cPanel® Blog

Urgent DCV Updates This Week

Versions with the updates have been added to the bottom of this post!

———————————————-

The cPanel Market SSL Provider allows webhosts to easily sell DV, EV, and OV SSL certificates through cPanel. Similarly, AutoSSL automatically requests and installs free SSL certificates for hosted domains. Both of these features allow you to install SSL certificates issued by cPanel and signed by Comodo.

Late last week we were alerted to changes that Comodo is making to how they handle domain verification. If you have cPanel & WHM updates set to automatically be applied, then you don’t need to worry about anything at all. However, if you manage your updates manually, you need to pay attention.

DCV

Domain Control Validation (DCV) is the act of verifying that a user is the one who controls a domain. Both the cPanel Market SSL Provider and AutoSSL use files our software creates in a website’s document root (on most cPanel accounts: /home/user/public_html/) to verify that the server requesting the SSL certificate controls the domain. The changes that Comodo is making touch on the very core of cPanel’s DCV.

Comodo DCV Updates

Comodo is changing both the contents of the file and the directory in which it will look for it. Rather than looking in a website’s document root directly, it will now look inside a folder named .well-known inside the document root.

For example, right now the DCV check will look for HTTP(S)://fully.qualified.name/<filename.txt>. After the change is released, the DCV check will look for HTTP(S)://fully.qualified.name/.well-known/pki-validation/<filename.txt> to validate the domain.
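
An added example (not cPanel's or Comodo's code): a preflight that confirms a file written under the new .well-known/pki-validation/ path is actually served by the site, which server rules that deny dot-directories can prevent. The probe filename, the function names, and treating a redirect as a failure are assumptions of this sketch; demo() runs the check against a local server on a constructed, empty docroot.

```python
import http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request
from functools import partial

DCV_DIR = ".well-known/pki-validation"  # new location named in the post

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # urllib then raises HTTPError for the 3xx response

def fetch(url):
    """Return (status, body) without following redirects (assumed policy)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""

def preflight(docroot, base_url):
    """Write a throwaway probe under DCV_DIR, fetch it over HTTP, remove it."""
    name = "probe-" + secrets.token_hex(8) + ".txt"  # hypothetical probe name
    body = secrets.token_hex(16).encode()
    directory = os.path.join(docroot, *DCV_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(body)
    try:
        status, got = fetch(f"{base_url.rstrip('/')}/{DCV_DIR}/{name}")
    finally:
        os.remove(path)  # the probe is removed; the directories are left
    return status == 200 and got == body, status

def demo():
    """Run the check against a local server on a constructed docroot."""
    with tempfile.TemporaryDirectory() as docroot:
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return preflight(docroot, f"http://127.0.0.1:{server.server_port}")
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(demo())
```

On a real server, call preflight() with the account's document root and the site's base URL; a result other than (True, 200) means the path is not being served as written.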

When you need to upgrade

For now both the “old” and the “new” ways of validating domains will continue to work. The “old” way will no longer be supported after July 20, 2017. Over the weekend our development team worked hard to get code written and tests updated to reflect these changes. These updates will apply to all supported versions of cPanel & WHM: version 56 through 66.

Comodo’s changes are live today, so we’re going to be testing extensively over the next few days before releasing our updates to the public. Assuming an ideal timeline, we will release updates for all versions this week, in plenty of time for the deadline on July 20th.

Anticipated question/answer rundown

  • What changes do I need to make?
    • Assuming that you allow your cPanel & WHM servers to stay updated automatically, you don’t need to make any changes at all. cPanel will create all of the necessary folders and files as they are needed, and AutoSSL will continue to work in the anticipated way.
  • Why the tight timeline?
    • Unfortunately, sometimes things have to move more quickly than we’d like. Comodo gave us as much notice as they could, and we’re making the most of the time.
  • What happens if I don’t upgrade by the 20th?
    • Existing SSL certificates will continue to work until they expire; however, servers that are not updated will be unable to request and issue new SSL certificates.
  • How does this impact the release of Version 66 this week?
    • We’re hoping it won’t, and we’re still hoping to release version 66 to CURRENT (with these updates) on Wednesday. Worst case scenario, it will be delayed until the week of the 17th.

Where to go for more information

If there are updates to be had, beyond a new version to upgrade to, I will be updating this blog post. This will be the best source for new information, but you can also find us on Twitter and Facebook.

UPDATES!

The updates that include the DCV updates have been released!

  • 66.0.1 — In the EDGE tier on July 12th, 2017 (CURRENT planned for Tuesday, July 18th)
  • 64.0.32 — In CURRENT on July 12th, 2017 (should be in STABLE by Monday, July 17th)
  • 62.0.26 — in the 62 LTS tier on July 12th, 2017
  • 60.0.44 – in the 60 LTS tier on July 12th, 2017
  • 58.0.51 — in the 58 LTS tier on July 12th, 2017
  • 56.0.50 — in the 56 LTS tier on July 12th, 2017

benny Vasquez

scripter, crafter, cPanel’s Manager of Community Engagement. Facilitating communication between cPanel’s amazing development team, and cPanel’s amazing community. Find me on twitter: @cpaneldev

  • Ken Wiebe

    I’m currently on 64.0.33 and don’t see any of the files mentioned:

    HTTP(S)://fully.qualified.name/.well-known/pki-validation/

    Are these files supposed to be in the root directory?

    • cPanelbenny

      The folders will be created in your website’s document root. The folders and files will be created as needed by AutoSSL, so if they aren’t in your document root that likely means that you haven’t had to be issued an SSL by AutoSSL yet.

      • Ken Wiebe

        Does that mean that it will only install the files when it comes time to renew…15 days before the certificate expires?

        I know that I have never seen any .txt files in the root directory and AutoSSL has renewed a bunch of accounts already in the past.

        • cPanelbenny

          Yup, that pretty well sums it up. We wouldn’t be creating the .txt files in the document root (to be clear, the document root is: /home/$USER/public_html/ for most websites). You’d be looking for the folders in the document root.

          • Ken Wiebe

            Thanks Benny.

            As far as my reference to the original DCV method, I have never seen a file such as:

            /home/$USER/public_html/

          • cPanelbenny

            Ah! Sorry, I misspoke. We should be removing the files after validation is complete, it’s likely that you’d never notice them.

          • Ken Wiebe

            Ahhh..makes sense.

            Does the same hold true for the new verification method?

          • cPanelbenny

            Yup!

          • Ken Wiebe

            Thanks for the info, very helpful 🙂

          • cPanelbenny

            Anytime. 🙂

  • Quick question: I don’t have /.well-known/pki-validation/; instead of /pki-validation I have /acme-challenge (on cPanel & WHM 64.0 (build 33)). Do I need to do anything?

    • cPanelbenny

      I believe that means you’re using Let’s Encrypt instead of Comodo, so you should be good!