
    Received error "X::NoCertificate" from cPanel Store; requesting new certificate
    Setting up HTTP DCV (/var/www/html/.well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt) … complete.
    Setting up DNS DCV (CNAME _f6534adaf09b61b8d15cba54434f5254.*****************) … complete.
    Attempting DNS DCV preflight check … FAILED: The DNS DCV check (_f6534adaf09b61b8d15cba54434f5254.***************** IN CNAME) did not return the expected value (864eaf5d1456be06c820c9f2a7d13e82.1a38f0d21e882e135fd1180ca1f96afa****odoca****).
    Attempting HTTP DCV preflight check … FAILED: Cpanel::Exception/(XID 9kdz7n) The system queried for a temporary file at "http://*****************/.well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 404.
    Cpanel::SSL::DCV::__ANON__(Cpanel::Exception::HTTP::Server=HASH(0x31a3758)) called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
    Try::Tiny::try(CODE(0x31ce878), Try::Tiny::Catch=REF(0x2db5980)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 464
    Cpanel::SSL::DCV::_verify_http("http://*****************/.well-known/pki-validation/F6534ADAF"..., "864eaf5d1456be06c820c9f2a7d13e821a38f0d21e882e135fd1180ca1f96"..., "COMODO DCV", 4, ARRAY(0x3114c28)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 306
    Cpanel::SSL::DCV::verify_http("http://*****************/.well-known/pki-validation/F6534ADAF"..., "864eaf5d1456be06c820c9f2a7d13e821a38f0d21e882e135fd1180ca1f96"..., "COMODO DCV") called at /usr/local/cpanel/Cpanel/Market/Provider/cPStore/Utils.pm line 88
    Cpanel::Market::Provider::cPStore::Utils::imitate_http_dcv_check_locally("*****************", ".well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt", "864eaf5d1456be06c820c9f2a7d13e821a38f0d21e882e135fd1180ca1f96"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 193
    eval {...} called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 189
    Cpanel::cPStore::HostnameCert::DCV::set_up("-----BEGIN CERTIFICATE REQUEST-----\x{a}MIICkDCCAXgCAQAwHDEaMBgGA"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 159
    Cpanel::cPStore::HostnameCert::_request_new_certificate(Cpanel::cPStore::HostnameCert=HASH(0x2670830)) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 129
    Cpanel::cPStore::HostnameCert::get_hostname_cert_from_store(Cpanel::cPStore::HostnameCert=HASH(0x2670830)) called at bin/checkallsslcerts.pl line 528
    bin::checkallsslcerts::_get_certificate_pem_from_store(bin::checkallsslcerts=HASH(0x1e240f8)) called at bin/checkallsslcerts.pl line 450
    bin::checkallsslcerts::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
    eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
    Try::Tiny::try(CODE(0x223f940), Try::Tiny::Catch=REF(0x1e95180)) called at bin/checkallsslcerts.pl line 454
    bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_cpstore(bin::checkallsslcerts=HASH(0x1e240f8), "cpanel") called at bin/checkallsslcerts.pl line 310
    bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x1e240f8), "cpanel") called at bin/checkallsslcerts.pl line 86
    bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x1e240f8)) called at bin/checkallsslcerts.pl line 50
    Undoing HTTP DCV setup … complete.
    Undoing DNS DCV setup … complete.
    [WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
    The system will check for the certificate for the "dovecot" service.
    The system will attempt to replace the self-signed certificate for the "dovecot" service with a signed certificate from the cPanel Store.
    The system will attempt to install a certificate for the "dovecot" service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the "dovecot" service.
    The system will check for the certificate for the "exim" service.
    The system will attempt to replace the self-signed certificate for the "exim" service with a signed certificate from the cPanel Store.
    The system will attempt to install a certificate for the "exim" service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the "exim" service.
    The system will check for the certificate for the "ftp" service.
    The system will attempt to replace the self-signed certificate for the "ftp" service with a signed certificate from the cPanel Store.
    The system will attempt to install a certificate for the "ftp" service from the system ssl storage.
    None of the certificates in the system ssl storage were acceptable to use for the "ftp" service.
  • cPanelLauren
    There are two separate checks that are done for DCV: DNS and HTTP. The DNS DCV check looks for a record added to your domain and only works if DNS is local. The HTTP check looks for the presence of a txt file using a curl request. In your case the output from the preflight checks (there is a check done before it's submitted to the CA) shows that neither of these is successful:

    Attempting DNS DCV preflight check … FAILED: The DNS DCV check (_f6534adaf09b61b8d15cba54434f5254.***************** IN CNAME) did not return the expected value (864eaf5d1456be06c820c9f2a7d13e82.1a38f0d21e882e135fd1180ca1f96afa****odoca****).
    Attempting HTTP DCV preflight check … FAILED: Cpanel::Exception/(XID 9kdz7n) The system queried for a temporary file at "http://*****************/.well-known/pki-validation/F6534ADAF09B61B8D15CBA54434F5254.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 404.

    Two questions you need to ask are:
    1. Is DNS hosted locally on the server?
    2. If DNS is not local, can I place a .txt file in /home/$user/.well-known/pki-validation/ and perform a request similar to the following:
    curl -kvv -A "COMODO DCV" http://domain.tld/.well-known/pki-validation/file.txt
  • f1alan
    In answer to your first question, our DNS is hosted externally. Therefore, I followed your instructions and here is the output of the command:

    curl -kvv -A "COMODO DCV" http://*****************/.well-known/pki-validation/file.txt
    * About to connect() to ***************** port 80 (#0)
    *   Trying 91.109.4.253... connected
    * Connected to ***************** (91.109.4.253) port 80 (#0)
    > GET /.well-known/pki-validation/file.txt HTTP/1.1
    > User-Agent: COMODO DCV
    > Host: *****************
    > Accept: */*
    >
    < HTTP/1.1 404 Not Found
    < Date: Fri, 28 Feb 2020 09:06:17 GMT
    < Server: Apache/2.4.38 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4
    < Content-Length: 352
    < Content-Type: text/html; charset=iso-8859-1
    <
    404 Not Found
    Not Found
    The requested URL /.well-known/pki-validation/file.txt was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    * Connection #0 to host ***************** left intact
    * Closing connection #0

    I believe this is equivalent to the command run in your script. However, I changed it to use HTTPS rather than HTTP and got the following output:

    curl -kvv -A "COMODO DCV" https://*****************/.well-known/pki-validation/file.txt
    * About to connect() to ***************** port 443 (#0)
    *   Trying 91.109.4.253... connected
    * Connected to ***************** (91.109.4.253) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * warning: ignoring value of ssl.verifyhost
    * skipping SSL peer certificate verification
    * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    * Server certificate:
    *   subject: CN=*****************,E=ssl@*****************
    *   start date: Feb 19 08:49:51 2020 GMT
    *   expire date: Feb 18 08:49:51 2021 GMT
    *   common name: *****************
    *   issuer: CN=*****************,E=ssl@*****************
    > GET /.well-known/pki-validation/file.txt HTTP/1.1
    > User-Agent: COMODO DCV
    > Host: *****************
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Fri, 28 Feb 2020 09:06:37 GMT
    < Server: Apache/2.4.38 (cPanel) OpenSSL/1.0.2r mod_bwlimited/1.4
    < Last-Modified: Fri, 28 Feb 2020 09:04:18 GMT
    < ETag: "e25cf-0-59f9f1f60d368"
    < Accept-Ranges: bytes
    < Content-Length: 0
    < Content-Type: text/plain
    <
    * Connection #0 to host ***************** left intact
    * Closing connection #0
  • cPanelLauren
    Hello. You'd need to create the .txt file; I used file.txt as an example. Note that in this output you get a 404 error because it's not present. Also, the HTTP DCV check cannot be completed over HTTPS (it assumes you do not have a valid SSL certificate and as such wouldn't have an SSL VirtualHost).
  • f1alan
    Thanks. Just to confirm that I did indeed create file.txt in the test. It had the same permissions as the generated C2256B0463FB5735B559623759F600FD.txt.
  • cPanelLauren
    That's my fault: I didn't even notice in the second attempt that you got a 200 response when performing the check over HTTPS, as I stopped reading at HTTPS. The DCV check does not function over HTTPS, and if you are forcing traffic to HTTPS for that domain or for all domains you MUST add an exclusion for the HTTP DCV check.
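The two replies above (the preflight description with its curl command, and the warning about forced-HTTPS redirects) can be reproduced locally. The following POSIX shell script is an added example, not code from this thread or from cPanel: it writes a token file under the docroot, fetches it the way the preflight does (plain HTTP, the "COMODO DCV" user agent, and no redirect following, so a redirect to HTTPS is reported rather than silently followed), checks the `_label` CNAME with dig, and turns each outcome into a verdict that names the likely cause. The docroot, the token filename, the function names and the example hostnames are assumptions; the expected CNAME target is whatever your own checkallsslcerts output reports.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel. Reproduces the two DCV
# preflight checks so that a failure names its cause:
#   HTTP: token file under <docroot>/.well-known/pki-validation/, fetched over
#         plain HTTP with the "COMODO DCV" user agent, WITHOUT following
#         redirects (a forced HTTPS redirect therefore shows up as a failure).
#   DNS:  the _<label>.<domain> CNAME compared with the target cPanel printed.
# Assumptions: docroot, token name and function names are made up; the expected
# CNAME target must come from your own checkallsslcerts output.

# classify_dcv_response STATUS REDIRECT_URL BODY EXPECTED_BODY -> one verdict line
classify_dcv_response() {
    status=$1; redirect=$2; body=$3; expected=$4
    case "$status" in
        200)
            if [ "$body" = "$expected" ]; then
                echo "PASS: token served over plain HTTP with the expected content"
            else
                echo "FAIL: 200 but wrong body (a different vhost, rewrite or error page answered)"
            fi ;;
        301|302|307|308)
            case "$redirect" in
                https://*) echo "FAIL: redirected to HTTPS ($redirect); exclude /.well-known/pki-validation/ from the HTTPS redirect" ;;
                *)         echo "FAIL: redirected to $redirect; the check expects the file at the plain-HTTP URL" ;;
            esac ;;
        404) echo "FAIL: 404; the file is not in the docroot Apache serves for this Host on port 80 (docroot or DNS mismatch)" ;;
        000) echo "FAIL: no HTTP response at all (DNS, firewall, or Apache not listening on port 80)" ;;
        *)   echo "FAIL: unexpected HTTP status $status" ;;
    esac
}

# classify_dns_answer GOT_CNAME EXPECTED_CNAME -> one verdict line
# Trailing dots and letter case are insignificant in DNS names, so normalise both.
classify_dns_answer() {
    got=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    if [ -z "$got" ]; then
        echo "FAIL: no CNAME answer (record not published; cPanel can only add it when DNS is hosted locally)"
    elif [ "$got" = "$want" ]; then
        echo "PASS: CNAME matches the expected target"
    else
        echo "FAIL: CNAME points to $got, expected $want"
    fi
}

# run_http_dcv_preflight DOMAIN DOCROOT TOKEN
# Writes the token, fetches it the way the preflight does, cleans up, prints the verdict.
run_http_dcv_preflight() {
    domain=$1; docroot=$2; token=$3
    dir="$docroot/.well-known/pki-validation"
    expected="dcv-preflight-$token"          # content is arbitrary; only equality matters
    mkdir -p "$dir"
    printf '%s' "$expected" > "$dir/$token.txt"
    tmp=$(mktemp)
    # -A: the user agent the cPanel trace shows; no -L: report redirects instead of following them
    meta=$(curl -s -A "COMODO DCV" -o "$tmp" -w '%{http_code} %{redirect_url}' \
               "http://$domain/.well-known/pki-validation/$token.txt" 2>/dev/null)
    status=${meta%% *}; redirect=${meta#* }
    [ -n "$status" ] || status=000
    classify_dcv_response "$status" "$redirect" "$(cat "$tmp")" "$expected"
    rm -f "$tmp" "$dir/$token.txt"
}

# run_dns_dcv_preflight DOMAIN LABEL EXPECTED_TARGET
# LABEL is the _<hex> name and EXPECTED_TARGET the value from the cPanel output.
run_dns_dcv_preflight() {
    answer=$(dig +short CNAME "$2.$1" 2>/dev/null | head -n 1)
    classify_dns_answer "$answer" "$3"
}

# Stand-alone use (hypothetical paths and names):
#   sh dcv_preflight.sh http example.test /home/user/public_html
#   sh dcv_preflight.sh dns  example.test _LABEL <expected-target>
case "${1:-}" in
    http) run_http_dcv_preflight "$2" "$3" "${4:-DCVTEST$$}" ;;
    dns)  run_dns_dcv_preflight "$2" "$3" "$4" ;;
esac
```

Run the `http` mode against the docroot that the port-80 VirtualHost actually serves for the domain. A 404 over HTTP with a 200 for the same path over HTTPS, which is what the two curl runs earlier in this thread show, means the port-80 and port-443 virtual hosts are not serving the same directory for that Host (or a rewrite on port 80 gets in the way), and the 404 branch above points at that. If the verdict is the HTTPS-redirect one, exempt the validation path from the redirect; for an Apache mod_rewrite redirect one common form (an assumption, not from the thread) is a `RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/` placed before the rule that sends traffic to HTTPS, so the plain-HTTP fetch of the token is still answered with 200.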
  • f1alan
    OK, but I'm still unsure how to proceed. Our version of cPanel has been stable for over a year and this only started a few weeks ago. Therefore, I'm a bit confused by the difference between HTTP and HTTPS, as your script can't have changed.
  • f1alan
    Are there any other suggestions how we might track down this problem?
  • f1alan
    Any other ideas what has caused this?
  • cPanelLauren
    The DCV check will never be performed over HTTPS; that would assume a certificate is already in place, and neither Comodo nor the Let's Encrypt plugin performs the check over HTTPS. To accurately get an idea of whether or not your domain will successfully pass the DCV check, you need to perform it over HTTP.
  • f1alan
    I appreciate this but my concern still stands that we have been using v78.0.46 for a year with no changes to this configuration made. Why has it suddenly started giving these errors if nothing has been changed?
  • cPanelLauren
    Not sure, and that is what I was hoping to start getting a lead on, but with the information I have right now that's impossible. Can you please open a ticket using the link in my signature? Once it is open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
  • f1alan
    Thanks. I went through the ticket process and was advised to raise a ticket with our ISP first, so that is what I've done.