New Server, can't issue SSL certs (Possibly due to HSTS?)

Support and Discussion
#1

So I’m new to cyberpanel (I’m migrating from cPanel), but I’ve been searching around on how the SSL generation is supposed to work. I used the cPanel backup/restore and it also created the sub-domains for me. However, the SSL certs aren’t getting generated. I went through all of the troubleshooting steps (from the How to fix SSL issues in CyberPanel] thread), like checking DNS, file permissions, etc. When I run the command line to generate the SSL with debug I see something like this:

Invalid response from http://mail.mydomain/.well-known/acme-challenge/KCLIDtEIGZhrT-N8u234sdfsdfsdf: 404

I do see the file in there, but when I try to access the site I notice it is trying to redirect me to HTTPS. And it’s saying that this site is using HTTP Strict Transport Security (HSTS). So you can’t access that file.

So basically I think I can’t issue a cert because it doesn’t have a valid cert.

I then searched around everywhere I could to see if I could turn off HSTS for HTTP requests, but I don’t see it anywhere. I checked in the vHosts in cyberpanel, and in Litespeed Webadmin panel, no luck.

I tried to delete the sub domain and re-create it, but still the same issue. Does anyone have any guidance on this?

#2

Indeed there’s been some issues with that lately.
Im my opinion perhaps the best option would be to make the verification by dns instead of file.

About to go sleep, but tomorrow i will see if its easily implemented to replace the file system, but should be using the powerdns api.

#3

Having the same issue it seems to be bug on Cyberpanel. As I checked using the dns method, I have seen that acme is using ZeroSSL now might be some issue because of that. @usmannasir @shoaibkk look into the matter, its very helpful for everyone.

#4

Yea, I am using external DNS servers, so that could be an issue as well.

#5

I was able to manually generate some certs for the sites on this server. However, now I get a 404 when trying to access the .well-known folder, so I’m very worried about what will happen come renewal time. Hopefully this gets sorted out soon.