Auto SSL problem


#1

For the past few days, I’ve been receiving this message from my cPanel:

AutoSSL did not renew the certificate for “silverpetticoatreview.com”. You must take action to keep this site secure.

The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:

:no_entry: www.silverpetticoatreview.com [ Last AutoSSL Run at “2017-12-07 at 03:56:14 UTC” ]

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://www.silverpetticoatreview.com/.well-known/pki-validation/FF667E03790A2AB72A92305CF480347A.txt” URL, it redirected to the “https://www.silverpetticoatreview.com/.well-known/pki-validation/FF667E03790A2AB72A92305CF480347A.txt” URL.

:no_entry: silverpetticoatreview.com [ Last AutoSSL Run at “2017-12-07 at 03:56:14 UTC” ]

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://silverpetticoatreview.com/.well-known/pki-validation/4C2659FCB4505EA3C49CFC1A6FE25968.txt” URL, it redirected to the “https://silverpetticoatreview.com/.well-known/pki-validation/4C2659FCB4505EA3C49CFC1A6FE25968.txt” URL.

For the most current status, navigate to the “SSL/TLS Status” interface. You can also exclude domains from future renewal attempts, which would cease future notifications.

My hosting tried to resolve the issue, but they said that if what they tried to fix with .htaccess didn’t work, it was likely to be a Cloudflare issue.

Now, I do have a Full Strict certificate with Cloudflare. And I do have Always use HTTPS turned on. Not sure if that’s what’s causing the issue.

Anyway, not sure what to do since it won’t renew in a few days. And my hosting says I should have this Auto SSL plus Cloudflare. Anyone know how to fix this? Thanks!


#2

This could be an incompatibility between cPanel DCV and Cloudflare.

The easiest way that I could think of to solve this issue is to simply use Cloudflare Origin CA in place of the cPanel AutoSSL for the www subdomain and the root domain. Therefore, you can keep the SSL mode at Full (Strict).

If you use something like the mail subdomain, please ensure that AutoSSL remains on for the respective subdomain, so you shouldn’t face any error when visiting the subdomain.


EDIT
This appears to be a similar issue:


#3

Thanks for your reply! I find all of this a bit like reading a different language. Should I create a certificate with Origin CA? Reading through the second thread with the similar issue someone says there’s a known issue between Auto SSL and Cloudflare.

And to disable Cloudflare to force Auto SSL and then later come up with a rule that would bypass the need to disable every 90 days.

And then another person said this:

I’m assuming you already have “Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)” enabled under the “Domains” tab in “WHM >> Tweak Settings”. If so, here are a couple of rules you could add to the .htaccess file that have worked for others facing the same issue:

Code:

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

I have no idea what this person is saying and what to do or how to fix the problem. Any suggestions or help? Thanks!
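
As an added illustration (not part of the original posts, and not cPanel's or Cloudflare's own configuration): the two quoted conditions are meant to sit directly above an existing HTTP-to-HTTPS redirect rule in .htaccess, so that the AutoSSL validation files are still served over plain HTTP. The `%{HTTPS}` condition and the `RewriteRule` shown here are assumptions about what that redirect looks like on a given site.

```apache
# Constructed example for a site's .htaccess; not taken from the thread.

# Before: every plain-HTTP request is redirected, including the AutoSSL
# validation file, which produces the "required 1 HTTP redirect" failure.
#
#   RewriteEngine On
#   RewriteCond %{HTTPS} off
#   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# After: the same redirect, skipped for the two DCV file patterns.
RewriteEngine On

# Only consider requests that arrived over plain HTTP (assumed redirect logic).
RewriteCond %{HTTPS} off

# Quoted condition 1: do not redirect cPanel DCV files in the document root,
# named <digits>.<anything>.cpaneldcv
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$

# Quoted condition 2: do not redirect Comodo DCV files, named with 32
# uppercase hex characters plus .txt under /.well-known/pki-validation/
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

# All conditions above are ANDed: redirect only when the request is plain
# HTTP and matches neither DCV pattern.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

`RewriteCond` lines apply only to the `RewriteRule` that immediately follows them, so they have no effect if pasted elsewhere in the file. They also only govern redirects issued by the origin server; a redirect issued by Cloudflare's Always Use HTTPS setting is returned before the request ever reaches .htaccess.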


#4

As I have previously mentioned, the easiest method would be to generate a Cloudflare Origin CA certificate. If you’re willing to do so, here’s an instruction, replacing example.com with your domain:

Then, you’ll get something like this:

Afterwards, open cPanel in a new tab and click SSL/TLS and then Manage SSL Sites. Then change the Domain to your domain, copy and paste the Origin Certificate to Certificate and the Private Key to Private Key, and fill the Certificate Authority Bundle with the RSA root found here:

Now, Cloudflare Origin CA should be set up already. Back at the cPanel menu, select SSL/TLS Status. Ensure that yourdomain.tld and www.yourdomain.tld are excluded from AutoSSL.


#5

Thanks for your reply. I will try to do this. How does one exclude things from Auto SSL?


#6

In the SSL/TLS Status at cPanel, there should be a button to exclude the subdomain from cPanel AutoSSL.


#7

Okay, thanks. Crossing fingers this all works. But I’ll update to let you know. Thanks for your help.


#8

I think I followed your instructions and it said the certificate was a success when I added the key, etc… and installed. Though it now says all the ones I included have unknown security certificates. And silverpetticoatreview.com and www.silverpetticoatreview.com have the same unknown errors.

Now saying:

Unknown Certificate Type

An error occurred the last time AutoSSL ran, on December 7, 2017:

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://silverpetticoatreview.com/.well-known/pki-validation/7AD7518E69FA9AB99E83CAFB8D7E976F.txt” URL, it redirected to the “https://silverpetticoatreview.com/.well-known/pki-validation/7AD7518E69FA9AB99E83CAFB8D7E976F.txt” URL.

And when I go to SSL/TLS Status in cPanel, I don’t see yourdomain.tld and www.yourdomain.tld

I just see the regular .com ones.

So what do I exclude? Or maybe I did something wrong. That’s VERY possible.

EDIT: I think this may be way over my head at this point, so I sent an email to Cloudflare support. So, hopefully, they respond quickly so I can resolve it. But thank you for your help.


#9

You should see something like this in SSL/TLS Status: