AutoSSL and WP Toolkit Issue
Figured I should dump this here after wasting a few hours on this.
I was setting up a new account via the WHM interface. When I jumped into the cpanel account for this new account I was given a pop up to use WP Toolkit to install WordPress. I usually install WordPress later after doing other things like setting up email accounts, etc. WordPress was installed successfully but I noticed that screen shot of the website in the WP Toolkit was for another website on the server. Took me a while to realize that this was due missing SSL certificates.
When I tried to kick AutoSSL with Let's Encrypt I hit a bunch of issues with the DCV checks. Getting 404 errors for the files under .well-known/acme-challenge/ One of the debugging steps was to write a test.txt file into that directory and see if it could be reached from a browser. I could see a directory list in the browser but it had nothing in it. Trying to access the file gave me a 404 error.
Guessing I was having a problem with the Apache config I started searching through the config directory. Eventually found a /etc/apache2/conf.d/userdata/std/2_4 which had a directory for a few recent accounts that have been added to the server, including the new account I was trying to setup. Under these directories is a file generated by WP Toolkit. In that file it adds rules to harden the WordPress security. Including a rule "Block directory browsing" which does "Options -Indexes" for everything under public_html.
Jumping back to WP Toolkit in cPanel you can see under the Status column an entry for security which if you click on the link shows you the rules that have been automatically enabled. Clicking on the checkbox for "Block directory browsing" and then hit the Revert button.
Kicked AutoSSL to run on the new account again and it completed the DCV checks without an issue.
As mentioned above I had seen a few other accounts having similar wp-toolkit.conf files under the Apache config directory. All of them had the "Block directory browsing" option enabled. My only thought is that when setting those up my delay in installing WordPress vial the WP Toolkit was delayed enough to allow AutoSSL to have completed. Not sure what this going to mean for certificate renewals on those accounts. I'll have to keep an eye on this.
Hopefully this will help out some others if they get caught by the same issue.
-
Hey there! That's interesting as I don't have any other reports of this behavior, and I wasn't able to reproduce on my end. Even though directory listings would be blocked in .htaccess, the AutoSSL check uses a direct link and doesn't need to "browse" a directory to find the verification file.
Were there any other errors in the AutoSSL log when this behavior happened?
0 -
Hey!
Thanks for the clarification. Oddly, I'm the only one experiencing this issue. I checked the AutoSSL logs, and no other errors were reported then; it was just the issue with the verification file. The directory listings being blocked via .htaccess shouldn't interfere, so I'm unsure what's causing it.
I'll check the logs and let you know if I see anything unusual. I appreciate your help troubleshooting this!
1
Please sign in to leave a comment.
Comments
2 comments