Urgent DCV Updates

Versions with the updates have been added to the bottom of this post!

———————————————-

The cPanel Market SSL Provider allows webhosts to easily sell DV, EV, and OV SSL certificates through cPanel. Similarly, AutoSSL automatically requests and installs free SSL certificates for hosted domains. Both of these features allow you to install SSL certificates issued by cPanel, and signed by Comodo.

Late last week we were alerted to changes that Comodo is making to how they handle domain verification. If you have cPanel & WHM updates set to automatically be applied, then you don’t need to worry about anything at all. However, if you manage your updates manually, you need to pay attention.

DCV

Domain Control Validation (DCV) is the act of verifying that a user is the one who controls a domain. Both the cPanel Market SSL Provider and AutoSSL use files our software creates in a website’s document root (on most cPanel accounts: /home/user/public_html/) to verify that the server requesting the SSL certificate controls the domain. The changes that Comodo is making touch on the very core of cPanel’s DCV.

Comodo DCV Updates

The list of things Comodo is changing includes both the contents of the file, and the directory in which it will be looking. Rather than looking in a website’s document root directly, it will now look inside a folder named .well-known inside the document root.

For example, right now the DCV check will look for HTTP(S)://fully.qualified.name/<filename.txt>. After the change is released the DCV check will look for HTTP(S)://fully.qualified.name/.well-known/pki-validation/<filename.txt> to validate the domain.
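A pre-flight check for the path change described above, as an added example that is not part of the original post or cPanel's own code: it requests a DCV file at both the old and the new URL and reports which location answers 200. The file name and contents are constructed placeholders, and the demo serves a temporary document root on loopback so it runs offline.

```python
import http.server
import pathlib
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

NEW_DIR = ".well-known/pki-validation"  # location named in the post
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

def dcv_urls(base, filename):
    """Old (document root) and new (.well-known) DCV URLs for a site."""
    base = base.rstrip("/")
    return f"{base}/{filename}", f"{base}/{NEW_DIR}/{filename}"

def fetch_status(url, timeout=5):
    """HTTP status a validator would see, or None if the host is unreachable."""
    try:
        with DIRECT.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:
        return None

def check_dcv(base, filename):
    """Report which DCV locations answer 200 for this site."""
    old, new = dcv_urls(base, filename)
    return {"old": fetch_status(old) == 200, "new": fetch_status(new) == 200}

def demo():
    """Probe a constructed docroot on loopback before and after the move."""
    name = "EXAMPLE_TOKEN.txt"  # constructed file name, not a real DCV file
    with tempfile.TemporaryDirectory() as docroot:
        pathlib.Path(docroot, name).write_text("constructed\n")  # old layout only
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
        with http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler) as server:
            threading.Thread(target=server.serve_forever, daemon=True).start()
            base = f"http://127.0.0.1:{server.server_address[1]}"
            before = check_dcv(base, name)
            new_dir = pathlib.Path(docroot, NEW_DIR)
            new_dir.mkdir(parents=True)  # the folder an updated server creates
            (new_dir / name).write_text("constructed\n")
            after = check_dcv(base, name)
            server.shutdown()
    return before, after

if __name__ == "__main__":
    print(demo())
```

Against a real site, call check_dcv with the site's base URL and the name of a DCV file that exists on the server; a result of "new": False on an updated server means something in the web server configuration is blocking the .well-known path.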

When you need to upgrade

For now both the “old” and the “new” ways of validating domains will continue to work. The “old” way will no longer be supported after July 20, 2017. Over the weekend our development team worked hard to get code written and tests updated to reflect these changes. These updates will apply to all supported versions of cPanel & WHM: version 56 through 66.

Comodo’s changes are live today, so we’re going to be testing extensively over the next few days before releasing our updates to the public. Assuming an ideal timeline, we will release updates for all versions this week, in plenty of time for the deadline on July 20th.

Anticipated question/answer rundown

  • What changes do I need to make?
    • Assuming that you allow your cPanel & WHM servers to stay updated automatically, you don’t need to make any changes at all. cPanel will create all of the necessary folders and files as they are needed, and AutoSSL will continue to work in the anticipated way.
  • Why the tight timeline?
    • Unfortunately, sometimes things have to move more quickly than we’d like. Comodo gave us as much notice as they could, and we’re making the most of the time.
  • What happens if I don’t upgrade by the 20th?
    • Existing SSL certificates will continue to work until they expire; however, servers that are not updated will be unable to request and issue new SSL certificates.
  • How does this impact the release of Version 66 this week?
    • We’re hoping it won’t, and we’re still hoping to release version 66 to CURRENT (with these updates) on Wednesday. Worst case scenario, it will be delayed until the week of the 17th.

Where to go for more information

If there are updates to be had, beyond a new version to upgrade to, I will be updating this blog post. This will be the best source for new information, but you can also find us on Twitter and Facebook.

UPDATES!

The updates that include the DCV updates have been released!

  • 66.0.1 — In the EDGE tier on July 12th, 2017 (CURRENT planned for Tuesday, July 18th)
  • 64.0.32 — In CURRENT on July 12th, 2017 (should be in STABLE by Monday, July 17th)
  • 62.0.26 — in the 62 LTS tier on July 12th, 2017
  • 60.0.44 — in the 60 LTS tier on July 12th, 2017
  • 58.0.51 — in the 58 LTS tier on July 12th, 2017
  • 56.0.50 — in the 56 LTS tier on July 12th, 2017