cPanel AutoSSL via Comodo FIX suggestion
Posted: 14 Aug 2018, 12:32
I just recently switched cPanel AutoSSL provider from "Let's Encrypt" to cPanel via Comodo.
The SSL cert requests stayed in queue for an excessive time, and I wound up logging a paid support request with cPanel.
It was discovered that the DCV was failing, and thus blocking cert delivery, either 1) because I had a number of the remote domain "query from" addresses (Russia, China, Turkey, et al.) blocked, OR 2) because I had one or more of the following blocked:
178.255.81.12
178.255.81.13
91.199.212.132
199.66.201.132
On further investigation, I discovered that the fine folks at ConfigServer HAD in fact created:
cpanel.comodo.allow: with rules to ALLOW Port 80 and Port 443
cpanel.comodo.ignore: with those 4 IP addresses
AND added include statements for those two files in csf.allow and csf.ignore.
Which is awesome!!!
BUT, cPanel Support ALSO says that they HIGHLY recommend adding Port 53 to the ALLOW list of Ports. They say that their validation procedures use this port and it is likely that cert delivery/installation may fail if Port 53 is not open for those 4 IP addresses for inbound traffic.
Here is how I have kludged it until you guys can add Port 53 to y'alls file:
1) I created cpanel.comodo53.allow and added:
tcp|in|d=53|s=178.255.81.12 # Comodo SSL Resolver
tcp|in|d=53|s=178.255.81.13 # Comodo SSL Resolver
tcp|in|d=53|s=91.199.212.132 # Comodo DCV Server
tcp|in|d=53|s=199.66.201.132 # Comodo DCV Server
2) I added this include statement to csf.allow:
Include /etc/csf/cpanel.comodo53.allow
PLEASE consider adding the 4 statements above to y'alls cpanel.comodo.allow file so that it updates automagically for all folks and I THINK it will FIX a lot of the Comodo-related issues.
And then I can delete the kludge file and extra include statement.
Thanks!
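A small audit script, added here as an example and not part of the original post or of CSF itself, that parses the advanced csf.allow rule syntax used above (proto|in|d=port|s=ip) and reports which of the four DCV addresses still lack an inbound allow rule for 80, 443 or 53. The sample allow-file contents are constructed for the demonstration (the real cpanel.comodo.allow may differ), and one port-53 line is left out on purpose so the check has something to find; pass proto="udp" to run the same check for UDP 53.

```python
import re
from typing import Set, Tuple

# The four Comodo DCV/resolver addresses named in the post.
DCV_IPS = ("178.255.81.12", "178.255.81.13", "91.199.212.132", "199.66.201.132")
REQUIRED_PORTS = (80, 443, 53)

Rule = Tuple[str, str, int, str]  # (proto, direction, dport, source ip)
RULE_RE = re.compile(r"^(?P<proto>tcp|udp)\|(?P<dir>in|out)\|d=(?P<dport>\d+)\|s=(?P<src>[\d.]+)$")


def parse_csf_rules(text: str) -> Set[Rule]:
    """Parse csf.allow lines of the form proto|in|d=port|s=ip.
    Trailing '# comments' and blank lines are skipped; plain-IP lines and
    'Include' directives carry no port and are ignored by this check."""
    rules: Set[Rule] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.add((m["proto"], m["dir"], int(m["dport"]), m["src"]))
    return rules


def missing_dcv_rules(rules: Set[Rule], ips=DCV_IPS, ports=REQUIRED_PORTS, proto="tcp"):
    """Return sorted (port, ip) pairs with no matching inbound allow rule."""
    return sorted((p, ip) for ip in ips for p in ports if (proto, "in", p, ip) not in rules)


# Constructed sample (hypothetical file contents, not the shipped file):
# 80/443 for all four addresses, port 53 for only three of them.
SAMPLE_ALLOW = """\
# cpanel.comodo.allow + cpanel.comodo53.allow (constructed sample)
tcp|in|d=80|s=178.255.81.12
tcp|in|d=443|s=178.255.81.12
tcp|in|d=80|s=178.255.81.13
tcp|in|d=443|s=178.255.81.13
tcp|in|d=80|s=91.199.212.132
tcp|in|d=443|s=91.199.212.132
tcp|in|d=80|s=199.66.201.132
tcp|in|d=443|s=199.66.201.132
tcp|in|d=53|s=178.255.81.12 # Comodo SSL Resolver
tcp|in|d=53|s=178.255.81.13 # Comodo SSL Resolver
tcp|in|d=53|s=91.199.212.132 # Comodo DCV Server
"""

if __name__ == "__main__":
    for port, ip in missing_dcv_rules(parse_csf_rules(SAMPLE_ALLOW)):
        print(f"missing inbound tcp allow: port {port} from {ip}")
```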