SSL for DNSOnly Server Failing
Hello,
I recently installed cPanel DNSOnly on a new VPS. I am trying to get the free SSL certificate installed for WHM and related services.
When I run /usr/local/cpanel/bin/checkallsslcerts, both DNS and DCV validation fail. I would expect DNS to fail, because the server doesn't control its own TLD DNS. However, I can't figure out why HTTP DCV is failing. Below is the error portion of the output from the script.
I've validated that the txt file lands and that the file is accessible from the web via the path in the log.
FAILED: Cpanel::Exception/(XID 7cg2qg) The system failed to fetch the DCV (Domain Control Validation) file at "http://{FQDN}/.well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.txt" because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) "GET" request to "http://{FQDN}/.well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.txt" because of an error: Could not connect to '{FQDN}:80': Connection refused.
at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 393.
Cpanel::SSL::DCV::__ANON__(Cpanel::Exception::HTTP::Network=HASH(0x2a7f478)) called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
Try::Tiny::try(CODE(0x2a837b0), Try::Tiny::Catch=REF(0x248e520)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 416
Cpanel::SSL::DCV::_verify_http("http://{FQDN}/.well-known/pki-validation/XXXXXXX"..., "XXXXXX"..., "COMODO DCV", 0, 6, ARRAY(0x2a955f8)) called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 242
eval {...} called at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 242
Cpanel::SSL::DCV::verify_http_with_dns_lookups("http://{FQDN}/.well-known/pki-validation/XXXXXX"..., "XXXXXX"..., "COMODO DCV", 0, undef) called at /usr/local/cpanel/Cpanel/Market/Provider/cPStore/Utils.pm line 98
Cpanel::Market::Provider::cPStore::Utils::imitate_http_dcv_check_locally("catch.keencs.net", ".well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.txt", "XXXXXX"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 193
eval {...} called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert/DCV.pm line 189
Cpanel::cPStore::HostnameCert::DCV::set_up("-----BEGIN CERTIFICATE REQUEST-----\x{a}XXXXXX"...) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 172
Cpanel::cPStore::HostnameCert::_request_new_certificate(Cpanel::cPStore::HostnameCert=HASH(0x1a33ce0)) called at /usr/local/cpanel/Cpanel/cPStore/HostnameCert.pm line 142
Cpanel::cPStore::HostnameCert::get_hostname_cert_from_store(Cpanel::cPStore::HostnameCert=HASH(0x1a33ce0)) called at bin/checkallsslcerts.pl line 542
bin::checkallsslcerts::_get_certificate_pem_from_store(bin::checkallsslcerts=HASH(0x16420c8)) called at bin/checkallsslcerts.pl line 464
bin::checkallsslcerts::__ANON__() called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x1a34028), Try::Tiny::Catch=REF(0x198cb00)) called at bin/checkallsslcerts.pl line 468
bin::checkallsslcerts::_replace_cert_with_ca_signed_cert_from_cpstore(bin::checkallsslcerts=HASH(0x16420c8), "cpanel") called at bin/checkallsslcerts.pl line 320
bin::checkallsslcerts::_check_notify_and_auto_renew_cert_for_service(bin::checkallsslcerts=HASH(0x16420c8), "cpanel") called at bin/checkallsslcerts.pl line 86
bin::checkallsslcerts::run(bin::checkallsslcerts=HASH(0x16420c8)) called at bin/checkallsslcerts.pl line 50
Any ideas would be appreciated.
Ryan
Based on this the connection over port 80 is being refused: Could not connect to '{FQDN}:80': Connection refused. at /usr/local/cpanel/Cpanel/SSL/DCV.pm line 393.
It's not just AutoSSL either, I can't even reach the site:

curl -kvv catch.youdomain.net
* Trying port 80 failed: Connection refused
* Trying ...
* TCP_NODELAY set
* Connected to catch.keencs.net () port 80 (#0)
> GET / HTTP/1.1
> Host: catch.yourdomain.net
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Length: 9062
< Content-Type: text/html; charset=UTF-8
< Cache-Control: no-cache
< Connection: close
< Proxy-Connection: close
Looking over your connection, it looks like you did reach the site - you received a 403 error, is that correct? I would assume that would be normal for cPanel DNSOnly. Is the issue the refusal over IPv6? Perhaps the Apache web server in cPanel DNSOnly doesn't respond on IPv6 addresses. If that is the case and the DCV script doesn't fall back to IPv4, then I am not sure I can fix this.
After researching further, I think that is the case. It appears the web server that is serving /usr/local/apache/htdocs/ doesn't respond via IPv6. The HTTP DCV process doesn't seem to fall back to IPv4 when the refusal on IPv6 is received. I am searching for the config file to see if I can enable it to listen on IPv6.
It looks like /usr/local/cpanel/cpsrvd is serving the pages. It doesn't appear that service is IPv6 compatible. I am uncertain how to correct this short of removing the IPv6 address from the server. :(
I removed the IPv6 address from the server and the certificate generated without issue. Ideally, I would like to re-enable IPv6 on this server; any solutions or alternative ideas would be appreciated.
I've reviewed both documents and completed all troubleshooting listed; I couldn't identify any problems with IPv6 on this server. I even went so far as to reinstall CentOS and cPanel from scratch and arrived at the same problem. From the server I can ping other IPv6 hosts, I can wget from other IPv6 servers, and I can ping this server via IPv6 without issue. I can't see any IPv6 connectivity problems whatsoever. When looking at my other full cPanel servers, there is a setting in Tweak Settings, "Listen on IPv6 Addresses", that is defaulted to off. This seems to control listening on IPv6. I don't see this setting in cPanel DNSOnly. Perhaps if there is a way to enable this, it would resolve my issue.
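The ping and wget checks above prove the host has IPv6 connectivity, but they do not test the thing the DCV client actually does: fetch http://FQDN/.well-known/pki-validation/TOKEN.txt over whichever address family it picks first. The script below is an added example (not part of this thread and not cPanel's code) that resolves a hostname, fetches the validation path over every A and AAAA address separately, and reports per-family results, so the "AAAA record exists but nothing listens on :80 over IPv6" case is visible as such instead of as a bare "Connection refused". The diagnosis labels, the local IPv4-only test server, the token name and the file contents are all constructed for the example; only the /.well-known/pki-validation/ path layout comes from the thread.

```python
"""Probe a DCV validation URL over each address family separately (constructed example)."""
import http.client
import http.server
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple

DCV_PREFIX = "/.well-known/pki-validation/"   # path layout used in the thread


@dataclass
class ProbeResult:
    family: str            # "IPv4", "IPv6" or "unresolved"
    address: str
    status: Optional[int]  # HTTP status code, or None when no TCP connection was made
    error: Optional[str]


def probe_dcv_url(host: str, path: str, port: int = 80, timeout: float = 5.0) -> List[ProbeResult]:
    """GET `path` from every address `host` resolves to, one address at a time.

    Unlike a client that stops at the first refused address, this records the
    outcome for each family so a v6-only failure stands out next to a v4 success.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [ProbeResult("unresolved", host, None, str(exc))]
    results: List[ProbeResult] = []
    seen = set()
    for family, _, _, _, sockaddr in infos:
        addr = sockaddr[0]
        if addr in seen:
            continue
        seen.add(addr)
        fam = "IPv6" if family == socket.AF_INET6 else "IPv4"
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
        try:
            # Send the FQDN as Host so name-based vhosts answer as they would for the CA.
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            resp.read()
            results.append(ProbeResult(fam, addr, resp.status, None))
        except OSError as exc:  # ECONNREFUSED, timeout, unreachable network, ...
            results.append(ProbeResult(fam, addr, None, str(exc)))
        finally:
            conn.close()
    return results


def diagnose(results: List[ProbeResult]) -> str:
    """Map per-family outcomes to the failure modes that matter for DCV (labels are constructed)."""
    served = {r.family for r in results if r.status == 200}
    refused = {r.family for r in results if r.status is None}
    if not served:
        return "unreachable"                 # no address returns the token file
    if "IPv6" in refused:
        return "ipv6-listener-missing"       # AAAA published, nothing on :80 over v6: no-fallback clients fail
    if "IPv4" in refused:
        return "ipv4-listener-missing"
    return "reachable-on-all-addresses"


def start_local_dcv_server(token: str, body: bytes) -> Tuple[http.server.HTTPServer, int]:
    """Serve one validation file on 127.0.0.1 only (constructed IPv4-only stand-in); returns (server, port)."""
    target = DCV_PREFIX + token + ".txt"

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != target:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_tcp_port() -> int:
    """Bind-and-release to find a port nothing listens on (reproduces the 'refused' case locally)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN"
    server, port = start_local_dcv_server(token, b"example-dcv-content\n")
    # "localhost" usually resolves to both ::1 and 127.0.0.1; the server only listens on
    # 127.0.0.1, so the IPv6 row shows the same refusal the cPanel DCV log reported.
    for host in ("127.0.0.1", "localhost"):
        res = probe_dcv_url(host, DCV_PREFIX + token + ".txt", port=port, timeout=2)
        for r in res:
            print(f"{host:10} {r.family:5} {r.address:20} status={r.status} error={r.error}")
        print("diagnosis:", diagnose(res))
    server.shutdown()
```

Against a real server, call probe_dcv_url(fqdn, DCV_PREFIX + token + ".txt") with the token file name from the checkallsslcerts output; a result of ipv6-listener-missing means the fix is either a service that listens on the AAAA address or, as done in this thread, not publishing the AAAA record for the hostname until it does.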
Also, I see there are several feature requests for enabling IPv6 for these services... Are you certain this should be working?