AutoSSL for hostname service certificates (checkallsslcerts) fails since moving to Let's Encrypt when the server doesn't have a zone for itself
Hello,
Since cPanel has changed from Sectigo to Let's Encrypt ("LE") for certificates applied to services (cPanel, Dovecot, Exim, ...), the process fails to obtain certificates when the server itself does not have an authoritative DNS zone for its own hostname.
This became apparent when a few service certificates expired and clients noticed security warnings either when trying to get into cPanel/WHM or using email when the server hostname is the IMAP/SMTP address.
When running `checkallsslcerts` it shows that it will attempt to fetch a certificate for a set of FQDNs, not all of which are accessible via HTTP. This means LE will fail to sign, because the process is asking for all FQDNs collectively in a single issue. (LE won't sign for just the FQDNs that worked: they either all work as a unit or all fail as a unit.) This causes LE to fall back to DNS-based verification; however, this will fail if the server does not host an authoritative zone for its own hostname. This scenario can be very common when hosting providers supply you with an IP rDNS-based hostname.
I raised this in Discord a couple of days ago, whereby a partner suggested this was a bug with the `checkallsslcerts` not accounting for how LE works compared to Sectigo. To me it seems that a sensible resolution would be for the process to check if it has an authoritative DNS zone (really authoritative, not just a zone that exists) for its own hostname, then if not, only request a certificate for HTTP accessible FQDNs. It may also be necessary for the process to scan the output from LE to check which FQDNs worked, then follow up with a secondary request of just the working FQDNs it knows will succeed.
(An obvious but pricier alternative would be to purchase a commercial certificate for the server hostname and relevant FQDNs.)
Example output from `/usr/local/cpanel/bin/checkallsslcerts`:
The system will check for the certificate for the “cpanel” service.
The system will attempt to replace the self-signed certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider.
The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
The system will attempt to get a new certificate for the domains: servername.example.com, autoconfig.servername.example.com, autodiscover.servername.example.com, cpanel.servername.example.com, cpcalendars.servername.example.com, cpcontacts.servername.example.com, ipv6.servername.example.com, mail.servername.example.com, webdisk.servername.example.com, webmail.servername.example.com, whm.servername.example.com, www.servername.example.com
The system failed to validate domain control for the domain “webmail.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://webmail.servername.example.com/.well-known/acme-challenge/miBLs34BR6CGv5AfGoTe_1ZLoQBR-_zF-H8zxJ7KnEw: 400)
The system failed to validate domain control for the domain “whm.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://whm.servername.example.com/.well-known/acme-challenge/eTIzyozu1dJ5HuHa1bag4ttpjqCTrF3fSK6Yb9G0Jig: 400)
The system failed to validate domain control for the domain “autoconfig.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://autoconfig.servername.example.com/.well-known/acme-challenge/zTz6CLImT4zf-whBs1e1D-XRbSpk8UP83Fb9xWp-N5E: 400)
The system failed to validate domain control for the domain “cpcalendars.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://cpcalendars.servername.example.com/.well-known/acme-challenge/oA9dMTdvW3YAd_iz0xRPPog7r-0oJP0Pj5qF2_3zHLM: 400)
The system failed to validate domain control for the domain “webdisk.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://webdisk.servername.example.com/.well-known/acme-challenge/6uvSOp5xdXNLjLMbg50vhX8i7VKxG6WerlHBNgC5guc: 400)
The system failed to validate domain control for the domain “cpanel.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://cpanel.servername.example.com/.well-known/acme-challenge/4qHoo4vkX3SysLLAFluPay90HaM5TOCzREpvsDYbiiU: 400)
The system failed to validate domain control for the domain “cpanel.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://cpanel.servername.example.com/.well-known/acme-challenge/4qHoo4vkX3SysLLAFluPay90HaM5TOCzREpvsDYbiiU: 400)
The system failed to validate domain control for the domain “autodiscover.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://autodiscover.servername.example.com/.well-known/acme-challenge/LhDwB_GuakkJXY7TI9enoMbxvVyumHN192O1fdDHCpM: 400)
The system failed to validate domain control for the domain “cpcontacts.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (2a01:xxxx:xxxx:xxxx::1:1: Invalid response from http://cpcontacts.servername.example.com/.well-known/acme-challenge/BeR2TfiwjBffMM6j9my4iIQPTyhaBeMAZ7UVYrMwY7Q: 400)
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.whm.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.cpcontacts.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webmail.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webdisk.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.cpcalendars.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.autodiscover.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.cpanel.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.autoconfig.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.whm.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.cpcontacts.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.webmail.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.webdisk.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.cpcalendars.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.autodiscover.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.cpanel.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.autoconfig.servername.example.com.”. at /usr/local/cpanel/Cpanel/DnsUtils/Batch.pm line 243.
Thanks,
Adam Reece | WebBox
-
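The second suggestion in the post above (read the tool's output, find the FQDNs that failed, and re-order only for the ones that worked) can be prototyped from the log format shown. The following is an added example, not cPanel's own code: it parses the three message shapes visible in the excerpt (the "get a new certificate for the domains:" list, the per-domain "HTTP" DCV failures, and the "no zone file on this system" warnings), and derives which names a follow-up single order could be limited to, which names cannot be validated by either method, and which failed HTTP-01 but still have a local zone for DNS-01. The sample output is a constructed excerpt modelled on the log in the post, with the parenthetical detail trimmed; the message wording is assumed stable across versions.

```python
"""Triage cPanel checkallsslcerts output after a failed Let's Encrypt order.

Added example, not cPanel code. Since LE issues an order all-or-nothing, the
useful output is the list of names that did NOT fail, which a retried order
can be limited to. A name counts as "passed" only by absence of a failure
message, so the parse is only as good as the tool's reporting.
"""
import re
from dataclasses import dataclass, field

# Patterns keyed to the message shapes seen in the log excerpt (assumed stable).
REQUESTED_RE = re.compile(r"get a new certificate for the domains: (.+)$")
HTTP_FAIL_RE = re.compile(
    r"failed to validate domain control for the domain “([^”]+)” using the “HTTP” DCV method"
)
NO_ZONE_RE = re.compile(
    r"no zone file on this system that can contain “_acme-challenge\.([^”]+?)\.?”"
)


@dataclass
class Triage:
    requested: list                       # names in the order cPanel placed them in the ACME order
    http_failed: set = field(default_factory=set)
    no_local_zone: set = field(default_factory=set)

    def retry_with(self):
        """Names not reported as failing HTTP-01: a retried order limited to these can succeed as a unit."""
        return [d for d in self.requested if d not in self.http_failed]

    def unrecoverable(self):
        """Failed HTTP-01 and no local zone exists for the _acme-challenge TXT record, so DNS-01 is impossible."""
        return sorted(d for d in self.http_failed if d in self.no_local_zone)

    def dns01_candidates(self):
        """Failed HTTP-01 but a local zone exists, so the DNS-01 fallback may still work."""
        return sorted(d for d in self.http_failed if d not in self.no_local_zone)


def parse_checkallsslcerts(output: str) -> Triage:
    """Build a Triage from raw tool output. Duplicate warn/Processor lines collapse via the sets."""
    triage = Triage(requested=[])
    for line in output.splitlines():
        if m := REQUESTED_RE.search(line):
            triage.requested = [d.strip() for d in m.group(1).split(",") if d.strip()]
        elif m := HTTP_FAIL_RE.search(line):
            triage.http_failed.add(m.group(1))
        elif m := NO_ZONE_RE.search(line):
            triage.no_local_zone.add(m.group(1))
    return triage


# Constructed sample modelled on the post's log (parenthetical detail trimmed).
SAMPLE_OUTPUT = """\
The system will attempt to get a new certificate for the domains: servername.example.com, autoconfig.servername.example.com, autodiscover.servername.example.com, cpanel.servername.example.com, cpcalendars.servername.example.com, cpcontacts.servername.example.com, ipv6.servername.example.com, mail.servername.example.com, webdisk.servername.example.com, webmail.servername.example.com, whm.servername.example.com, www.servername.example.com
The system failed to validate domain control for the domain “webmail.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “whm.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “autoconfig.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “cpcalendars.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “webdisk.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “cpanel.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “autodiscover.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
The system failed to validate domain control for the domain “cpcontacts.servername.example.com” using the “HTTP” DCV method: 403 urn:ietf:params:acme:error:unauthorized
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.whm.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.cpcontacts.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webmail.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.webdisk.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.cpcalendars.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.autodiscover.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.cpanel.servername.example.com.”.
warn [checkallsslcerts] Cpanel::DnsUtils::Install::Processor::_add_error: There is no zone file on this system that can contain “_acme-challenge.autoconfig.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.whm.servername.example.com.”.
Cpanel::DnsUtils::Install::Processor:678: There is no zone file on this system that can contain “_acme-challenge.cpanel.servername.example.com.”.
"""

if __name__ == "__main__":
    t = parse_checkallsslcerts(SAMPLE_OUTPUT)
    print("retry order limited to:", ", ".join(t.retry_with()))
    print("drop (no HTTP-01, no DNS-01 possible):", ", ".join(t.unrecoverable()))
    print("could still try DNS-01:", ", ".join(t.dns01_candidates()) or "(none)")
```

On the constructed sample this leaves the bare hostname plus `ipv6.`, `mail.` and `www.` as the only names a retried order should carry, and flags the other eight as unrecoverable on a server with no zone for its own hostname. The first suggestion in the post (probe each FQDN over HTTP before ordering) needs live DNS and HTTP requests and is not part of this offline example.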
Hey there! Let me do some testing on this and I'll get back to you soon!
0 -
I've contacted our developers about this through case CPANEL-45609, although I don't have a workaround I can provide at this time. You can follow along with the following support article at https://support.cpanel.net/hc/en-us/articles/23945386906263-cPanel-s-hostname-certificate-tool-tries-to-secure-service-subdomains-which-will-never-succeed as we'll post an update there once we have one. I'll also update this thread with more details as I get them.
1 -
cPRex: Add us to the list of affected use-cases. We run cPanel in a University setting, and it's pretty common that servers in our environments (and I presume other enterprise settings) are not allowed authoritative DNS. An update on this topic would be greatly appreciated as one of our servers has now lost its hostname SSL coverage.
UPDATE: Never mind! Although `checkallsslcerts` threw a bunch of errors, upon closer inspection it appears it did actually pull successfully after a manual run; confirmed via WHM.
1 -
Is there an update available for this? This is still a big problem.
To try and work around it I made one of our servers authoritative for its own hostname, but that didn't resolve it.
0
Comments
4 comments