usmannasir / cyberpanel

Cyber Panel - The hosting control panel for OpenLiteSpeed
GNU General Public License v3.0

[BUG] SSL fails in 2.3.4 #1063

Open SaJeTek-Developer opened 1 year ago

SaJeTek-Developer commented 1 year ago

After upgrading to 2.3.4 - commit: 2b7c8104b47669c609a28e468bbd435ec2192827 the SSL is failing when issued via https://domain.com:8090/manageSSL/manageSSL.

On further investigation, the logs are being flooded with DNS challenges for Cloudflare. It seems that the regular SSL is being passed through sslv2 which should not be the case as they should be separated.

To Reproduce What steps did you take when the issue occurred?

  1. Ex.: Go to https://domain.com:8090/manageSSL/manageSSL.
  2. Ex.: Click on "Issue SSL".
  3. Ex.: Track logs via "tail -f /root/.acme.sh/acme.sh.log".

Expected behavior SSL should be issued via the http method as before the SSLv2 was introduced.

Operating system: Centos 7.9

CyberPanel version: 2.3.4

usmannasir commented 1 year ago

Share CyberPanel main log file as it revert to normal SSL when dns try failed.

SaJeTek-Developer commented 1 year ago

(two screenshots attached)

After waiting a couple minutes, you get these errors but acme is still trying the DNS in the backend and still logging. There is no indication of a success or failure to the user. At the point of posting the logs, the acme was still trying the DNS which was over 10 minutes.

acme.sh.log

usmannasir commented 1 year ago

actually I need logs from CyberPanel log file not acme logs

SaJeTek-Developer commented 1 year ago

See attached. Truncated from this morning right before another test. A valid certificate is never assigned. It falls back to self signed.

error-logs.txt

jcn50 commented 1 year ago

@SaJeTek-Developer: for which domain are you reporting this bug? I have just checked and there are no DNS records for the hostname ttpost.quovizweb.com.

SaJeTek-Developer commented 1 year ago

gidc.quovizweb.com

jodhpurlaxman commented 1 year ago

As I see it, there are a lot of things here, as follows:

  1. Right now, the domain is not hosted on Cloudflare.
  2. [05.09.2023_10-32-15] grep SAVED_CF_Key= /root/.acme.sh/account.conf | cut -d= -f2 | tr -d "'" -- CyberPanel is looking for the Cloudflare key and the associated email.
  3. No such file or directory: '/usr/local/lsws/conf/vhosts/estatements.quovizweb.com/vhost.conf' [installSSLForDomain]] -- The domain vhost file does not exist as per the log, yet SSL was requested for it.
  4. [05.09.2023_12-14-44] touch /usr/local/lsws/Example/html/.well-known/acme-challenge/ttpost.quovizweb.com [05.09.2023_12-14-44] Status Code: 404 for: http://www.ttpost.quovizweb.com/.well-known/acme-challenge/ttpost.quovizweb.com. Error: <!DOCTYPE html> -- the file was created on the server but could not be fetched via HTTP. It seems the .well-known context was not created or the vhost file is not there.

SaJeTek-Developer commented 1 year ago

Those other domains are inactive; the active domain is gidc.quovizweb.com, and it also does not have an alias for www.

Only points 1 and 2 are applicable to this issue, as the domain is not hosted on Cloudflare.

From the screenshot earlier, you would see that from the backend I would have tried to issue a certificate for that domain with the errors.

gidc.quovizweb.com was used for testing

jodhpurlaxman commented 1 year ago

  1. You mean the other subdomains are created on the hosting server but not available in DNS?
  2. Can you share the output of the command below?
     /root/.acme.sh/acme.sh --issue -d gidc.quovizweb.com --cert-file /etc/letsencrypt/live/gidc.quovizweb.com/cert.pem --key-file /etc/letsencrypt/live/gidc.quovizweb.com/privkey.pem --fullchain-file /etc/letsencrypt/live/gidc.quovizweb.com/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt --staging --debug

SaJeTek-Developer commented 1 year ago

  1. There are many domains/subdomains on the server, none of which are associated with Cloudflare.
  2. The certificate was successfully issued when running your command.

SaJeTek-Developer commented 1 year ago

Update:

I ran the acme script you gave and got a certificate at 8:14am.

I then proceeded to do the following:

  1. Ex.: Go to https://domain.com:8090/manageSSL/manageSSL.
  2. Ex.: Select gidc.quovizweb.com.
  3. Ex.: Click on "Issue SSL".
  4. Ex.: Track logs via "tail -f /root/.acme.sh/acme.sh.log".

I got the following errors:
https://user-images.githubusercontent.com/8119344/237071715-d37a6d87-f6a3-4408-9053-2acd6cd6a3e8.png
https://user-images.githubusercontent.com/8119344/237071882-33acdffc-d8ef-4846-a26d-db19de81af8e.png

Another certificate was, however, issued at 8:44am. No indication of success was given.

It seems that the main issue is that "Issue Certificate" in the frontend times out because Cloudflare is not used. However: previously (before posting the bug), I would have run "Issue SSL" again because it failed, but acme was already running. Every time I try to reissue a certificate after it gives an error, it just opens another script, each of which runs for approximately 30 minutes and increases the number of attempts to Let's Encrypt, which then blocks the issuance of a certificate for the domain.

I think a simple checkbox to bypass cloudflare/DNS checks would fix the issue from the frontend side as the issue is not pertaining to acme.

packetdog commented 1 year ago

I'm having a related issue, @usmannasir please let me know if you want a separate issue for it. I saw a Facebook post about "Are the 2.3.x SSL issues resolved" and I thought I'd go check one of my sites. It looks like the SSL may have regenerated for domain.com but does not contain a CN designation for www.domain.com. This fails on all of our WordPress sites because the CMS forces the user to www. and the https protocol.

I logged into CyberPanel and reissued it, and it looks to me in the logs that it's not even requesting the www. See scrubbed log attached to this post. [Tue May 16 075905 PM UTC 2023] SSLv2 ISSUE.txt

EDIT: The error in multiple browsers is NET::ERR_CERT_COMMON_NAME_INVALID when I go to https://www.MYDOMAIN.com. Also, reissuing this with the regular Manage SSL (not v2) does issue a certificate, but the same way. This only seems to be affecting one domain so far, others are ok? I don't even know how that's possible, lol.

At this point, this site is effectively offline. Can anyone suggest how to renew this correctly?

Lastly, the VHOST.conf shows the www as an alias at the top:

docRoot $VH_ROOT/public_html
vhDomain $VH_NAME
vhAliases www.$VH_NAME

wayan107 commented 1 year ago

I also have the same issue as @packetdog has: SSL is only issued for domain.com, not the CN www.domain.com. I've followed this tutorial with no success: https://community.cyberpanel.net/t/how-to-fix-ssl-issues-in-cyberpanel/90

Below is what it says in the CyberPanel log:

[05.15.2023_06-45-38] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com -d *.wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cer>
[05.15.2023_06-45-50] Failed to obtain SSL for: wayanbaliweb.com and: www.wayanbaliweb.com
[05.15.2023_06-45-50] Trying to obtain SSL for: wayanbaliweb.com
[05.15.2023_06-45-50] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cert.pem --key-file /etc/>
[05.15.2023_06-45-59] Successfully obtained SSL for: wayanbaliweb.com

If I try to issue SSL from the command line it says _on_issue_success, and below is the log:

[Wed 17 May 2023 09:49:43 AM WITA] Lets find script dir. [Wed 17 May 2023 09:49:43 AM WITA] SCRIPT='/root/.acme.sh/acme.sh' [Wed 17 May 2023 09:49:43 AM WITA] _script='/root/.acme.sh/acme.sh' [Wed 17 May 2023 09:49:43 AM WITA] _script_home='/root/.acme.sh' [Wed 17 May 2023 09:49:43 AM WITA] Using config home:/root/.acme.sh https://github.com/acmesh-official/acme.sh v3.0.6 [Wed 17 May 2023 09:49:43 AM WITA] Running cmd: issue [Wed 17 May 2023 09:49:43 AM WITA] _main_domain='wayanbaliweb.com' [Wed 17 May 2023 09:49:43 AM WITA] _alt_domains='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:43 AM WITA] Using config home:/root/.acme.sh [Wed 17 May 2023 09:49:43 AM WITA] default_acme_server='https://acme-v02.api.letsencrypt.org/directory' [Wed 17 May 2023 09:49:43 AM WITA] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed 17 May 2023 09:49:43 AM WITA] DOMAIN_PATH='/root/.acme.sh/wayanbaliweb.com_ecc' [Wed 17 May 2023 09:49:43 AM WITA] Le_NextRenewTime='1689092313' [Wed 17 May 2023 09:49:43 AM WITA] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory [Wed 17 May 2023 09:49:43 AM WITA] _init api for server: https://acme-v02.api.letsencrypt.org/directory [Wed 17 May 2023 09:49:43 AM WITA] GET [Wed 17 May 2023 09:49:43 AM WITA] url='https://acme-v02.api.letsencrypt.org/directory' [Wed 17 May 2023 09:49:43 AM WITA] timeout= [Wed 17 May 2023 09:49:43 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:44 AM WITA] ret='0' [Wed 17 May 2023 09:49:44 AM WITA] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change' [Wed 17 May 2023 09:49:44 AM WITA] ACME_NEW_AUTHZ [Wed 17 May 2023 09:49:44 AM WITA] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed 17 May 2023 09:49:44 AM WITA] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct' [Wed 17 May 2023 09:49:44 AM WITA] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert' [Wed 17 May 
2023 09:49:44 AM WITA] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf' [Wed 17 May 2023 09:49:44 AM WITA] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed 17 May 2023 09:49:44 AM WITA] Using CA: https://acme-v02.api.letsencrypt.org/directory [Wed 17 May 2023 09:49:44 AM WITA] _on_before_issue [Wed 17 May 2023 09:49:44 AM WITA] _chk_main_domain='wayanbaliweb.com' [Wed 17 May 2023 09:49:44 AM WITA] _chk_alt_domains='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:44 AM WITA] Le_LocalAddress [Wed 17 May 2023 09:49:44 AM WITA] d='wayanbaliweb.com' [Wed 17 May 2023 09:49:44 AM WITA] Check for domain='wayanbaliweb.com' [Wed 17 May 2023 09:49:44 AM WITA] _currentRoot='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:44 AM WITA] d='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:44 AM WITA] Check for domain='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:44 AM WITA] _currentRoot='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:44 AM WITA] d [Wed 17 May 2023 09:49:44 AM WITA] _saved_account_key_hash is not changed, skip register account. 
[Wed 17 May 2023 09:49:44 AM WITA] Read key length:ec-256 [Wed 17 May 2023 09:49:44 AM WITA] _createcsr [Wed 17 May 2023 09:49:45 AM WITA] Multi domain='DNS:wayanbaliweb.com,DNS:www.wayanbaliweb.com' [Wed 17 May 2023 09:49:45 AM WITA] Getting domain auth token for each domain [Wed 17 May 2023 09:49:45 AM WITA] d='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:45 AM WITA] d [Wed 17 May 2023 09:49:45 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed 17 May 2023 09:49:45 AM WITA] payload='{"identifiers": [{"type":"dns","value":"wayanbaliweb.com"},{"type":"dns","value":"www.wayanbaliweb.com"}]}' [Wed 17 May 2023 09:49:45 AM WITA] RSA key [Wed 17 May 2023 09:49:45 AM WITA] HEAD [Wed 17 May 2023 09:49:45 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed 17 May 2023 09:49:45 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g -I ' [Wed 17 May 2023 09:49:46 AM WITA] _ret='0' [Wed 17 May 2023 09:49:46 AM WITA] POST [Wed 17 May 2023 09:49:46 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed 17 May 2023 09:49:46 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:47 AM WITA] _ret='0' [Wed 17 May 2023 09:49:47 AM WITA] code='201' [Wed 17 May 2023 09:49:47 AM WITA] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/740158687/182659208097' [Wed 17 May 2023 09:49:47 AM WITA] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/740158687/182659208097' [Wed 17 May 2023 09:49:47 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/228451229207' [Wed 17 May 2023 09:49:47 AM WITA] payload [Wed 17 May 2023 09:49:47 AM WITA] POST [Wed 17 May 2023 09:49:47 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/228451229207' [Wed 17 May 2023 09:49:47 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:48 AM WITA] _ret='0' [Wed 17 May 
2023 09:49:48 AM WITA] code='200' [Wed 17 May 2023 09:49:48 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/228451229217' [Wed 17 May 2023 09:49:48 AM WITA] payload [Wed 17 May 2023 09:49:48 AM WITA] POST [Wed 17 May 2023 09:49:48 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/228451229217' [Wed 17 May 2023 09:49:48 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:49 AM WITA] _ret='0' [Wed 17 May 2023 09:49:49 AM WITA] code='200' [Wed 17 May 2023 09:49:49 AM WITA] d='wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] Getting webroot for domain='wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] _w='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] _currentRoot='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw","token":"5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8"' [Wed 17 May 2023 09:49:49 AM WITA] token='5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8' [Wed 17 May 2023 09:49:49 AM WITA] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw' [Wed 17 May 2023 09:49:49 AM WITA] keyauthorization='5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0' [Wed 17 May 2023 09:49:49 AM WITA] dvlist='wayanbaliweb.com#5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0#https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw#http-01#/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] d='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] Getting webroot for domain='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] _w='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] _currentRoot='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] 
entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g","token":"5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60"' [Wed 17 May 2023 09:49:49 AM WITA] token='5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60' [Wed 17 May 2023 09:49:49 AM WITA] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g' [Wed 17 May 2023 09:49:49 AM WITA] keyauthorization='5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0' [Wed 17 May 2023 09:49:49 AM WITA] dvlist='www.wayanbaliweb.com#5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0#https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g#http-01#/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] d [Wed 17 May 2023 09:49:49 AM WITA] vlist='wayanbaliweb.com#5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0#https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw#http-01#/usr/local/lsws/Example/html,www.wayanbaliweb.com#5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0#https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g#http-01#/usr/local/lsws/Example/html,' [Wed 17 May 2023 09:49:49 AM WITA] d='wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] d='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] ok, let's start to verify [Wed 17 May 2023 09:49:49 AM WITA] Verifying: wayanbaliweb.com [Wed 17 May 2023 09:49:49 AM WITA] d='wayanbaliweb.com' [Wed 17 May 2023 09:49:49 AM WITA] keyauthorization='5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0' [Wed 17 May 2023 09:49:49 AM WITA] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw' [Wed 17 May 2023 09:49:49 AM WITA] _currentRoot='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:49 AM WITA] 
wellknown_path='/usr/local/lsws/Example/html/.well-known/acme-challenge' [Wed 17 May 2023 09:49:49 AM WITA] writing token:5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8 to /usr/local/lsws/Example/html/.well-known/acme-challenge/5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8 [Wed 17 May 2023 09:49:49 AM WITA] Changing owner/group of .well-known to root:root [Wed 17 May 2023 09:49:49 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw' [Wed 17 May 2023 09:49:49 AM WITA] payload='{}' [Wed 17 May 2023 09:49:49 AM WITA] POST [Wed 17 May 2023 09:49:49 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw' [Wed 17 May 2023 09:49:49 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:50 AM WITA] _ret='0' [Wed 17 May 2023 09:49:50 AM WITA] code='200' [Wed 17 May 2023 09:49:50 AM WITA] trigger validation code: 200 [Wed 17 May 2023 09:49:50 AM WITA] Pending, The CA is processing your order, please just wait. 
(1/30) [Wed 17 May 2023 09:49:50 AM WITA] sleep 2 secs to verify again [Wed 17 May 2023 09:49:53 AM WITA] checking [Wed 17 May 2023 09:49:53 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw' [Wed 17 May 2023 09:49:53 AM WITA] payload [Wed 17 May 2023 09:49:53 AM WITA] POST [Wed 17 May 2023 09:49:53 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229207/Zao5lw' [Wed 17 May 2023 09:49:53 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:54 AM WITA] _ret='0' [Wed 17 May 2023 09:49:54 AM WITA] code='200' [Wed 17 May 2023 09:49:54 AM WITA] Success [Wed 17 May 2023 09:49:54 AM WITA] pid [Wed 17 May 2023 09:49:54 AM WITA] Debugging, skip removing: /usr/local/lsws/Example/html/.well-known/acme-challenge/5QjJ_yxLD47mgjattHCB3Ae1euqaP3QTV3dn2C2Wzy8 [Wed 17 May 2023 09:49:54 AM WITA] Verifying: www.wayanbaliweb.com [Wed 17 May 2023 09:49:54 AM WITA] d='www.wayanbaliweb.com' [Wed 17 May 2023 09:49:54 AM WITA] keyauthorization='5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60.ESvmZQCgraNNh8otPiUnBpS5CQGY6896hEPd12i6ot0' [Wed 17 May 2023 09:49:54 AM WITA] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g' [Wed 17 May 2023 09:49:54 AM WITA] _currentRoot='/usr/local/lsws/Example/html' [Wed 17 May 2023 09:49:54 AM WITA] wellknown_path='/usr/local/lsws/Example/html/.well-known/acme-challenge' [Wed 17 May 2023 09:49:54 AM WITA] writing token:5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60 to /usr/local/lsws/Example/html/.well-known/acme-challenge/5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60 [Wed 17 May 2023 09:49:54 AM WITA] Changing owner/group of .well-known to root:root [Wed 17 May 2023 09:49:54 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g' [Wed 17 May 2023 09:49:54 AM WITA] payload='{}' [Wed 17 May 2023 09:49:54 AM WITA] POST [Wed 17 May 2023 09:49:54 AM WITA] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g' [Wed 17 May 2023 09:49:54 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:55 AM WITA] _ret='0' [Wed 17 May 2023 09:49:55 AM WITA] code='200' [Wed 17 May 2023 09:49:55 AM WITA] trigger validation code: 200 [Wed 17 May 2023 09:49:55 AM WITA] Pending, The CA is processing your order, please just wait. (1/30) [Wed 17 May 2023 09:49:55 AM WITA] sleep 2 secs to verify again [Wed 17 May 2023 09:49:58 AM WITA] checking [Wed 17 May 2023 09:49:58 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g' [Wed 17 May 2023 09:49:58 AM WITA] payload [Wed 17 May 2023 09:49:58 AM WITA] POST [Wed 17 May 2023 09:49:58 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/228451229217/AT2O9g' [Wed 17 May 2023 09:49:58 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:49:59 AM WITA] _ret='0' [Wed 17 May 2023 09:49:59 AM WITA] code='200' [Wed 17 May 2023 09:49:59 AM WITA] Success [Wed 17 May 2023 09:49:59 AM WITA] pid [Wed 17 May 2023 09:49:59 AM WITA] Debugging, skip removing: /usr/local/lsws/Example/html/.well-known/acme-challenge/5J7kyyUfmNtj-AQefjZFnI9Nkr1qJGiOtXUfP2drR60 [Wed 17 May 2023 09:49:59 AM WITA] pid [Wed 17 May 2023 09:49:59 AM WITA] No need to restore nginx, skip. [Wed 17 May 2023 09:49:59 AM WITA] _clearupdns [Wed 17 May 2023 09:49:59 AM WITA] dns_entries [Wed 17 May 2023 09:49:59 AM WITA] skip dns. [Wed 17 May 2023 09:49:59 AM WITA] Verify finished, start to sign. [Wed 17 May 2023 09:49:59 AM WITA] i='2' [Wed 17 May 2023 09:49:59 AM WITA] j='8' [Wed 17 May 2023 09:49:59 AM WITA] Lets finalize the order. 
[Wed 17 May 2023 09:49:59 AM WITA] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/740158687/182659208097' [Wed 17 May 2023 09:49:59 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/finalize/740158687/182659208097' [Wed 17 May 2023 09:49:59 AM WITA] payload='{"csr": "MIIBOTCB4AIBADAbMRkwFwYDVQQDDBB3YXlhbmJhbGl3ZWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExGHil3D6JPtg0MMoh3Cjs_jjc0EI3S7kyZWGACGviv8HrvjjoiLp1M6uQSpKmHBn68E_m-FRHMA2Wt_MCtKTVqBjMGEGCSqGSIb3DQEJDjFUMFIwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDEGA1UdEQQqMCiCEHdheWFuYmFsaXdlYi5jb22CFHd3dy53YXlhbmJhbGl3ZWIuY29tMAoGCCqGSM49BAMCA0gAMEUCICNH-YP7_pCWqY6me9jYkQ_dv_xa0gC5avMEWfeMWKx9AiEAioJi3jZESoymp61Hf0yEHKyOR0UQrDHW2weraOEOLRE"}' [Wed 17 May 2023 09:49:59 AM WITA] POST [Wed 17 May 2023 09:49:59 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/740158687/182659208097' [Wed 17 May 2023 09:49:59 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:50:01 AM WITA] _ret='0' [Wed 17 May 2023 09:50:01 AM WITA] code='200' [Wed 17 May 2023 09:50:01 AM WITA] Order status is valid. [Wed 17 May 2023 09:50:01 AM WITA] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/045106b178a6a2ece0ebd3a36c63c28c303d' [Wed 17 May 2023 09:50:01 AM WITA] Downloading cert. 
[Wed 17 May 2023 09:50:01 AM WITA] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/045106b178a6a2ece0ebd3a36c63c28c303d' [Wed 17 May 2023 09:50:01 AM WITA] url='https://acme-v02.api.letsencrypt.org/acme/cert/045106b178a6a2ece0ebd3a36c63c28c303d' [Wed 17 May 2023 09:50:01 AM WITA] payload [Wed 17 May 2023 09:50:01 AM WITA] POST [Wed 17 May 2023 09:50:01 AM WITA] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/045106b178a6a2ece0ebd3a36c63c28c303d' [Wed 17 May 2023 09:50:01 AM WITA] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g ' [Wed 17 May 2023 09:50:02 AM WITA] _ret='0' [Wed 17 May 2023 09:50:02 AM WITA] code='200' [Wed 17 May 2023 09:50:02 AM WITA] Found cert chain [Wed 17 May 2023 09:50:02 AM WITA] _end_n='26'

[Wed 17 May 2023 09:50:02 AM WITA] Your cert is in: /root/.acme.sh/wayanbaliweb.com_ecc/wayanbaliweb.com.cer [Wed 17 May 2023 09:50:02 AM WITA] Your cert key is in: /root/.acme.sh/wayanbaliweb.com_ecc/wayanbaliweb.com.key [Wed 17 May 2023 09:50:02 AM WITA] The intermediate CA cert is in: /root/.acme.sh/wayanbaliweb.com_ecc/ca.cer [Wed 17 May 2023 09:50:02 AM WITA] And the full chain certs is there: /root/.acme.sh/wayanbaliweb.com_ecc/fullchain.cer [Wed 17 May 2023 09:50:02 AM WITA] Installing cert to: /etc/letsencrypt/live/wayanbaliweb.com/cert.pem [Wed 17 May 2023 09:50:02 AM WITA] Installing key to: /etc/letsencrypt/live/wayanbaliweb.com/privkey.pem [Wed 17 May 2023 09:50:02 AM WITA] Installing full chain to: /etc/letsencrypt/live/wayanbaliweb.com/fullchain.pem [Wed 17 May 2023 09:50:02 AM WITA] _on_issue_success

packetdog commented 1 year ago

[05.15.2023_06-45-38] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com -d *.wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cer>

It looks to me like yours is trying to issue for domain.com and *.domain.com, which I think is incorrect syntax. cPanel issues separate SSL for each sub domain. Not sure how Webuzo handled this... Why do I need wildcard SSL certs? I don't see the use case for this.

I'm pretty sure I can figure out the acme.sh command to run to reissue the corrected SSL.. anyone know how to get it into OLS?

Thanks, -pd

usmannasir commented 1 year ago

Steps to get SSL

  1. Get SSL from Cloudflare if the key is there (skipped if not used) - wildcard SSL, www included.
  2. Get SSL from local CyberPanel DNS (skipped if local DNS is not used) - wildcard SSL, www included.
  3. If 1 and 2 fail, it falls back to the old SSL system, which only issues SSL for www.domain.com and domain.com.

But I can't see anyone sharing CyberPanel main logs.

packetdog commented 1 year ago

I was able to get the site working by running the following command, with changes in bold, and restarting OLS:

/root/.acme.sh/acme.sh --issue -d MYDOMAIN.com -d www.MYDOMAIN.com --cert-file /etc/letsencrypt/live/MYDOMAIN.com/cert.pem --key-file /etc/letsencrypt/live/MYDOMAIN.com/privkey.pem --fullchain-file /etc/letsencrypt/live/MYDOMAIN.com/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt

But I can't see anyone sharing CyberPanel main logs.

I think this is the relevant log entry for this issue. The domain is trying to obtain a wildcard cert incorrectly as far as I know. I don't think you can specify MYDOMAIN.com AND *.MYDOMAIN.com. I think it's one or the other.

[05.16.2023_19-59-03] /root/.acme.sh/acme.sh --issue -d MYDOMAIN.com -d *.MYDOMAIN.com --cert-file /etc/letsencrypt/live/MYDOMAIN.com/cert.pem --key-file /etc/letsencrypt/live/MYDOMAIN.com/privkey.pem --fullchain-file /etc/letsencrypt/live/MYDOMAIN.com/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.16.2023_19-59-05] Failed to obtain SSL for: MYDOMAIN.com and: www.MYDOMAIN.com
[05.16.2023_19-59-05] Trying to obtain SSL for: MYDOMAIN.com
[05.16.2023_19-59-05] /root/.acme.sh/acme.sh --issue -d MYDOMAIN.com --cert-file /etc/letsencrypt/live/MYDOMAIN.com/cert.pem --key-file /etc/letsencrypt/live/MYDOMAIN.com/privkey.pem --fullchain-file /etc/letsencrypt/live/MYDOMAIN.com/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.16.2023_19-59-18] Successfully obtained SSL for: MYDOMAIN.com

EDIT: Also, we don't need/want wildcard domains; this seems to have been added in an update. Having a cert with the main domain and the www domain together is fine. We're not using email on the host at all, so maybe that's what you're trying to solve for; I see that separate certs are being issued for mail.MYDOMAIN.com, which we aren't using.

Thanks, -pd
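The log excerpts in this thread all show the same shape: an acme.sh attempt for DOMAIN plus *.DOMAIN, a "Failed to obtain SSL for: DOMAIN and: www.DOMAIN" line, and then a fallback attempt that requests DOMAIN alone and succeeds, which leaves www uncovered. The script below is an added example (not CyberPanel's or acme.sh's code) that parses CyberPanel main-log lines in the "[MM.DD.YYYY_HH-MM-SS] message" format quoted above, reconstructs which names each successful attempt actually requested, and flags domains whose final certificate cannot cover www. It also carries a small SAN matcher so the same check works for wildcard certificates. The log lines and domains in SAMPLE_LOG are constructed placeholders, not taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the "[MM.DD.YYYY_HH-MM-SS] message" format of the CyberPanel
# main log quoted in this thread; all domains are placeholders.
SAMPLE_LOG = """\
[05.16.2023_19-59-03] /root/.acme.sh/acme.sh --issue -d example.com -d *.example.com --cert-file /etc/letsencrypt/live/example.com/cert.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.16.2023_19-59-05] Failed to obtain SSL for: example.com and: www.example.com
[05.16.2023_19-59-05] Trying to obtain SSL for: example.com
[05.16.2023_19-59-05] /root/.acme.sh/acme.sh --issue -d example.com --cert-file /etc/letsencrypt/live/example.com/cert.pem -k ec-256 --force --server letsencrypt
[05.16.2023_19-59-18] Successfully obtained SSL for: example.com
[05.17.2023_08-10-01] /root/.acme.sh/acme.sh --issue -d shop.example.net -d www.shop.example.net --cert-file /etc/letsencrypt/live/shop.example.net/cert.pem -k ec-256 --force --server letsencrypt
[05.17.2023_08-10-20] Successfully obtained SSL for: shop.example.net
[05.18.2023_11-02-40] /root/.acme.sh/acme.sh --issue -d blog.example.org -d *.blog.example.org --cert-file /etc/letsencrypt/live/blog.example.org/cert.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.18.2023_11-03-05] Successfully obtained SSL for: blog.example.org
"""

LINE_RE = re.compile(r"^\[\d{2}\.\d{2}\.\d{4}_\d{2}-\d{2}-\d{2}\] (?P<msg>.*)$")
ISSUE_RE = re.compile(r"acme\.sh --issue (?P<args>.*)$")
FAILED_RE = re.compile(r"^Failed to obtain SSL for: (?P<main>\S+) and: \S+$")
SUCCESS_RE = re.compile(r"^Successfully obtained SSL for: (?P<main>\S+)$")


def requested_names(args: str) -> List[str]:
    """Every identifier passed with -d on an acme.sh --issue command line.
    The lookbehind keeps '--dns dns_pdns' from being read as a -d option."""
    return re.findall(r"(?<!\S)-d (\S+)", args)


def san_covers(san: str, hostname: str) -> bool:
    """True if one dNSName SAN covers hostname. A wildcard matches exactly one
    leftmost label (RFC 6125 s6.4.3): *.example.com covers www.example.com but
    neither example.com itself nor a.b.example.com."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == san[2:]
    return san == hostname


def analyse(log_text: str) -> Dict[str, dict]:
    """Pair each 'acme.sh --issue' line with the outcome line that follows it.
    A successful attempt yields a certificate carrying exactly the names that
    attempt requested, so those names are treated as the SAN set. The report
    lists which of {domain, www.domain} that SAN set cannot cover and whether
    the panel first fell back from a failed wildcard/DNS attempt."""
    report: Dict[str, dict] = {}
    pending: List[str] = []   # names requested by the most recent --issue line
    fell_back = set()         # domains that produced a 'Failed to obtain' line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        mi = ISSUE_RE.search(msg)
        if mi:
            pending = requested_names(mi.group("args"))
            continue
        mf = FAILED_RE.match(msg)
        if mf:
            fell_back.add(mf.group("main"))
            continue
        ms = SUCCESS_RE.match(msg)
        if ms and pending and pending[0] == ms.group("main"):
            main = ms.group("main")
            wanted = [main, "www." + main]
            report[main] = {
                "sans": list(pending),
                "uncovered": [h for h in wanted
                              if not any(san_covers(s, h) for s in pending)],
                "fell_back": main in fell_back,
            }
            pending = []
    return report


def main() -> None:
    for domain, info in analyse(SAMPLE_LOG).items():
        status = "OK" if not info["uncovered"] else "MISSING " + ", ".join(info["uncovered"])
        print(f"{domain}: SANs={info['sans']} fell_back={info['fell_back']} -> {status}")


if __name__ == "__main__":
    main()
```

Run it against a real CyberPanel main log by passing the file's contents to analyse(). Because the "Successfully obtained" line only names the primary domain, confirm the script's verdict against the installed certificate itself with `openssl x509 -in /etc/letsencrypt/live/DOMAIN/fullchain.pem -noout -ext subjectAltName` before deciding to reissue; repeated --force reissues count against Let's Encrypt rate limits, as noted earlier in the thread.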

SaJeTek-Developer commented 1 year ago

But I can't see anyone sharing CyberPanel main logs.

I've shared my logs above.

cagivacode commented 1 year ago

I just checked and none of my domains have any SANs (no www). They were all updated after the latest commit.

I have wondered why CP does not use SANs for the mail domains as well.

I also prefer not to have wildcard certs, but a cert with SANs (example.com, www.example.com, mail.example.com, webmail.example.com) would be very useful.

wayan107 commented 1 year ago

@usmannasir I've shared my CyberPanel main log as well above, and here I share it again:

[05.15.2023_06-45-38] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com -d *.wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cer>
[05.15.2023_06-45-50] Failed to obtain SSL for: wayanbaliweb.com and: www.wayanbaliweb.com
[05.15.2023_06-45-50] Trying to obtain SSL for: wayanbaliweb.com
[05.15.2023_06-45-50] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cert.pem --key-file /etc/>
[05.15.2023_06-45-59] Successfully obtained SSL for: wayanbaliweb.com

Please let me know any logs you need to be able to fix this issue.

usmannasir commented 1 year ago

[05.15.2023_06-45-59] Successfully obtained SSL for: wayanbaliweb.com

@usmannasir I've shared my CyberPanel main log as well above, and here I share it again:

[05.15.2023_06-45-38] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com -d *.wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cer>
[05.15.2023_06-45-50] Failed to obtain SSL for: wayanbaliweb.com and: www.wayanbaliweb.com
[05.15.2023_06-45-50] Trying to obtain SSL for: wayanbaliweb.com
[05.15.2023_06-45-50] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cert.pem --key-file /etc/>
[05.15.2023_06-45-59] Successfully obtained SSL for: wayanbaliweb.com

Please let me know any logs you need to be able to fix this issue.

Looks like SSL was successful for wayanbaliweb.com; does www.wayanbaliweb.com also point to your server?

wayan107 commented 1 year ago

[05.15.2023_06-45-59] Successfully obtained SSL for: wayanbaliweb.com

@usmannasir I've shared my CyberPanel main log as well above, and here I share it again:

[05.15.2023_06-45-38] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com -d *.wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cer>
[05.15.2023_06-45-50] Failed to obtain SSL for: wayanbaliweb.com and: www.wayanbaliweb.com
[05.15.2023_06-45-50] Trying to obtain SSL for: wayanbaliweb.com
[05.15.2023_06-45-50] /root/.acme.sh/acme.sh --issue -d wayanbaliweb.com --cert-file /etc/letsencrypt/live/wayanbaliweb.com/cert.pem --key-file /etc/>
[05.15.2023_06-45-59] Successfully obtained SSL for: wayanbaliweb.com

Please let me know any logs you need to be able to fix this issue.

Looks like SSL was successful for wayanbaliweb.com; does www.wayanbaliweb.com also point to your server?

SSL was only issued for wayanbaliweb.com, but for the CN www it failed. Yes, www.wayanbaliweb.com also points to the same server IP as wayanbaliweb.com. Please note that this issue does not only happen to this specific domain, but to all domains on my CyberPanel server that have a CN www. I'm 100% sure that all those www CNs point to the correct IP, because before the update to CP 2.3.4 I didn't have this issue with SSL.

usmannasir commented 1 year ago

Please check this, issued just before the comment: https://www.sslshopper.com/ssl-checker.html#hostname=almaapache.cyberpanel.net

wayan107 commented 1 year ago

Please check this, issued just before the comment: https://www.sslshopper.com/ssl-checker.html#hostname=almaapache.cyberpanel.net

I did the check and www.wayanbaliweb.com was not in the SANs, but now it is. Can you please explain what happened? I didn't make any change; did you do something?

I just tried to issue SSL for another domain (eeriejewelry.com), and SSL for the CN www still failed. Below is the CyberPanel main log:

[05.19.2023_09-07-03] /root/.acme.sh/acme.sh --issue -d eeriejewelry.com -d *.eeriejewelry.com --cert-file /etc/letsencrypt/live/eeriejewelry.com/cert.pem --key-file /etc/letsencrypt/live/eeriejewelry.com/privkey.pem --fullchain-file /etc/letsencrypt/live/eeriejewelry.com/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.19.2023_09-07-03] [Errno 2] No such file or directory: '/home/cyberpanel/adminEmail'
[05.19.2023_09-07-10] Failed to obtain SSL for: eeriejewelry.com and: www.eeriejewelry.com
[05.19.2023_09-07-10] [Errno 2] No such file or directory: '/home/cyberpanel/adminEmail'
[05.19.2023_09-07-10] Trying to obtain SSL for: eeriejewelry.com
[05.19.2023_09-07-10] [Errno 2] No such file or directory: '/home/cyberpanel/adminEmail'
[05.19.2023_09-07-10] /root/.acme.sh/acme.sh --issue -d eeriejewelry.com --cert-file /etc/letsencrypt/live/eeriejewelry.com/cert.pem --key-file /etc/letsencrypt/live/eeriejewelry.com/privkey.pem --fullchain-file /etc/letsencrypt/live/eeriejewelry.com/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.19.2023_09-07-10] [Errno 2] No such file or directory: '/home/cyberpanel/adminEmail'
[05.19.2023_09-07-17] Successfully obtained SSL for: eeriejewelry.com

packetdog commented 1 year ago

I wanted to write in again because this issue still seems to be happening on our server. Here's a recap from above, I manually installed SSL certs with acme.sh commands on 2023/05/16:

I was able to get the site working by running the following command, with changes in bold, and restarting OLS:

/root/.acme.sh/acme.sh --issue -d MYDOMAIN.com -d www.MYDOMAIN.com --cert-file /etc/letsencrypt/live/MYDOMAIN.com/cert.pem --key-file /etc/letsencrypt/live/MYDOMAIN.com/privkey.pem --fullchain-file /etc/letsencrypt/live/MYDOMAIN.com/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt

Following that, I was up and running. Guess what? SSL was reissued for MYDOMAIN.com without the WWW CN in the certificate. This was approximately 3 days after I ran these manual commands. SO, the site is showing as insecure again. Note: This only seems to be happening with one site that I can tell, and I'm not sure why. The other sites are not renewing the SSL (which is correct, they're not due) so I presume that if I forced one of them to renew it would renew incorrectly. Not sure. I really don't want to try it and break other sites.

Next, I heard that the reissuance issue was fixed in the 'latest update' on Facebook, so I ran the update script and specified 2.3.4 and restarted the server. So IF the 'too early issuance' bug was fixed, then that might be a non-issue.

After the update, I went into IssueSSL (v1?) and issued a new cert, and it's still without the www common name. So this issue still seems to persist even with getting the latest update to 2.3.4. I will be running the manual acme.sh commands again today Sunday 2023/05/21 to correct this issue, but I don't expect it to stay put.

Please let me know if I should be specifying 2.3.5-dev as the update option to receive the latest commits? Cheers.

philipostling commented 1 year ago

I'm having issues with www.MYDOMAIN.xx as well.

From MAIN log:

[05.23.2023_06-33-13] https://api.github.com/repos/usmannasir/cyberpanel/commits?sha=v2.3.4
[05.23.2023_06-48-30] /root/.acme.sh/acme.sh --issue -d MYDOMAIN.se -d *.MYDOMAIN.se --cert-file /etc/letsencrypt/live/MYDOMAIN.se/cert.pem --key-file /etc/letsencrypt/live/MYDOMAIN.se/privkey.pem --fullchain-file /etc/letsencrypt/live/MYDOMAIN.se/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.23.2023_06-48-35] Failed to obtain SSL for: MYDOMAIN.se and: www.MYDOMAIN.se
[05.23.2023_06-48-35] Trying to obtain SSL for: MYDOMAIN.se
[05.23.2023_06-48-35] /root/.acme.sh/acme.sh --issue -d MYDOMAIN.se --cert-file /etc/letsencrypt/live/MYDOMAIN.se/cert.pem --key-file /etc/letsencrypt/live/MYDOMAIN.se/privkey.pem --fullchain-file /etc/letsencrypt/live/MYDOMAIN.se/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.23.2023_06-48-40] Successfully obtained SSL for: MYDOMAIN.se

(Replaced the actual domain name with MYDOMAIN for privacy reasons, but I can confirm that both MYDOMAIN.se and www.MYDOMAIN.se point to the correct IP.)

Everything worked fine for over a year prior to the latest updates of 2.3.4 (no changes have been made to the site or DNS).

Arachnid84 commented 1 year ago

I also have the same issue with one of my websites, as well as some of the mail domains (not in use) that were created while updating to 2.3.4.

As I can see in the output of the cyberpanel main log file, the scriptlet invoking the acme.sh script is being passed a -d parameter for *. instead of the expected www.

[05.27.2023_22-01-25] Websites matching query does not exist. [installSSLForDomain:72]
[05.27.2023_22-01-32] /root/.acme.sh/acme.sh --issue -d mail.sigsavvy.nl -d *.mail.sigsavvy.nl --cert-file /etc/letsencrypt/live/mail.sigsavvy.nl/cert.pem --key-file /etc/letsencrypt/live/mail.sigsavvy.nl/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.sigsavvy.nl/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.27.2023_22-01-37] Failed to obtain SSL for: mail.sigsavvy.nl and: www.mail.sigsavvy.nl
[05.27.2023_22-01-37] Trying to obtain SSL for: mail.sigsavvy.nl
[05.27.2023_22-01-37] /root/.acme.sh/acme.sh --issue -d mail.sigsavvy.nl --cert-file /etc/letsencrypt/live/mail.sigsavvy.nl/cert.pem --key-file /etc/letsencrypt/live/mail.sigsavvy.nl/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.sigsavvy.nl/fullchain.pem --dns dns_pdns -k ec-256 --force --server letsencrypt
[05.27.2023_22-01-43] Successfully obtained SSL for: mail.sigsavvy.nl

Manually invoking the acme.sh script from the ssh console, replacing the *. by www. and restarting the openlitespeed services from the control panel seems to be a workaround. Not sure if it will hold when the next rollover interval hits though.

Arachnid84 commented 1 year ago

Just to add my 5 cents: going through the code invoking the acme.sh script, it somehow appears that for some sites the sslv2 is being invoked instead of the old ssl module, which should have been used as I don't have the sslv2 module.

shbs9 commented 1 year ago

I just checked with the new server and reproduced a few cases: pointed a domain, issued SSL at domain deploy time, then without DNS issued SSL after deploying from Manage SSL; all working well. If someone still has an issue please open a ticket so we can check.

SaJeTek-Developer commented 1 year ago

I have upgraded to the latest commit this morning and the issue is still ongoing.

When SSL v2 fires first, it's trying to get a wildcard certificate (NONE of my domains has been associated with cloudflare nor do I have any DNS setup on my server), the problem is that the acme script is stuck retrying over and over and over to get a wildcard certificate which it never does or never will get because I have no association with cloudflare.

This means that the fallback to SSL v1 never really fires because acme.sh is stuck trying to get a wildcard certificate. When you run ps ax|grep acme this shows that the wildcard process is still running way after the error in the UI and console as initially stated above https://github.com/usmannasir/cyberpanel/issues/1063#issuecomment-1539945355

If I manually kill the acme script that's trying to get the wildcard certificate early enough, then SSL v1 fires and I get a certificate.

However: this should never be the case where I have to manually get involved in order to get a certificate.

Secondly: If I do not kill the process, then SSL v1 fires but it actually does not execute because when you check acme logs, it's still processing for the wildcard certificate so it's still waiting to be executed.


Eventually, when the wildcard stops checking, SSL v1 issues and this is approximately 1hr after first initiating the SSL issue.

packetdog commented 1 year ago

I would think we should have the option to switch or toggle certain sites (domains) to SSLv2 with wildcard support if we want to, otherwise we should be able to elect to stay on SSLv1 and have all of our subdomains passed to acme.sh. I personally prefer MYDOMAIN.com with a -d www.MYDOMAIN.com over any wildcard certificates.

The site I was having issues with has not auto-renewed since I updated to the latest commit, which is good; the 2-week renewal issue seems to have resolved. When it renews, I suspect it will have an issue because it's incorrect to specify -d *.MYDOMAIN.com in acme.sh. So, this has been semi-stable since 2023/05/21 at least.

Deooz commented 1 year ago

From what I've noticed in the discussion, everyone is focusing on the wildcard, and there's little talk about the validation methods required by the certification authority (in this case Let's Encrypt) to verify that you own the domain and can effectively issue the certificate. Right now, it seems that 2 different scripts coexist in CyberPanel; one manual and one automatic.

In the first script (the manual one; when you click on apply SSL), it requests an SSL certificate for your domain and all its subdomains (*) and uses dns_pdns as a validation method, which means it is using PowerDNS to test domain ownership. This makes me think that when the script was made, it was thought to work within the CyberPanel ecosystem since, as far as I know, CP uses PowerDNS to provide a DNS management service. It would make sense that the validation does not pass if you manage your DNS records outside of CyberPanel, for example, in CloudFlare or your domain provider. Although it's not ideal, if you use CloudFlare, you can use from your SSH terminal:

export CF_Key="your_Cloudflare_API_key"
export CF_Email="your_Cloudflare_email"

This will add environment variables for acme.sh to interact with your DNS records on CloudFlare and complete the validation without further difficulty.

In the second command, (the one that fires automatically), it requests a certificate only for the root version of the domain and the www version and uses an HTTP validation, denoted by -w /usr/local/lsws/Example/html.

So we have 2 different validation methods. In the first, you use dns_pdns as a DNS validation method to test domain ownership. In the second, you're using HTTP validation, meaning you're using the web server at that location to serve the validation files.

The reason the second command works better must be because HTTP validation is less prone to errors than DNS validation. DNS validation can fail if DNS records don't propagate fast enough, or if there are configuration issues with the DNS server.

It might be a good idea to be able to choose the method to use when issuing an SSL, and allow the user to enter the domain (and multi-level subdomain) for which they wish to apply SSL as well as their validation methods.
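As an added example (not CyberPanel's or acme.sh's own code), a small Python audit that walks CyberPanel main-log entries of the shape quoted in this thread, extracts the -d names and the validation method from each acme.sh invocation, and flags the two symptoms discussed here: a wildcard request validated through dns_pdns, and a fallback issuance whose name list no longer contains www. The log text, domain names and function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the CyberPanel main-log entries quoted in this
# thread (records run together on one line, as on the page); domains are placeholders.
SAMPLE_LOG = (
    "[05.23.2023_06-48-30] /root/.acme.sh/acme.sh --issue -d example.se -d *.example.se "
    "--cert-file /etc/letsencrypt/live/example.se/cert.pem --dns dns_pdns -k ec-256 --force --server letsencrypt "
    "[05.23.2023_06-48-35] Failed to obtain SSL for: example.se and: www.example.se "
    "[05.23.2023_06-48-35] Trying to obtain SSL for: example.se "
    "[05.23.2023_06-48-35] /root/.acme.sh/acme.sh --issue -d example.se "
    "--cert-file /etc/letsencrypt/live/example.se/cert.pem --dns dns_pdns -k ec-256 --force --server letsencrypt "
    "[05.23.2023_06-48-40] Successfully obtained SSL for: example.se"
)

# One record per "[MM.DD.YYYY_HH-MM-SS] message" pair; the lookahead stops at the next timestamp.
ENTRY_RE = re.compile(
    r"\[(\d{2}\.\d{2}\.\d{4}_\d{2}-\d{2}-\d{2})\]\s*(.*?)(?=\s*\[\d{2}\.\d{2}\.\d{4}_\d{2}-\d{2}-\d{2}\]|\Z)",
    re.S,
)

def split_entries(text):
    """Return [(timestamp, message), ...] from a run-together main log."""
    return [(ts, msg.strip()) for ts, msg in ENTRY_RE.findall(text)]

def parse_acme_call(msg):
    """Extract requested names and validation method from an acme.sh --issue line, else None."""
    if "acme.sh --issue" not in msg:
        return None
    names = re.findall(r"(?:^|\s)-d\s+(\S+)", msg)          # "-d" only, never "--dns"
    dns = re.search(r"--dns\s+(\S+)", msg)                   # DNS-01 via an acme.sh dns hook
    webroot = re.search(r"(?:^|\s)-w\s+(\S+)", msg)          # HTTP-01 via a webroot
    method = f"dns:{dns.group(1)}" if dns else (f"http:{webroot.group(1)}" if webroot else "unknown")
    return {"names": names, "method": method}

def audit_log(text):
    """Flag wildcard-over-DNS attempts and fallback issuances that dropped the www name."""
    findings = []
    for ts, msg in split_entries(text):
        call = parse_acme_call(msg)
        if not call:
            continue
        base = call["names"][0]
        www = f"www.{base}"
        if any(n.startswith("*.") for n in call["names"]) and call["method"].startswith("dns:"):
            findings.append((ts, f"wildcard requested via {call['method']}; {www} only covered if DNS validation succeeds"))
        elif www not in call["names"]:
            findings.append((ts, f"issuance for {base} omits {www}"))
    return findings
```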

SaJeTek-Developer commented 1 year ago

I did specify that I do NOT use cloudflare, nor do I use or have ever used CP DNS. I've always used the http authentication. The problem is that the DNS authentication takes very long to fail before reverting to http authentication; in my test, it was approximately 1hr before it switched back to http authentication. Yes, some have spoken about the wildcard as this is new in SSL v2, which should also be something with a toggle, because I know that wildcard certificates require DNS auth but not everyone requires or prefers that.

This DNS authentication is new with SSL v2 which I have no need for but CP uses it as priority before falling back to http based authentication i.e. SSL v1.

As suggested before a simple toggle would fix all issues where one can specify that they want to use DNS auth, wildcards or just a simple http auth which is what I use exclusively.

Waiting an hour to fall back to SSL v1 is horrendous, much less UX-acceptable. I've had to manually run acme to get my certificates and helped others to get their certificates manually as well.

packetdog commented 1 year ago

The reason the second command works better must be because HTTP validation is less prone to errors than DNS validation. DNS validation can fail if DNS records don't propagate fast enough, or if there are configuration issues with the DNS server.

I agree with everything @Deooz said, and also IT'S A FRICKING WEB SERVER! Why the hell wouldn't we use http validation?! Jeez.