AutoSSL provider could not renew the SSL certificate
It seems like the last month or so I am getting multiple e-mails from customers asking why subdomains like those mentioned (autodiscover/webmail/cpanel/webdisk) are failing AutoSSL renewal.
Indeed even in personal and test accounts I have I am getting mails like this:
AutoSSL did not renew the certificate for my-domain". You must take action to keep this site secure.
Same for autodiscover and webdisk too. For multiple accounts on different servers. All servers are EA4 and I've checked Global rewrite is on. (Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) [?] On) Did some digging and changed a few things (I had for example .htaccess optimization off, switched it to home, had Indexes OFF, switched it On) but with no luck. Still subdomains are failing DCV and I from console I am getting: AutoSSL will defer the renewal of "my-domain""s certificate because 4 domains (cpanel.my-domain, webdisk.my-domain, webmail.my-domain, and autodiscover.my-domain) that the current certificate secures failed DCV. If AutoSSL renewed the certificate now, those domains would lose SSL coverage. AutoSSL will defer "my-domain""s certificate renewal until 12/11/17 No engintron or any other plugins on domains. Pure EasyApache 4 only. All cPanel servers are on stable tier.v68.0.19
The "cPanel" AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
webmail.my-domain [ Last AutoSSL Run at "2017-12-08 at 22:35:12 UTC" ]
The system failed to fetch the DCV (Domain Control Validation) file at "http://webmail./.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt" because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) "GET" request to "http://webmail./.well-known/pki-validation/00DA63E2744526D6F1D135BFD1485184.txt" because of an error: Unexpected end of stream while looking for line
cpanel.my-domain [ Last AutoSSL Run at "2017-12-08 at 22:35:12 UTC" ]
The system failed to fetch the DCV (Domain Control Validation) file at "http://cpanel./.well-known/pki-validation/280FCD577ACB51C8EC3BCCB375C453AF.txt" because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) "GET" request to "http://cpanel/.well-known/pki-validation/280FCD577ACB51C8EC3BCCB375C453AF.txt" because of an error: Unexpected end of stream while looking for line
.
Same for autodiscover and webdisk too. For multiple accounts on different servers. All servers are EA4 and I've checked Global rewrite is on. (Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) [?] On) Did some digging and changed a few things (I had for example .htaccess optimization off, switched it to home, had Indexes OFF, switched it On) but with no luck. Still subdomains are failing DCV and I from console I am getting: AutoSSL will defer the renewal of "my-domain""s certificate because 4 domains (cpanel.my-domain, webdisk.my-domain, webmail.my-domain, and autodiscover.my-domain) that the current certificate secures failed DCV. If AutoSSL renewed the certificate now, those domains would lose SSL coverage. AutoSSL will defer "my-domain""s certificate renewal until 12/11/17 No engintron or any other plugins on domains. Pure EasyApache 4 only. All cPanel servers are on stable tier.v68.0.19
-
If the dns entries are missing for the proxy subdomains, you can run force them to be added with the following command /scripts/checkproxysubdomains --force
# /scripts/checkproxysubdomains --help Usage: checkproxysubdomains [options] Options: --help Brief help message --man Full help message --force Rerun configuration even if previously done0 -
Hello there. That's not the issue. I've checked all the subdomains, they work. After ~10 tries with "./autossl_check --user=user-here" it worked for all subdomains except one, webdisk, which of course it exists. With the same error because of an error: Unexpected end of stream while looking for line . at /usr/local/cpanel/Cpanel/SSL/Auto/Provider/cPanel.pm line 302. But that's not the only issue, customers are wondering what is this notification and why it's failing filling multiple support tickets. I disabled notifications as a "solution" just wondering if this happened again before. 0 -
Hello @chrismfz, Here's a link to a blog post and forums thread where the new AutoSSL notifications in cPanel version 68 are discussed: New SSL Notifications in v68 | cPanel Blog SSL Notifications in cPanel 68 As far as the AutoSSL validation failures, do you have any custom Mod_Security rules enabled on this system? If so, check to see if it's a Mod_Security rule that's blocking the AutoSSL validation request. For instance, in the AutoSSL failure notification, you will see a reference to a .txt file (e.g. 00DA63E2744526D6F1D135BFD1485184.txt in the example you posted). You can search for the specific file name in your /etc/apache2/logs/modsec_audit.log file with a command like this: grep 00DA63E2744526D6F1D135BFD1485184.txt /etc/apache2/logs/modsec_audit.log
This should help determine if it's a Mod_Security rule that's blocking the request. Feel free to open a support ticket using the link in my signature if you can't find anything and would like us to take a closer look. Thank you.0 -
I am not getting any output on error_log / modsec log. [root@saturn logs]# grep "1BE66A1525109767BBCAA2860264E7FE.txt" * grep: archive: Is a directory grep: domlogs: Is a directory grep: lsapisock: Is a directory grep: mod_evasive: Is a directory grep: modsec_audit: Is a directory [root@saturn logs]# grep "1BE66A1525109767BBCAA2860264E7FE.txt" */*
I am getting 404 for those .txt files. The requested URL /.well-known/pki-validation/1BE66A1525109767BBCAA2860264E7FE.txt was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. And if modsec was enabled or a rule is blocking the certification it would block it everywhere. I am usually see only cPanel's domains blocked (autodiscover,mail,webmail,cpanel). Eventually I will get the CRT but not for all subdomains. But all other subdomains are valid, has A/CNAME records and they are working. Example, in the screenshot all subdomains are working. But most of them didn't get a certificate.0 -
Hello, Could you open a support ticket using the link in my signature so we can take a closer look? Thank you. 0
Please sign in to leave a comment.
Comments
5 comments