
Auto SSL error when engintron is enabled #675

Closed
jrsarath opened this issue Oct 29, 2017 · 23 comments

Comments

@jrsarath

Log for the AutoSSL run for “zoneshne”: Sunday, October 29, 2017 6:07:43 PM GMT+05-30 (cPanel (powered by Comodo))

6:07:43 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
6:07:43 PM Checking websites for “zoneshne” …
6:07:43 PM WARN The certificate for the website “zonesh.net” will not contain the domains “zonesh.net”, “www.zonesh.net”, and “mail.zonesh.net” because the current configuration excludes these domains. at /usr/local/cpanel/Cpanel/SSL/Auto/Report.pm line 134.
6:07:43 PM The website “zonesh.net”, owned by “zoneshne”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
6:07:43 PM WARN The domain “cpanel.zonesh.net” failed domain control validation: The system failed to fetch the DCV file at “http://cpanel.zonesh.net/.well-known/pki-validation/D200348724F1615B7BC5A54627C42531.txt” because of an error: The system failed to send an HTTP “GET” request to “http://cpanel.zonesh.net/.well-known/pki-validation/D200348724F1615B7BC5A54627C42531.txt” because of an error: Size of response body exceeds the maximum allowed of 16384 .
6:07:43 PM WARN The domain “webdisk.zonesh.net” failed domain control validation: The system queried for a temporary file at “https://purple.intersite.us:2078/.well-known/pki-validation/8F1264A8A519054BF23B1E328957443D.txt”, which was redirected from “http://webdisk.zonesh.net/.well-known/pki-validation/8F1264A8A519054BF23B1E328957443D.txt”. The web server responded with the following error: 401 (Unauthorized). A DNS or web server misconfiguration may exist.
6:07:43 PM WARN The domain “webmail.zonesh.net” failed domain control validation: The system failed to fetch the DCV file at “http://webmail.zonesh.net/.well-known/pki-validation/2231B7C7FD1A2FCD1ABE0AC74E58ABA9.txt” because of an error: The system failed to send an HTTP “GET” request to “http://webmail.zonesh.net/.well-known/pki-validation/2231B7C7FD1A2FCD1ABE0AC74E58ABA9.txt” because of an error: Size of response body exceeds the maximum allowed of 16384 .
6:07:43 PM The system has completed the AutoSSL check for “zoneshne”.

================================================================
Here is the complete log. It only happens when Engintron is enabled.

@fevangelou
Member

That's because you have redirection enabled and htaccess login control for https://purple.intersite.us:2078/.well-known/pki-validation/8F1264A8A519054BF23B1E328957443D.txt - just click that link and you'll see. All subdomains for zonesh.net redirect back to port 2078. That's not even Engintron (which runs on port 80 & 443), that's purely cPanel's webserver.

Remove the redirections from Tweak Settings in WHM.

@jrsarath
Author

Will give it a try.

@theraw

theraw commented Nov 4, 2017

@fevangelou

    # Proxy cPanel specific subdomains
    #if ($host ~* "^webmail\.") {
    #    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    #    set $PROXY_TO_PORT 2095;
    #}
    #if ($host ~* "^cpanel\.") {
    #    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    #    set $PROXY_TO_PORT 2082;
    #}
    #if ($host ~* "^whm\.") {
    #    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    #    set $PROXY_TO_PORT 2086;
    #}
    #if ($host ~* "^webdisk\.") {
    #    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    #    set $PROXY_TO_PORT 2077;
    #}
    #if ($host ~* "^(cpcalendars|cpcontacts)\.") {
    #    set $PROXY_DOMAIN_OR_IP "127.0.0.1";
    #    set $PROXY_TO_PORT 2079;
    #}

Those are redirecting all subdomains of clients to the cPanel main hostname, which makes the problem with SSL. (Got this output when Proxy subdomains was OFF.)

root@desk:~# curl -vvv webmail.example.com > c
* Rebuilt URL to: webmail.example.com/
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: webmail.example.com
> Accept: */*
> 
< HTTP/1.1 301 Moved
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 05 Nov 2017 00:42:15 GMT
< Content-Type: text/html; charset="utf-8"
< Content-Length: 120
< Connection: keep-alive
< Location: https://cpanel.hostname.com:2096/
< Cache-Control: no-cache, no-store, must-revalidate, private
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Nginx-Cache-Status: MISS
< X-Server-Powered-By: Engintron
< 
{ [data not shown]
100   120  100   120    0     0     77      0  0:00:01  0:00:01 --:--:--    77
* Connection #0 to host webmail.example.com left intact

So should we remove those or turn off "Proxy subdomains"?!

Tried to turn off Proxy subdomains, but nginx was redirecting them again. After removing what I said, they don't redirect anymore, but I'm having another problem. cPanel is failing for webmail, webdisk, cpanel, and from curl:

> GET /.well-known/pki-validation/772928941E6AACFE3E70A8E9167E2E6D.txt HTTP/1.1
> User-Agent: curl/7.35.0
> Host: webmail.example.com
> Accept: */*
> 
< HTTP/1.1 401 Access Denied
* Server nginx is not blacklisted
< Server: nginx
< Date: Sat, 04 Nov 2017 01:29:48 GMT
< Content-Type: text/html; charset="utf-8"
< Content-Length: 36284
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate, private
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, private

Also I got the same output on the Apache port. Weird.
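The AutoSSL log in the opening post and the curl output above show three ways the proxy subdomains fail DCV: a body larger than 16384 bytes (a cPanel login page instead of the small text file), a 301 to the cPanel service port, and a 401 at the redirect target. The following offline model of that HTTP DCV check is an added example, not cPanel's or Engintron's code; the 16384-byte limit, the /.well-known/pki-validation/ path and the token are taken from the log above, while the Response type, check_dcv() and the sample responses are constructed here.

```python
# Added example, not cPanel's or Engintron's code. The 16384-byte limit, the
# /.well-known/pki-validation/ path and the token come from the log above;
# Response, check_dcv() and the sample responses are constructed here.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_BODY = 16384  # "Size of response body exceeds the maximum allowed of 16384"
DCV_PATH = "/.well-known/pki-validation/"
TOKEN = "D200348724F1615B7BC5A54627C42531"

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def check_dcv(host, token, fetch):
    """Return (ok, reason). fetch(url) -> Response. Redirects are followed by
    hand so a hop to another host/port (a cPanel service port) shows up in
    the reason, as in the AutoSSL log lines quoted in this thread."""
    url = f"http://{host}{DCV_PATH}{token}.txt"
    for _ in range(5):
        r = fetch(url)
        if len(r.body) > MAX_BODY:  # a whole login page instead of a tiny text file
            return False, f"Size of response body exceeds the maximum allowed of {MAX_BODY}"
        if r.status in (301, 302, 307, 308) and "Location" in r.headers:
            url = r.headers["Location"]
            continue
        if r.status != 200:
            return False, f"{r.status} from {urlsplit(url).netloc}"
        if r.body.strip() != token.encode():
            return False, "DCV file content mismatch"
        return True, "ok"
    return False, "too many redirects"

# Constructed responses reproducing the outcomes seen in this thread.
LOGIN_PAGE = b"<html>cPanel login</html>" * 1500  # ~37 KB, over the limit
SAMPLE = {
    f"http://example.com{DCV_PATH}{TOKEN}.txt": Response(200, body=TOKEN.encode() + b"\n"),
    f"http://cpanel.example.com{DCV_PATH}{TOKEN}.txt": Response(200, body=LOGIN_PAGE),
    f"http://webdisk.example.com{DCV_PATH}{TOKEN}.txt": Response(
        301, {"Location": f"https://hostname.example.com:2078{DCV_PATH}{TOKEN}.txt"}),
    f"https://hostname.example.com:2078{DCV_PATH}{TOKEN}.txt": Response(401, body=b"Access Denied"),
}

def run_sample():
    """Check every host in the sample; returns {host: (ok, reason)}."""
    hosts = ["example.com", "cpanel.example.com", "webdisk.example.com"]
    return {h: check_dcv(h, TOKEN, SAMPLE.__getitem__) for h in hosts}
```

Calling run_sample() returns ok only for the main domain and a WARN-style reason for the two proxy subdomains, matching the log; swapping SAMPLE.__getitem__ for a real HTTP fetch turns it into a quick pre-check before an AutoSSL run.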

@Friends4U

Friends4U commented Nov 6, 2017

When you disable proxy subdomain creation, the proxy subdomains that are already there are not removed I think. And why would you want to remove them? Your customers use them...

I think it's the custom templates nginx has put in place that may be causing an issue with the verification of SSL certificates. Specifically the template [ /var/cpanel/templates/apache2_4/ea4_main.local ]. It would need to be updated to include the following:

=====
<IfModule rewrite_module>
# Global DCV Exclude
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/[0-9]+\..+\.cpaneldcv$ [OR]
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ [OR]
RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

# Exclude proxy subdomains as we need rewrites to capture the DCV requests
RewriteCond %{HTTP_HOST} !^(?:autoconfig|autodiscover|cpanel|cpcalendars|cpcontacts|webdisk|webmail|whm)\.
RewriteRule ^ - [END]
</IfModule>
=====

@Friends4U

However, you should modify one of the include files, perhaps @fevangelou can help here...

@herrerogarcia

I have the same problem in cPanel; SSL only works if I disable Engintron.

@Yetster

Yetster commented Nov 16, 2017

I too am seeing this issue, any updates?

@jinbatsu

jinbatsu commented Dec 9, 2017

For me, the main domain, www, and subdomains work smoothly.
The problem is these 3:

cpanel.example.com
webdisk.example.com
webmail.example.com

@Friends4U, where should I put those rewrite rules?
Can I just use them in each domain's public_html/.htaccess file?
Or is there any global option for all accounts/domains?
Thank you.

@teenhype902102

Same problems here.

@virtuali1151

I have the same problem as well, on the subdomains cpanel, webdisk, and webmail. They all fail AutoSSL.

@ahmadmmughal

I have the same problem: cpanel, webdisk, webmail and autodiscover subdomains fail AutoSSL.

@teenhype902102

@fevangelou it appears quite a few people need this functionality and are struggling with the subdomains cpanel, webdisk, webmail etc. including myself. We can't just turn this feature off in WHM as we actually need them. Is there anything you can do to help eliminate the error messages? Here's an example of the error I'm getting (I've replaced the domain name and file name in this error for security):

"The system failed to fetch the DCV (Domain Control Validation) file at “http://cpanel.domain.com/.well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXX.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://cpanel.domain.com/.well-known/pki-validation/XXXXXXXXXXXXXXXXXXXXXX.txt” because of an error: Size of response body exceeds the maximum allowed of 16384"

@AdamiPL

AdamiPL commented Jan 14, 2018

Have exactly the same problem. It helps when I turn off Engintron.

@mockdot

mockdot commented Jan 15, 2018

We are experiencing the same problem but only with auto-discover. I am guessing the entries for auto-discover haven't been added to the latest version of Engintron?

@apocas

apocas commented Jan 29, 2018

cPanel 70.0.5 should fix this.

https://documentation.cpanel.net/display/CL/70+Change+Log
Fixed case CPANEL-18074: Allow proxy subdomain HTTP DCV to work over nonstandard non-SSL port.

@teenhype902102

@apocas - Issue still remains on cPanel 70.0.10.

@herrerogarcia

herrerogarcia commented Feb 17, 2018 via email

@teenhype902102

@herrerogarcia - no luck for me, even with easyapache4 and reinstalling engintron =/

@teenhype902102

@fevangelou - any thoughts?

@fevangelou
Member

fevangelou commented Feb 22, 2018

This is not an Engintron issue, it's a cPanel issue. A subdomain in the form cpanel.domain.tld points to a part in the disk that has nothing to do with the actual domain, that's why the validation fails.

@fevangelou
Member

Well, it's a tradeoff then. I can't fix every implementation. And Engintron's Nginx probably has the best reverse caching proxy configuration for a long time now. But it can't do miracles.

I explained the reason above. I don't know why it works with Nginx off and not when it's enabled. I mean, Nginx does not modify the routing.

@herrerogarcia

herrerogarcia commented Feb 22, 2018 via email

@spopadiin

# THE SOLUTION!
Go to the Engintron management page and at the bottom hit reinstall.
It will recreate all rules and take into account newly added SSL domains.
If you add new domains with https, you need to reinstall again.
