AutoSSL no longer working with Cloudflare

Comments

12 comments

  • cPRex Jurassic Moderator
    Hey there! Can you let me know what entries you're seeing in the log? Just make sure to remove any public domains for security reasons.
    0
  • dstana
    Hey there! Can you let me know what entries you're seeing in the log? Just make sure to remove any public domains for security reasons.

    Here's the log:

    Log for the AutoSSL run for "user": Wednesday, February 23, 2022 9:06:58 AM GMT-0700 (cPanel (powered by Sectigo))
    9:06:58 AM AutoSSL's configured provider is "cPanel (powered by Sectigo)".
    This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
    Analyzing "user"'s domains …
    9:06:58 AM Analyzing "domain" (website) …
    9:06:58 AM TLS Status: Ready for Renewal
    WARN Certificate expiry: 3/3/22, 12:00 AM UTC (7.33 days from now)
    9:06:58 AM Attempting to ensure the existence of necessary CAA records …
    9:06:58 AM No CAA records were created.
    9:06:58 AM Verifying 8 domains' management status …
    Verifying "cPanel (powered by Sectigo)"'s authorization on 8 domains via DNS CAA records …
    9:06:58 AM "webdisk.domain" is managed.
    "cpanel.domain" is managed.
    "mail.domain" is managed.
    "www.domain" is managed.
    "domain" is managed.
    "webmail.domain" is managed.
    "cpcontacts.domain" is managed.
    "cpcalendars.domain" is managed.
    All of this user's 8 domains are managed.
    CA authorized: "domain"
    CA authorized: "www.domain"
    CA authorized: "webdisk.domain"
    CA authorized: "webmail.domain"
    CA authorized: "mail.domain"
    9:06:59 AM CA authorized: "cpcalendars.domain"
    CA authorized: "cpanel.domain"
    CA authorized: "cpcontacts.domain"
    "cPanel (powered by Sectigo)" is authorized to issue certificates for 8 of this user's 8 domains.
    9:06:59 AM Performing HTTP DCV (Domain Control Validation) on 8 domains …
    9:06:59 AM WARN Local HTTP DCV error (domain): The system queried for a temporary file at "http://domain/.well-known/pki-validation/8689F67E995C9C4B36F273168C851F63.txt", but the web server responded with the following error: 502 (Bad Gateway). A DNS (Domain Name System) or web server misconfiguration may exist. The domain "domain" resolved to an IP address "104.21.76.183" that does not exist on this server.
    Local HTTP DCV OK: www.domain
    WARN Local HTTP DCV error (mail.domain): The system failed to fetch the DCV (Domain Control Validation) file at "http://mail.domain/.well-known/pki-validation/CD018EAC09228C662865FD0E9D15514F.txt" because of an error (cached): Could not connect to '2606:4700:3036:0000:0000:0000:6815:4cb7:80': Network is unreachable.
    Local HTTP DCV OK: cpanel.domain
    Local HTTP DCV OK: webdisk.domain
    Local HTTP DCV OK: webmail.domain
    Local HTTP DCV OK: cpcontacts.domain
    Local HTTP DCV OK: cpcalendars.domain
    9:06:59 AM Verifying local authority for 2 domains …
    9:06:59 AM No local authority: "domain"
    No local authority: "mail.domain"
    9:06:59 AM No local DNS DCV is necessary.
    9:06:59 AM Processing "user"'s local DCV results …
    9:06:59 AM Analyzing "domain"'s DCV results …
    9:06:59 AM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
    9:06:59 AM The system has completed "user"'s AutoSSL check.
    0
  • cPRex Jurassic Moderator
    Thanks for that - if you place a file in the /home/username/public_html/.well-known/pki-validation directory, are you able to visit that normally in a browser outside of the AutoSSL check tool? Just visiting it in a browser would let us know if the issue is with the site configuration, DNS, or AutoSSL.
    0
  • dstana
    Thanks for that - if you place a file in the /home/username/public_html/.well-known/pki-validation directory, are you able to visit that normally in a browser outside of the AutoSSL check tool? Just visiting it in a browser would let us know if the issue is with the site configuration, DNS, or AutoSSL.

    Yep, works just fine. I did notice that directory was empty though, usually there's some files in there from AutoSSL doing its thing. Could that be the issue?
    0
  • cPRex Jurassic Moderator
    That likely is not related - in more recent versions of AutoSSL, we remove the temporary files after the check completes so they don't just linger forever. Could you open a ticket with our team so we can check that on our side? It seems odd that a normal browser request would work but AutoSSL can't.
    0
  • dstana
    Request opened.
    0
  • cPRex Jurassic Moderator
    Great - do you have that ticket number?
    0
  • elmister
    Did you resolve the issue? I'm having the same issue with other domains using Cloudflare. When trying to validate the SSL for mail.domain.com, it fails, resolving with a different IP than the one configured in Cloudflare:

    ADVERTENCIA Local HTTP DCV error (mail.vinilos.info): The system failed to fetch the DCV (Domain Control Validation) file at " because of an error (cached): Could not connect to '2606:4700:3032:0000:0000:0000:ac43:b8cd:80': Network is unreachable.

    In Cloudflare, the subdomain mail is not pointing to 2606:4700:3032:0000:0000:0000:ac43:b8cd and it's not resolving to that IP in my tests.
    0
  • Regs
    Did you resolve the issue? I'm having the same issue with other domains using Cloudflare. When trying to validate the SSL for mail.domain.com, it fails, resolving with a different IP than the one configured in Cloudflare:

    ADVERTENCIA Local HTTP DCV error (mail.vinilos.info): The system failed to fetch the DCV (Domain Control Validation) file at " because of an error (cached): Could not connect to '2606:4700:3032:0000:0000:0000:ac43:b8cd:80': Network is unreachable.

    In Cloudflare, the subdomain mail is not pointing to 2606:4700:3032:0000:0000:0000:ac43:b8cd and it's not resolving to that IP in my tests.

    Having the exact same issue here :(
    0
  • cPRex Jurassic Moderator
    Can you run this command to see what IP address gets returned for the domain in question?

    /scripts/cpdig domain.com A
    0
  • elmister
    # /scripts/cpdig domain.info A
    172.67.184.x
    104.21.76.x    << both are cloudflare ips
    [root@servidor ~]# /scripts/cpdig mail.domain.info A
    X.X.X.X.    server IP, not hidden by cloudflare
    # /scripts/cpdig mail.domain.info AAAA
    nothing for last command, no answer
    0
  • cPRex Jurassic Moderator
    That's interesting - I'm afraid I don't have much else to provide from my end, so it might be best if our team checked out that server directly. Could you submit a support ticket?
    0
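
A triage helper for the AutoSSL logs posted in this thread, added here as an example (it is not cPanel's code and not from any poster): it extracts each failed local HTTP DCV entry and reports the address the check actually tried, its IP family, the HTTP status or connect error, and whether the log marked the result as cached. The function name, field names and placeholder file names are assumptions; the sample text is constructed from the log lines above.

```python
import ipaddress
import re

# Constructed sample: three DCV entries shaped like those in the thread's log
# (redacted hostnames as posted; validation file names replaced by a placeholder).
SAMPLE_LOG = (
    '9:06:59 AM WARN Local HTTP DCV error (domain): The system queried for a '
    'temporary file at "http://domain/.well-known/pki-validation/PLACEHOLDER.txt", '
    'but the web server responded with the following error: 502 (Bad Gateway). '
    'A DNS (Domain Name System) or web server misconfiguration may exist. '
    'The domain "domain" resolved to an IP address "104.21.76.183" that does '
    'not exist on this server.\n'
    'Local HTTP DCV OK: www.domain\n'
    'WARN Local HTTP DCV error (mail.domain): The system failed to fetch the DCV '
    '(Domain Control Validation) file at '
    '"http://mail.domain/.well-known/pki-validation/PLACEHOLDER.txt" because of an '
    "error (cached): Could not connect to "
    "'2606:4700:3036:0000:0000:0000:6815:4cb7:80': Network is unreachable.\n"
)

MARKER = re.compile(r'Local HTTP DCV (?:OK: \S+|error \((?P<host>[^)]+)\):)')
HTTP_STATUS = re.compile(r'responded with the following error: (\d{3})')
FOREIGN_IP = re.compile(r'resolved to an IP address "([^"]+)" that does not exist')
CONNECT = re.compile(r"Could not connect to '([^']+)': ([^.]+)\.")

def dcv_failures(log_text):
    """One dict per host whose local HTTP DCV failed; works on flattened logs too."""
    marks = list(MARKER.finditer(log_text))
    rows = []
    for i, m in enumerate(marks):
        if m.group('host') is None:          # "Local HTTP DCV OK" entry
            continue
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log_text)
        detail = log_text[m.end():end]       # text belonging to this error only
        status, foreign, conn = (rx.search(detail) for rx in (HTTP_STATUS, FOREIGN_IP, CONNECT))
        ip = foreign.group(1) if foreign else None
        if conn:                             # target is logged as "<address>:<port>"
            ip = conn.group(1).rpartition(':')[0]
        try:
            family = ipaddress.ip_address(ip).version if ip else None
        except ValueError:                   # redacted or malformed address
            family = None
        rows.append({'host': m.group('host'), 'ip': ip, 'family': family,
                     'http_status': int(status.group(1)) if status else None,
                     'connect_error': conn.group(2) if conn else None,
                     'cached': '(cached)' in detail})
    return rows
```

Comparing each reported `ip` and `family` with what `/scripts/cpdig <host> A` and `/scripts/cpdig <host> AAAA` return shows whether a failure matches current DNS answers.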
