Every so often something new is introduced that is designed to make things easier. But sometimes it also accidentally makes things a bit harder. This is one of those times.
cPanel v58 introduced AutoSSL which automatically installs and renews SSL Certificates. All websites can use a Domain Validated SSL Certificate but AutoSSL can also be used to work with Let’s Encrypt. As a quick primer, SSL certificates allow a website to encrypt the communication between the web host and website visitors which is particularly important when you’re sending sensitive information like passwords and Credit Card details. Google also appears to be moving in the direction of recommending websites that use SSL. So if your webhost is using cPanel they can easily offer automated SSL Certificates to all their customers costing them practically nothing.
Great, right? Well, if you’re using a Content Distribution Network (CDN) or third-party Website Firewall, things may not be so great.
To prevent abuse, AutoSSL checks that the IP address the domain resolves to matches the value in cPanel. This is where conflicts are likely if your website sits behind a CDN like Cloudflare or a Website Firewall — by default AutoSSL will see the IP address of the CDN/Website Firewall instead of your server's, causing it to fail with an error message like the one below:
The system failed to fetch the DCV (Domain Control Validation) file at “http://DOMAIN.com/FOLDER” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://DOMAIN.com/FOLDER” because of an error: Timed out while waiting for socket to become ready for reading. The domain “DOMAIN.com” resolved to an IP address “IP_ADDRESS” that does not exist on this server.
If your CDN/Website Firewall has provisions for allowing AutoSSL to view the actual IP address, then you’re probably fine. But if not (maybe you’re on Cloudflare’s free account), there are work-arounds (suggested below), but you might have to go back and re-think your security, caching and performance strategy for your websites.
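A pre-flight check you can run on the cPanel server before AutoSSL does, added here as an example and not part of the original post or of cPanel: it resolves the domain, compares the answer with the addresses configured on the server (the same comparison behind the "does not exist on this server" error above), and, when they differ, fetches a page straight from the origin with curl --resolve to show the web host itself still answers. It assumes dig and curl are installed; the DCV file path is a placeholder, since cPanel picks its own file under http://DOMAIN.com/FOLDER.

```shell
#!/bin/sh
# Added example, not from the original post: mirror the DNS-vs-local-IP
# comparison AutoSSL's DCV makes, so a proxying CDN/firewall is spotted early.
# Assumptions: dig (bind-utils), curl and iproute2 are installed.

# Return 0 if any address the domain resolves to is an address of this server.
# $1: space-separated resolved IPs   $2: space-separated local IPs
dcv_ip_matches() {
    for r in $1; do
        for l in $2; do
            [ "$r" = "$l" ] && return 0
        done
    done
    return 1
}

# IPv4 addresses configured on this host, one per line.
local_ipv4() {
    ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# Fetch from the origin directly, bypassing DNS (and so the proxy) with
# curl --resolve, and print the HTTP status code the origin returned.
origin_http_status() {
    domain="$1"; origin_ip="$2"; path="${3:-/}"
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$domain:80:$origin_ip" "http://$domain$path"
}

autossl_precheck() {
    domain="$1"
    # Keep only A-record answers; +short also lists CNAME targets.
    resolved=$(dig +short A "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' ')
    local_ips=$(local_ipv4 | tr '\n' ' ')
    if dcv_ip_matches "$resolved" "$local_ips"; then
        echo "OK: $domain resolves to this server ($resolved)"
        return 0
    fi
    echo "WARN: $domain resolves to [$resolved]; none is local [$local_ips]."
    echo "      A CDN/firewall is likely proxying it, so AutoSSL DCV will fail."
    for l in $local_ips; do
        case "$l" in 127.*) continue;; esac   # skip loopback
        echo "      direct fetch via $l -> HTTP $(origin_http_status "$domain" "$l" /.well-known/DCV_PLACEHOLDER)"
        break
    done
    return 1
}

# Usage on the server: sh autossl_precheck.sh DOMAIN.com
if [ "$#" -ge 1 ]; then autossl_precheck "$1"; fi
```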
Use Cloudflare with AutoSSL
While we’ll use Cloudflare’s free account as a specific example, the general principle should apply to any CDN/Website Firewall where you cannot allow AutoSSL to view the actual IP address.
- Rely on Cloudflare’s shared SSL certificate and set your SSL level to Full or lower. This will keep the connection between visitors and Cloudflare encrypted but may leave the connection between Cloudflare and your web host unencrypted. If you’re fine with that, then there’s nothing left to do.
- Use AutoSSL and disable Cloudflare (or allow traffic to simply pass through Cloudflare). This will allow you to use the SSL Certificate generated by AutoSSL, but you will unfortunately lose all the benefits that Cloudflare brings (such as caching, minification, etc.). If you only want to use Cloudflare as a DNS manager, then this might be the solution for you.
- Temporarily disable Cloudflare whenever you need to issue or renew the SSL Certificate via AutoSSL. This will be troublesome because Let’s Encrypt requires renewal every 90 days. But if you insist on using Full (Strict) SSL on Cloudflare, this may be your only choice unless you…
- Upgrade to a Cloudflare Business account which allows you to install your own SSL Certificate. If money is no object this would be the best solution.