
Questions about AutoSSL

Comments

26 comments

  • cPanelMichael
    Hello,
    The plugins now support the proxy subdomains, right? cpanel.example.com, whm.example.com, etc, etc?

    Yes, that's correct. Proxy subdomains are included with the domain names secured with the AutoSSL feature as of cPanel version 64.
    From what I've read, the current AutoSSL implementations don't generate an SSL certificate for the hostname. But maybe the documentation is now incorrect? Do they generate SSL certificates for the hostname?

    Yes, but it's only supported with Comodo (not Let's Encrypt): Free cPanel-Signed Hostname Certificate - cPanel Knowledge Base - cPanel Documentation
    Are there config files somewhere on the hard drive that I can modify, much like the Apache templates or something like that? To fine tune the SSL certificates?

    It's not possible to configure AutoSSL features such as OCSP requirements or key size. I encourage you to open a feature request if you'd like to see that functionality added:
    0
  • Spork Schivago
    Hello, ... It's not possible to configure AutoSSL features such as OCSP requirements or key size. I encourage you to open a feature request if you'd like to see that functionality added: Submit A Feature Request Thank you.

    Is OCSP enabled though when I use the Comodo provider? I see stuff in the /etc/apache2/conf/httpd.conf file that checks if the certificate is stapled, and if it is, it configures certain options. To me, this would imply that those Comodo certificates are being stapled. Is that not the case? Also, in my /etc/apache2/conf/httpd.conf, I see a virtual host entry for hostname.example.com, for port 80, but none for port 443. Is that normal? To get Let's Encrypt to work, I've had to manually create the virtualhost entries for the hostname in the post_virtualhost_global.conf file, for ports 80 and 443. I would have thought because cPanel creates an entry for the hostname on port 80, it should be creating one for port 443 as well. Makes me think something's wrong. What size are the keys going to be? Does it depend on different conditions or will they always be a certain size (ie, 1024 bits)? I'm okay with a size 2048 bits or higher, but I don't want to go any less. Thanks!
    0
  • cPanelMichael
    What size are the keys going to be? Does it depend on different conditions or will they always be a certain size (ie, 1024 bits)? I'm okay with a size 2048 bits or higher, but I don't want to go any less.

    They are setup using 2048-bit keys. It's not possible to change this at this time, but we do have a feature request open for a 4096-bit option at: AutoSSL with 4096 bit option
    Also, in my /etc/apache2/conf/httpd.conf, I see a virtual host entry for hostname.example.com, for port 80, but none for port 443. Is that normal? To get Let's Encrypt to work, I've had to manually create the virtualhost entries for the hostname in the post_virtualhost_global.conf file, for ports 80 and 443. I would have thought because cPanel creates an entry for the hostname on port 80, it should be creating one for port 443 as well. Makes me think something's wrong.

    This is the expected behavior. The free cPanel-signed SSL certificate for the server's hostname is not installed for Apache. You can manually install the hostname's certificate to Apache using the following option: "WHM Home " SSL/TLS "Install an SSL Certificate on a Domain"
    Is OCSP enabled though when I use the Comodo provider? I see stuff in the /etc/apache2/conf/httpd.conf file that checks if the certificate is stapled, and if it is, it configures certain options. To me, this would imply that those Comodo certificates are being stapled. Is that not the case?

    Yes, however keep in mind it's the web browser itself (e.g. Firefox) that directly connects to the OCSP server. Here's a recent thread where this resulted in a slight issue due to a Comodo outage: Comodo OCSP Outage Thank you.
    0
  • Spork Schivago
    Thank you @cPanelMichael! I think I'm going to make the switch then to the AutoSSL. I feel it's about time. It's been very cumbersome manually creating the Let's Encrypt certificates. I've tried automating it as best I can, but something will change with cPanel or Let's Encrypt, and things break, then I have to figure out what broke and why it broke. If this AutoSSL works as well as I think it will, it'll be a headache I can forget about. I still have one last question. I'm getting a developers license and I'm going to have cPanel installed at my house, on my server, in the basement. On my production server (that has a paid-for license), I'm going to configure the DNS server to point one of the subdomains to my server in the basement (git.example.com). I shouldn't have any trouble using the AutoSSL feature on both cPanel installations, correct? On the development server, it'll just check to see what IP address belongs to git.example.com, and so long as it matches the machine it's running on, it should be able to create a certificate just fine? Thanks!
    0
  • cPanelMichael
    I still have one last question. I'm getting a developers license and I'm going to have cPanel installed at my house, on my server, in the basement. On my production server (that has a paid-for license), I'm going to configure the DNS server to point one of the subdomains to my server in the basement (git.example.com). I shouldn't have any trouble using the AutoSSL feature on both cPanel installations, correct? On the development server, it'll just check to see what IP address belongs to git.example.com, and so long as it matches the machine it's running on, it should be able to create a certificate just fine?

    AutoSSL would work in this scenario as long as the domain name resolves to the IP address associated with the cPanel server it's added to. For the "git" subdomain, you'd want to exclude it from the AutoSSL feature on the production server using the following option (available as of cPanel 66): 66 Release Notes - Version 66 Documentation - cPanel Documentation The "git" subdomain could receive the AutoSSL certificate on the cPanel server it's hosted on. Thank you.
    0
  • Spork Schivago
    @cPanelMichael,
    EDIT: I have made the transition to AutoSSL but am still having some issues. This was a long post and most of the questions in it I have now found answers to. The next post shows the only troubles I'm having.
    I'm having trouble with the migration a bit. I think it's because I'm on the preloading list. So I log into my server via SSH and I run:
    mkdir -p /root/backup/etc
    cp -pR /etc/letsencrypt /root/backup/etc
    root@franklin:[/etc/letsencrypt]# rm -rf /etc/letsencrypt/live/www.example.com
    root@franklin:[/etc/letsencrypt]# rm -rf /etc/letsencrypt/renewal/www.example.com.conf
    root@franklin:[/etc/letsencrypt]# rm -rf /etc/letsencrypt/archive/www.example.com
    Then I log into WHM and turn on AutoSSL. I then reset the SSL certificates under Manage Service SSL Certificates. My server shows it's still using the Let's Encrypt certificates. So, I go into WHM -> Manage SSL Hosts and I delete the SSL hosts. It takes forever. Some go through eventually, saying they've been deleted, some error out about some lock file or something. Anyway, I go back to the SSH server and I run:
    root@franklin:[/scripts]# ./ssl_crt_status --verbose
    [info] SSL root: /etc/ssl
    Ok: franklin.example.com SSL crt verified
    Ok: ipv4.example.com SSL crt verified
    Ok: ipv6.example.com SSL crt verified
    Ok: example.com SSL crt verified
    When I go to WHM -> Manage Service SSL Certificates I see I'm using self-signed certificates for the services. But when I browse for an SSL certificate, I still see the valid Let's Encrypt certificate listed under user sporkschivago. How do I go about removing that certificate completely, so it doesn't show up under there? I try to run the AutoSSL again, and now I see in the log these warnings:
    [2017-08-22T20:55:26Z] The domain "www.example.com" failed domain control validation: The system failed to fetch the DCV file at "http://www.example.com/.well-known/pki-validation/830CF2A6C037482584B0160B4D1761F8.txt" because of an error: The system failed to send an HTTP "GET" request to "http://www.example.com/.well-known/pki-validation/830CF2A6C037482584B0160B4D1761F8.txt" because of an error: Could not connect to 'www.example.com:80': Connection refused
    ....
    [2017-08-22T20:51:00Z] The domain "webmail.example.com" failed domain control validation: The system failed to fetch the DCV file at "http://webmail.example.com/.well-known/pki-validation/45C9DF99696CABE2C33722B7C313EE38.txt" because of an error: The system failed to send an HTTP "GET" request to "http://webmail.example.com/.well-known/pki-validation/45C9DF99696CABE2C33722B7C313EE38.txt" because of an error: Could not connect to 'webmail.example.com:80': Connection refused
    This is what my .htaccess file looks like in /home/sporkschivago/public_html
    # Tell the browser to check for index.html and index.php, in that order.
    # if either exist, load that file by default.
    DirectoryIndex index.php index.html
    # Turn off caching for Google Chrome.
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, post-check=0, pre-check=0"
    Header set Pragma "no-cache"
    Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    # Add P3P Privacy Headers to the site (this causes infinite redirects for some reason).
    # Header set P3P "policyref="/w3c/p3p.xml""
    # Turn RewriteMod on.
    RewriteEngine On
    # Allow .well-known through for Comodo.
    RewriteCond %{REQUEST_URI} !^/\.well\-known/pki-validation/
    # Redirect all other users to the https version of our website,
    # because we have SSL certs now.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
    # php -- BEGIN cPanel-generated handler, do not edit
    # NOTE this account's php is controlled via FPM and the vhost, this is a place holder.
    # Do not edit. This next line is to support the cPanel php wrapper (php_cli).
    # AddType application/x-httpd-ea-php71 .php .phtml
    # php -- END cPanel-generated handler, do not edit
    Any ideas what's going wrong here? I thought WHM would have modified my .htaccess file. I checked Tweak Settings to make sure the option that prevents modification of users .htaccess files wasn't turned on, and it's turned off. So it should be modifying the .htaccess file... **EDIT: I just noticed Apache2 is no longer running. So I check and see this:
    systemctl status httpd -l
    SSLCertificateFile: file '/var/cpanel/ssl/cpanel/mycpanel.pem' does not exist or is empty
    It was because of my post_virtualhost_global.conf, so I fixed that and got Apache running again. How can I manually generate those AutoSSL certs from the SSH shell? Thanks!
    0
  • Spork Schivago
    Okay, I got further....but still having some issues. I can generate the SSL certificates using WHM now, or using a remote SSH shell by running:
    /usr/local/cpanel/bin/autossl_check --all
    I can now log into WHM, webmail, etc. I see in cPanel though, under cpanel -> SSL/TLS Status, that almost all the subdomains / proxies are now using the AutoSSL certificate...except for one: ipv6.example.com, which has no A record, just an AAAA record. Not sure how to generate an AutoSSL certificate for a subdomain with just an AAAA record. I can't create an A record for that domain, because it's supposed to only have an AAAA record. I also see there's no certificate for cpcontacts.example.com and cpcalendars.example.com. So I'm missing three cPanel signed certificates, for these subdomains:
    cpcontacts cpcalendars ipv6
    How does the /usr/local/cpanel/bin/autossl_check binary determine what domains / subdomains to generate certificates for? Where does it obtain the list? I don't think it's grabbing it from /var/named/example.com.db's zone file. If it was, it'd be generating a certificate for git.example.com. I don't want it to generate a certificate for git.example.com, because I'm eventually going to point it to my server in the basement, but right now, git.example.com points to the same IP address as example.com. AutoSSL generates a certificate for example.com, but not git.example.com....

    Also, I now, for whatever reason, have two certificates. There's a separate certificate for ipv4.example.com. This I don't think is right. I think it should have generated one big certificate for all of the domains / subdomains. What's a bit odder (and I think maybe a bug), under WHM -> Manage SSL Hosts, it lists ipv4.example.com, but it lists it twice, one with the IPv4 address, one with the IPv6 address. There's no AAAA record for ipv4.example.com, so not sure why cPanel thinks it's bound to an IPv6 address.

    I have that Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) enabled in Tweak Settings. I create a test file, /home/sporkschivago/public_html/.well-known/pki-validation/test.txt, and I try to visit it using curl:
    curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://ipv6.example.com/.well-known/pki-validation/test.txt
    It displays the test file...if I disable my .htaccess rewrite command that allows .well-known/pki-validation stuff through without redirecting it to the secure version of my site, the DCV in /etc/apache2/conf/httpd.conf doesn't seem to work. It gets redirected to port 443. This is what I see with my rewrite rule disabled:
    curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://ipv6.example.com/.well-known/pki-validation/test.txt
    301 Moved Permanently
    Moved Permanently
    The document has moved here.

    # With my rewrite rule enabled:
    curl --user-agent "COMODO DCV" --insecure --max-time 10 --retry 0 http://ipv6.example.com/.well-known/pki-validation/test.txt
    just a test.

    It seems that the autossl_check binary is only looking for the IPv4 address. I'm not sure where it's pulling this address from, but I suspect it might be with one of those userdata files....for whatever reason, that contains an IPv4 address for ipv6.example.com, and I cannot figure out how to remove it (without it coming back whenever the userdata files are rebuilt).
    0
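The two DCV failures in the posts above (port 80 refusing connections, then the .htaccess http-to-https rule redirecting the validator away from the token file) can be reproduced before AutoSSL runs. The script below is an added example, not cPanel's or the poster's code. It assumes the validator behaves the way the thread's log and curl tests show it: a single plain-HTTP GET of /.well-known/pki-validation/<token>.txt with the user agent "COMODO DCV", where any redirect or non-200 answer is a failure. The hosts, tokens and responses in SCRIPTED are constructed from the thread's log lines so the script can run offline; the real `http_fetch` is used when domains are passed on the command line.

```python
"""AutoSSL DCV reachability check (added example; not cPanel's code).

Performs the same single GET the validator does, with the "COMODO DCV"
user agent, and deliberately does NOT follow redirects, so a blanket
http->https rewrite is reported as "redirected" rather than silently
followed, and a closed port 80 is reported as "unreachable".
"""
import sys
import http.client
from urllib.parse import urlsplit

DCV_USER_AGENT = "COMODO DCV"            # user agent seen in the thread's curl tests
DCV_PREFIX = "/.well-known/pki-validation/"


def http_fetch(url, timeout=10):
    """One plain-HTTP GET with no redirect following.

    Returns (status, headers, body) with header names lower-cased.
    Raises OSError (connection refused, timeout, DNS failure), which is
    what the validator logs as "Could not connect to '<host>:80'".
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"User-Agent": DCV_USER_AGENT, "Host": parts.hostname})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, resp.read()
    finally:
        conn.close()


def dcv_url(domain, token):
    return "http://%s%s%s.txt" % (domain, DCV_PREFIX, token)


def check_dcv(domain, token, expected_body, fetch=http_fetch):
    """Classify what the validator would see. Returns (verdict, detail)."""
    url = dcv_url(domain, token)
    try:
        status, headers, body = fetch(url)
    except OSError as exc:
        return "unreachable", "%s: %s" % (url, exc)
    if 300 <= status < 400:
        # A redirect (e.g. the http->https rule without the pki-validation
        # exclusion) means the token file is never served on port 80.
        return "redirected", headers.get("location", "")
    if status != 200:
        return "http_%d" % status, url
    if body.strip() != expected_body.strip():
        return "content_mismatch", body[:80].decode("ascii", "replace")
    return "ok", url


def check_all(domains, token, expected_body, fetch=http_fetch):
    """Run check_dcv over several names; returns {domain: (verdict, detail)}."""
    return {d: check_dcv(d, token, expected_body, fetch) for d in domains}


# Constructed responses mirroring the thread: port 80 refused on webmail,
# a blanket http->https redirect on www, the passthrough working on ipv6.
SCRIPTED = {
    "webmail.example.com": ConnectionRefusedError("Connection refused"),
    "www.example.com": (301, {"location": "https://www.example.com{path}"}, b""),
    "ipv6.example.com": (200, {"content-type": "text/plain"}, b"just a test.\n"),
}


def scripted_fetch(url):
    """Offline stand-in for http_fetch, driven by SCRIPTED."""
    parts = urlsplit(url)
    entry = SCRIPTED.get(parts.hostname, ConnectionRefusedError("Connection refused"))
    if isinstance(entry, Exception):
        raise entry
    status, headers, body = entry
    return status, {k: v.format(path=parts.path) for k, v in headers.items()}, body


if __name__ == "__main__":
    # python3 dcv_check.py <token> <expected body> domain [domain ...]
    # (create public_html/.well-known/pki-validation/<token>.txt first), or
    # python3 dcv_check.py --demo to run against the scripted responses.
    if sys.argv[1:] in ([], ["--demo"]):
        results = check_all(sorted(SCRIPTED), "test", b"just a test.", fetch=scripted_fetch)
    else:
        token, body, names = sys.argv[1], sys.argv[2].encode(), sys.argv[3:]
        results = check_all(names, token, body)
    for name, (verdict, detail) in results.items():
        print("%-22s %-17s %s" % (name, verdict, detail))
```

Run it against every name AutoSSL will try (the bare domain, www, cpanel, webmail, webdisk, and whm for resellers) after writing a known token file; anything other than "ok" is what the AutoSSL log will report as a DCV failure.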
  • cPanelMichael
    Hello, Could you verify which version of cPanel is installed on this system? Thank you.
    0
  • Spork Schivago
    66.0.14 for cPanel. Centos 7.3.1611 (Core) for the OS, running inside KVM.
    0
  • Spork Schivago
    This is the output of autossl_check --all
    ./autossl_check --all
    This system has AutoSSL set to use "cPanel (powered by Comodo)".
    Checking websites for "sporkschivago"
    The website "ipv6.example.com", owned by "sporkschivago", has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
    The domain "ipv6.example.com" failed domain control validation: "ipv6.example.com" does not resolve to any IPv4 addresses on the internet.
    The system has completed the AutoSSL check for "sporkschivago".
    The system has finished checking 1 user.
    This makes me think AutoSSL doesn't support IPv6 only sub-domains / domains.
    0
  • Spork Schivago
    Could someone run a simple test for me? Create a subdomain, with just an AAAA record, and no A record, then see if they can generate an SSL certificate for it, using AutoSSL with Comodo as the provider? I read a post about a place where they're only assigned IPv6 addresses. I'm thinking this might be an issue with AutoSSL not assigning certificates for IPv6 only domains / subdomains. Thanks.
    0
  • cPanelMichael
    This makes me think AutoSSL doesn't support IPv6 only sub-domains / domains.

    Hello, This is correct. IPv6-only domain names (or subdomains) are not currently supported with the AutoSSL feature. You'd have to setup a temporary "A" record that resolves to an IPv4 address to allow the domain validation process to succeed. Once it succeeds, you can remove the "A" record until the next AutoSSL renewal attempt. Thank you.
    0
  • Spork Schivago
    Is there any way to use iptables to block the transmission control protocol for IPv4 addresses for that subdomain? Maybe just allow Comodo addresses through, so I don't have to create the A address each time AutoSSL renews? Also, is IPv6 only support being planned to be added, or should I submit that as a feature request? Thanks cPanelMichael.
    0
  • Spork Schivago
    Maybe something like this?
    iptables -A INPUT -d ipv6.example.com -m state --state INVALID -j DROP
    iptables -A INPUT -d ipv6.example.com -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -d ipv6.example.com -j ACCEPT
    iptables -A INPUT -d ipv6.example.com -s -j ACCEPT   # Comodo source address left blank in the original post
    iptables -A INPUT -d ipv6.example.com -j DROP        # Drop everything we don't accept (-P takes no -d match, so this is an appended rule)
    Would something like this work? I wonder if I could use just the last two lines there:
    iptables -A INPUT -d ipv6.example.com -s -j ACCEPT   # Comodo source address left blank in the original post
    iptables -A INPUT -d ipv6.example.com -j DROP        # Drop everything we don't accept
    ConfigServer Firewall generally handles the ipv4 firewall and the ipv6 firewall. Obviously, I'd have to insert these rules at the beginning of the chain. Because I'm not touching the IPv6 table at all, IPv6 connections should still be allowed, but any IPv4 connection not coming from Comodo should be dropped, right?
    0
  • cPanelMichael
    Hello, Yes, I recommend opening a new feature request to allow IPv6-only support with the AutoSSL feature. As far as the workaround, here's the command you can run from the cPanel server to determine if the domain name resolves to a valid IPv4 address:
    /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots::Resolver->new(debug => 1)->recursive_query("domain.tld","A"));'
    As long as you can get the correct IPv4 address with this command from the cPanel server, and Comodo's IP addresses can access the domain name, then domain validation should succeed. Thank you.
    0
  • Spork Schivago
    Thank you, but are my iptables commands good to block IPv4 traffic to and from the server for everyone who isn't Comodo? I use the ipv6 only subdomains a lot of times when I need to make sure the software I'm using at home is using an IPv6 address, and not accidentally falling back to IPv4, without me knowing. Do you think those IPv4 iptables commands will work? The 2nd one, to me, seems like it'd block traffic to ipv6.mydomain.com for everyone, regardless of the type of connection, except for comodo, or if it's coming from an IPv6 address, then, the ipv6 iptables chain comes through...
    0
  • Spork Schivago
    Well, this sucks. If I'm understanding the level two technician correctly, AutoSSL does not support whm, cpcontacts, and cpcalendars proxy subdomains. This cannot be correct. I can understand the cpcontacts and cpcalendars I guess, but whm? Surely I must be misunderstanding the technician. Here's the ticket number, @cPanelMichael, 8812401. Maybe I'm misunderstanding him? Surely, other people are having certificates generated for whm.theirdomain.com, aren't they? I cannot see why we'd have valid certs generated for only cpanel, webdisk, and webmail. That just doesn't make sense to me.
    0
  • Spork Schivago
    Well, the level 2 tech thinks we might be right and whm should be included in the AutoSSL provisioning process. He's now escalated me to a level 3 tech. I have some ideas on how to fix the issue, but I don't want to mess things up while they're working. I asked the level 2 tech if I could try some things while we wait for the level 3 tech.
    0
  • Spork Schivago
    We know what's going on now. I had no idea there was a hurricane, I don't get much time to watch TV, let alone the news channel, anymore. I am so sorry and I hope everyone down there is okay. Please let me know if there's anything I can do to help you guys.
    0
  • Spork Schivago
    It seems the iptables rules didn't work. Even though I specified -d ipv6.mydomain.com, when I list the tables, it seems iptables looks at ipv6.mydomain.com as franklin.mydomain.com. It cannot tell the difference. So when I setup the iptables rules to block IPv4 traffic to ipv6.mydomain.com, it blocks it for all the cPanel services, franklin (the hostname), etc. Looks like there might not be a way to block ipv4 traffic to ipv6.mydomain.com, without removing the A rule from the DNS zone, but then AutoSSL won't work. There's already a feature request for cPanel to support IPv6 only addresses, because in some countries, I guess IPv6 addresses are the only ones they can get. It's been there for a while, and doesn't look like it's going to get implemented anytime soon. So we'll just have to wait until it gets implemented. I understand cPanel is extremely busy, and I understand that this probably isn't on their top list of things to do. Thanks for the help.
    0
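Two points settled above are worth checking mechanically before each AutoSSL run: cPanelMichael's statement that DCV only works when the name resolves to an IPv4 address on the cPanel server it is added to (so an AAAA-only name, or git.example.com once it points at the basement box, fails), and the iptables result in the last post, where `-d ipv6.example.com` ended up matching the hostname because iptables resolves a name to addresses when the rule is loaded and the two names share one IPv4 address. The script below is an added example, not cPanel's code; the zone data and the 203.0.113.10 / 198.51.100.7 / 2001:db8::10 addresses are constructed (documentation ranges), the `SERVER_IPV4S` set is an assumed list of addresses bound on the server, and `system_resolver` is the drop-in for real lookups.

```python
"""AutoSSL DNS preflight (added example; not cPanel's code).

  1. dcv_preflight: AutoSSL's domain control validation only uses IPv4
     ("does not resolve to any IPv4 addresses"), so an AAAA-only name
     fails before any HTTP fetch, and the A record must point at the
     cPanel server that owns the account.
  2. iptables_dst_collisions: `iptables -d <hostname>` is resolved to
     addresses when the rule is loaded; every other name on the same
     IPv4 address is matched by the same rule, so a DROP on one of them
     drops all of them.
Lookups go through an injectable resolver so the sample runs offline.
"""
import socket

# Constructed zone data (RFC 5737 / RFC 3849 documentation addresses):
# "before" has ipv6.example.com AAAA-only, "after" adds the temporary
# A record needed for DCV. git.example.com already points elsewhere.
ZONE_IPV6_ONLY = {
    ("franklin.example.com", socket.AF_INET):  ["203.0.113.10"],
    ("franklin.example.com", socket.AF_INET6): ["2001:db8::10"],
    ("example.com",          socket.AF_INET):  ["203.0.113.10"],
    ("ipv4.example.com",     socket.AF_INET):  ["203.0.113.10"],
    ("ipv6.example.com",     socket.AF_INET6): ["2001:db8::10"],
    ("git.example.com",      socket.AF_INET):  ["198.51.100.7"],
}
ZONE_WITH_TEMP_A = dict(ZONE_IPV6_ONLY)
ZONE_WITH_TEMP_A[("ipv6.example.com", socket.AF_INET)] = ["203.0.113.10"]

SERVER_IPV4S = {"203.0.113.10"}   # assumed: IPv4 addresses bound on this cPanel server


def make_resolver(zone):
    """Resolver over a static dict: (name, family) -> list of addresses."""
    return lambda name, family: list(zone.get((name, family), []))


def system_resolver(name, family):
    """Real DNS via getaddrinfo; [] when the name has no record of that family."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, family)})
    except socket.gaierror:
        return []


def dcv_preflight(name, server_ipv4s, resolve):
    """Reproduce AutoSSL's IPv4-only precondition. Returns (ok, reason)."""
    a = resolve(name, socket.AF_INET)
    if not a:
        why = "only AAAA" if resolve(name, socket.AF_INET6) else "no records"
        return False, '"%s" does not resolve to any IPv4 addresses (%s)' % (name, why)
    foreign = [ip for ip in a if ip not in server_ipv4s]
    if foreign:
        # This server cannot validate a name served elsewhere: exclude it from
        # AutoSSL here and let the server that hosts it obtain the certificate.
        return False, '"%s" resolves to %s, not to this server' % (name, ", ".join(foreign))
    return True, '"%s" -> %s' % (name, ", ".join(a))


def iptables_dst_collisions(name, other_names, resolve):
    """Names whose IPv4 addresses overlap with `name`: an `iptables -d name`
    rule, once resolved, matches traffic for every one of them as well."""
    mine = set(resolve(name, socket.AF_INET))
    return sorted(o for o in other_names
                  if o != name and mine & set(resolve(o, socket.AF_INET)))


if __name__ == "__main__":
    for label, zone in (("AAAA-only", ZONE_IPV6_ONLY), ("temporary A", ZONE_WITH_TEMP_A)):
        r = make_resolver(zone)
        print("== %s ==" % label)
        for n in ("example.com", "ipv6.example.com", "git.example.com"):
            print("  preflight %-18s %s" % (n, dcv_preflight(n, SERVER_IPV4S, r)[1]))
        print("  -d ipv6.example.com also matches:",
              iptables_dst_collisions("ipv6.example.com",
                                      ["franklin.example.com", "ipv4.example.com"], r))
```

Swap `make_resolver(zone)` for `system_resolver` to run the same checks against live DNS; a non-empty collision list is the condition under which a destination-based IPv4 block cannot be scoped to one name, which is why the rules in the earlier post took the hostname down with them.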
  • cPanelMichael
    Hello, Regarding the proxy subdomains supported with the AutoSSL feature, here's the last response from the support ticket:
    At this time, AutoSSL will not handle those proxy subdomains. It currently only handles:
    1) The domain.tld itself (no www)
    2) www.domain.tld
    3) cpanel.domain.tld
    4) webmail.domain.tld
    5) webdisk.domain.tld
    6) whm.domain.tld (as long as the account is a reseller)
    I checked with the team that created the AutoSSL system and there are presently no plans to include cpcontacts or cpcalendars at this time. Adding a feature request is likely going to be your best option to get the ear of our development team.
    Thank you.
    0
  • Spork Schivago
    Thanks for confirming cPanel Michael. I have submitted a feature request. Now I just have to find a way to block IPv4 access to ipv6.example.com. One of the tech people opened a support ticket for me, but we're not really getting anywhere. I might open a topic on the forums to see if anyone can help.
    0
  • cPanelMichael
    Hello, You may also want to consider setting up a custom deny/allow rule in the .htaccess file, or a mod_rewrite rule that uses a regular expression to block any non-IPv6 IP addresses. Thank you.
    0
  • Spork Schivago
    @cPanelMichael, that's a good idea, but that only blocks non-IPv6 access to Apache, right? The idea is to block all non-IPv6 to ipv6.example.com, so when I try something like ping ipv6.example.com, if I'm using the IPv4 protocol, ping should fail. I think with .htaccess and mod_rewrite rules, ping would still succeed. I don't think I can use iptables either to block access (I thought this was possible but didn't have a good enough understanding of iptables and now believe this is in fact impossible to do). I think my only true option is to wait until my feature request is implemented, if it ever is implemented.
    0
  • cPanelMichael
    Hello, That's correct. Deny or rewrite rules in the .htaccess file would only apply to access over Apache. With the requirements you mentioned, it does seem like a change to the product to support IPv6-only would be the best way to have this working as you intend. Here's a link to the feature request in-case anyone else sees this thread and would like to vote for it: Support IPv6-only Thank you.
    0
  • Spork Schivago
    It's too bad this wasn't a higher priority with cPanel. I understand how busy you guys are and everything, but my understanding is that in some countries, it's very hard to get IPv4 addresses, and in those countries, people cannot run cPanel at all. We know IPv4 addresses are pretty much used up, and granted, I'm sure there's ways to recover a good amount of the addresses out there (people being assigned class B networks, for example, when they only need a class C and maybe using NAT or something), etc. But in the end, we all need to move to IPv6 sooner or later. Eventually, cPanel will need to support IPv6-only I'd think. It'd be nice to see the change implemented. That request was submitted over three years ago, and from the people that I've talked to at cPanel, there's no current plans to implement IPv6 only addresses at this point in time. I doubt many people will vote for this feature request. The people that only have IPv6 addresses are probably not going to create an account to vote for it, having never tried cPanel before. All the other users that have accounts more than likely have cPanel installed, and have IPv4 addresses, so they probably won't care much. I think the only hope is if the cPanel developers decide to implement the feature. I don't think the general public is going to vote much for the feature request.
    0
