cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

AutoSSL DCV validation by HTTPS too

Will Harrison shared this idea 4 years ago
Completed

As a server administrator, I would like DCV validation to try HTTPS as well as HTTP, preventing failure when a customer has a valid (but expiring) certificate, and have set all traffic to redirect to https (typical if they have an existing cert). For example.


  1. 1.2.3.4 - - [16/Aug/2016:17:23:30 +0100] "GET /D7684D0EB222FFBDA2E5CC113A6A8015.txt HTTP/1.1" 302 1123 "-" "COMODO DCV"
  2. 1.2.3.4 - - [16/Aug/2016:17:23:30 +0100] "GET /D7684D0EB222FFBDA2E5CC113A6A8015.txt HTTP/1.1" 302 1123 "-" "COMODO DCV"
  3. 1.2.3.4 - - [16/Aug/2016:18:00:11 +0100] "GET /D7684D0EB222FFBDA2E5CC113A6A8015.txt HTTP/1.1" 302 1123 "-" "COMODO DCV"
  4. 1.2.3.4 - - [16/Aug/2016:18:00:11 +0100] "GET /D7684D0EB222FFBDA2E5CC113A6A8015.txt HTTP/1.1" 302 1123 "-" "COMODO DCV"
  5. 1.2.3.4 - - [16/Aug/2016:19:31:36 +0100] "GET /D7684D0EB222FFBDA2E5CC113A6A8015.txt HTTP/1.1" 302 1123 "-" "COMODO DCV"
  6. 1.2.3.4 - - [16/Aug/2016:19:31:36 +0100] "GET /D7684D0EB222FFBDA2E5CC113A6A8015.txt HTTP/1.1" 302 1123 "-" "COMODO DCV"

Best Answer
photo

While this specific request doesn't get directly answered in cPanel & WHM Version 80, I'm going to go ahead and mark this as complete because the spirit of the request is answered. We did add force HTTPS redirect functionality in v80, which you can read more about in the Version 80 release notes, and more about 80 overall on the Release Site.


Comments (8)

photo
1

Wow I hope this will be fixed soon ! Most of our customers have redirects from http to https ! Isn't this a bug ?

photo
1

I do believe so, but I'm reaching out internally. I believe the whole problem with redirects is being addressed, but I need to double check.

photo
1

Any chance of getting an update sooner than later so we don't have to deal with customer's SSL expiring. Does this happen with both let's encrypt and comodo ?

photo
1

Currently it's unlikely that we'll get this specific request answered anytime soon, but I wanted to share one change we are making, and one thing that might help. Adjusting to https verification would be a significant amount of development time (our current estimation is 2 sprints of development time, which is around a month for us).

However, to help rectify the problem we have added some functionality in version 60 that will help with this. We'll be excluding redirects specifically for the verification files, which we've described a bit in this forum post.

We’ll be doing this automatically in version 60 for any domain that fails verification. If you have questions about that change, let me know in an email (not in comments here, since it's completely unrelated to this request).

photo
1

Hello Benny

I'm not sure those alone will solve the problem, they will only act on the first rule encountered so you would have to place them before the redirect to ssl rule.

What is rearly required is a rule that prevents any other rules from being used.

I haven't fully tested the rule below yet but it gives an idea of what I would like to add to the beginning of the .htaccess files or even better in a virtualhost include.

This makes my new .htacess rule:


  1. RewriteEngine On
  2. RewriteCond %{REQUEST_URI} /[A-F0-9]{32}\.txt$ [OR]
  3. RewriteCond %{REQUEST_URI} /\.well\-known\/acme\-challenge
  4. RewriteCond %{REQUEST_FILENAME} -f
  5. RewriteRule (.*) $1 [L]

This rule works on the sites I have tested it on (with LiteSpeed webserver) but should also work with Apache. To test, place it at the begginning of an accounts .htaccess file that has a http to https redirect in it, create a demo file (for example 012345678901234567890123456789AB.txt) and try and access it with http:// and not https:// in the URL.

Reminder, this is not a cPanel provided rule, so apply with caution.

photo
1

We've currently got a ticket open with cPanel support about this, it has caused huge issues us, and editing .htaccess files is not an acceptable solution.


cPanel support gave us a line to automaticaly add rewritecond lines to .htaccess files before any rewriterule lines.

This broke all WordPress and Joomla websites.


Here are our reasons to not fix this problem with .htaccess :


  • You can't be sure that you won't cause problems with some exsiting scripts and some existing .htaccess files
  • Some customers have tools that inform them when the .htaccess file is edited causing customer support requets
  • We can not legally edit customers files without their consent.


The only viable solution to this problem is :


  • Run local check for both http and https URLs
  • If http fails but https doesn't specify to lets encrypt/comodo to run the check on the https version


We don't actually see with would be so complicated about doing this, it actually seems faster than testing your .htaccess editing system on all the different PHP scripts as well as dealing with all the issues that are caused by it.

photo
1

This is why we suggested allowing DNS challenge validation instead (via a separate feature request).

You can find the DNS challenge validation request at:

https://features.cpanel.net/topic/autossl-dns-challenge-validation

photo
1

cPanel support explaîed that some non https related redirects still blocked cert generation and this is what htaccess files would be edited.


We would like to have an option to disable cPanel editing .htaccess files, all we want is both http and https validation, and if both fail no .htaccess editing.

photo
1

While this specific request doesn't get directly answered in cPanel & WHM Version 80, I'm going to go ahead and mark this as complete because the spirit of the request is answered. We did add force HTTPS redirect functionality in v80, which you can read more about in the Version 80 release notes, and more about 80 overall on the Release Site.


Replies have been locked on this page!