"AutoSSL did not renew- The validation required 1 HTTP redirect." How do I resolve this issue?

ssl

#1

Hi Cloudflarers,

I recently set up a new Wordpress site for a client on a new Hosting account. Everything was going well for about a month, up until we received this email:

cardosoboxing.com: The AutoSSL certificate expires on 2018-03-19 at 00:00:00 UTC. At the time of this notice, the certificate will expire in “9 days, 20 hours, 3 minutes, and 54 seconds”.

AutoSSL did not renew the certificate for “cardosoboxing.com”. You must take action to keep this site secure.

The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
⛔ cardosoboxing.com [ Last AutoSSL Run at “2018-03-08 at 07:11:10 UTC” ]

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://cardosoboxing.com/.well-known/pki-validation/06947935ADBECF0DD4C90D98E916E659.txt” URL, it redirected to the “https://cardosoboxing.com/.well-known/pki-validation/06947935ADBECF0DD4C90D98E916E659.txt” URL.

⛔ mail.cardosoboxing.com [ Last AutoSSL Run at “2018-03-08 at 07:11:10 UTC” ]

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://mail.cardosoboxing.com/.well-known/pki-validation/D713CE4B57D13C16FE7657FD0C1C69A8.txt” URL, it redirected to the “https://mail.cardosoboxing.com/.well-known/pki-validation/D713CE4B57D13C16FE7657FD0C1C69A8.txt” URL.

⛔ www.cardosoboxing.com [ Last AutoSSL Run at “2018-03-08 at 07:11:10 UTC” ]

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://www.cardosoboxing.com/.well-known/pki-validation/019CC08238F214E9ACB56E50D93AC453.txt” URL, it redirected to the “https://www.cardosoboxing.com/.well-known/pki-validation/019CC08238F214E9ACB56E50D93AC453.txt” URL.

For the most current status, navigate to the “SSL/TLS Status” interface. You can also exclude domains from future renewal attempts, which would cease future notifications.

The following domains will lose SSL coverage when the certificate expires:

    autodiscover.cardosoboxing.com
    cardosoboxing.com
    cpanel.cardosoboxing.com
    mail.cardosoboxing.com
    webdisk.cardosoboxing.com
    webmail.cardosoboxing.com
    www.cardosoboxing.com 

The certificate that is installed on this website contains the following properties:

Expiration: 2018-03-19 at 00:00:00 UTC
Domain Names:
    cardosoboxing.com
    autodiscover.cardosoboxing.com
    cpanel.cardosoboxing.com
    mail.cardosoboxing.com
    webdisk.cardosoboxing.com
    webmail.cardosoboxing.com
    www.cardosoboxing.com
Subject:
    commonName: cardosoboxing.com
Issuer:
    countryName: US
    stateOrProvinceName: TX
    localityName: Houston
    organizationName: cPanel, Inc.
    commonName: cPanel, Inc. Certification Authority

To upgrade to an EV or OV certificate, navigate to the “SSL/TLS Wizard” interface.

The system generated this notice on 2018-03-09 at 03:56:05 UTC.

You can disable the “AutoSSL certificates expiring” type of notification through the cPanel interface: https://cardosoboxing.com:2083/?goto_app=ContactInfo_Change

Do not reply to this automated message. 

We use Cloudflare, and I suspect that the AutoSSL isn’t playing very well with it. Cloudflare settings:

Our Security Level: Medium
SSL: Full
Always use HTTPS: Off

Screenshot of the email

Any suggestions on how to resolve this? I do have an .htaccess file on the website with the following content. Maybe I have to change something in .htaccess?

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# cPanel-added exclusions: leave DCV validation files alone so AutoSSL can fetch them
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
# Standard WordPress front controller: send non-file, non-directory requests to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Same DCV exclusions again, so validation files are never rewritten to index.php
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

#2

If you’re using Cloudflare as a proxy for this domain (:orange:) then we’re presenting an SSL certificate on our edge. If you also want to have a cert on your server so that you can use Full or Full Strict on the crypto tab you can install our origin cert which is by default good for 15 years I think…

That works if that’s the only host name that virtual server needs to respond to (or if all of the others would also be covered under our origin cert example.com, *example.com) and would also be proxied through Cloudflare.

If you have other host names there which would be hit directly (:grey:) then you should change to using DNS or email validation for the SSL.


#3

Hi cscharff-

Thanks for the quick response! I do have two :orange: clouds (screenshot here).

I’ll look into installing an Origin cert, but I don’t know if it’s the only host name that the virtual server needs to respond to. Is there any easy way to verify this?

Also- I’m not clear on how to change to using DNS for the SSL. Does my linked screenshot provide any additional details that can point me in the right direction? I only recently started using Cloudflare, so there’s a lot that I’m not familiar with.


#4

If whm and webmail are on the same server (for example) then you’d get a security warning that the origin cert from Cloudflare wasn’t trusted if you were hitting it with SSL. If it’s just you, or a small team of savvy admins, this isn’t usually a problem as you can just trust the cert and move on. But if end users would be accessing those resources then you probably want a real cert.

I’m not a Let’s encrypt guru, but I think something like this would allow for DNS validation of the certs… https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation


#5

Yeah I have no idea what any of that means or involves. Is there a less-technical resource where I can read up on this?


#6

My short attention span picked up on a couple of things:

  1. AutoSSL doesn’t like Cloudflare’s “Always Use HTTPS” setting. That setting forced AutoSSL to redirect from HTTP to HTTPS. See if turning off “Always Use HTTPS” lets you refresh AutoSSL. Then turn it back on.

  2. Cloudflare’s Origin Certs aren’t trusted by anybody but Cloudflare…unless you can install Cloudflare’s Root CA certificate as well. If cPanel lets you install this third “key,” that may help. But it can be a bit of a technical challenge.
    https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-Cloudflare-Origin-CA-

If you can fix #1 or #2, things should be better.


#7

I had the same issue at a couple of hosts that used Varnish, but didn’t have an Nginx proxy.

The SSL cert does not terminate properly at the host and can’t be updated if you are using Cloudflare, as AutoSSL will not allow the hop, and the cert was issued under http.

The hosts told me to add the DCV code (that cPanel provides) to the very top of the .htaccess file. That won’t work. That code should be directly above every redirect in .htaccess.
It helps AutoSSL find the crypto files in the .well-known folder so it can auto-renew the cert.

The fault is at the host, but they will blame it on Cloudflare.

The only temp solution is to disable Cloudflare for the day and force renewal of the cert at the host, if they have that option. Crappy solution, but it will work.
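Both #6 (turn off the forced HTTPS redirect, then retry AutoSSL) and #7 (keep the DCV exclusions above every redirect rule) come down to one testable condition: the CA must get a plain HTTP 200 for the validation file, with no redirect on the way. The script below is an added example for this thread, not code from cPanel or Cloudflare. It requests a validation URL with redirect-following disabled and reports the first hop, and it reuses the two exclusion regexes from the posted .htaccess to confirm a given path would actually bypass the WordPress rewrite. The host names and the 32-character token in the `__main__` block are placeholders; the function names (`probe`, `classify`, `is_dcv_path`, `validation_url`) are this example's own.

```python
"""Check whether cPanel AutoSSL HTTP validation would hit a redirect.

Added example for this thread (not cPanel's or Cloudflare's code).
Hosts and token in __main__ are placeholders; substitute the ones
from your own AutoSSL notice.
"""
import re
from typing import Optional
import urllib.error
import urllib.request

# The two exclusion patterns from the posted .htaccess, expressed as Python
# regexes. A request path matching either one is skipped by the WordPress
# front-controller rewrite, which is what lets AutoSSL fetch its file.
DCV_PATTERNS = (
    re.compile(r"^/[0-9]+\..+\.cpaneldcv$"),
    re.compile(r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?: Comodo DCV)?$"),
)


def is_dcv_path(path: str) -> bool:
    """True if the request path matches one of the cPanel DCV exclusions."""
    return any(p.match(path) for p in DCV_PATTERNS)


def validation_url(host: str, token: str) -> str:
    """Build the plain-HTTP validation URL the CA fetches (never HTTPS)."""
    return f"http://{host}/.well-known/pki-validation/{token}.txt"


def classify(status: int, location: Optional[str]) -> str:
    """Turn the first response into a verdict; only a direct 200 passes."""
    if 300 <= status < 400:
        return f"REDIRECT -> {location}"
    if status == 200:
        return "OK"
    return f"HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop is what we inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch one validation URL without following redirects (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        # With redirects disabled, urllib surfaces a 3xx as an HTTPError.
        return classify(e.code, e.headers.get("Location"))
    except (urllib.error.URLError, OSError) as e:
        return f"ERROR {e}"


if __name__ == "__main__":
    # Placeholder hosts and token; replace with the values from the notice.
    hosts = ["example.com", "www.example.com", "mail.example.com"]
    token = "0" * 32
    for host in hosts:
        url = validation_url(host, token)
        path = url.split(host, 1)[1]
        print(f"{host}: {probe(url)} (path excluded from rewrite: {is_dcv_path(path)})")
```

Run it from a machine that resolves the host the same way the CA does: if the verdict is `REDIRECT -> https://...`, the redirect is happening before the origin ever serves the file (the Cloudflare edge setting from #6, or a redirect rule placed above the exclusions in #7), and no .htaccess change below that redirect will help. `is_dcv_path` is case-sensitive on purpose, matching the `[A-F0-9]{32}` class in the .htaccess; a lowercased token path would be rewritten to index.php.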


#8

Funny that you should mention that, because that is exactly what happened when I asked my Hosting provider about the issue.

Would it be enough to switch all of my DNS records on Cloudflare from DNS/HTTP proxy to DNS only? Because even though your temporary solution would probably work, the work is for a client and I don’t want to have to revisit this constantly!


#9

I sure would like to know if you get that DNS record change to work.


#10

This topic was automatically closed after 14 days. New replies are no longer allowed.