Forward Certificate Validation to Hosting


#1

Hello there, I’m trying to see how to enable the “Forwarding Certificate Validation to Hosting” setting. My domain is forbiddensky.com, hosted on WPEngine. They also hold my SSL certificates generated from your service. I have Sucuri running as a firewall and am getting this error: “SiteCheck error: Unable to properly scan your site. TLS certificate does not match the host name”. I’ve reached out to both services and they’ve told me I need to get that enabled through you guys for my SSL files. I have files for forbiddensky.com, www.forbiddensky.com, forbiddensky.net, www.forbiddensky.net, promohd.com and www.promohd.com; they all point to www.forbiddensky.com. I’m trying to wrap my head around how this all works. Should all those URLs use one SSL file? Thank you for the help.


#2

According to WPEngine’s documentation, “Forward Certificate Validation to Hosting” is a Sucuri WAF setting.

https://wpengine.com/support/add-ssl-site/

In any case, it’s not part of Let’s Encrypt, or something Let’s Encrypt can do.

If the name is any indication, enabling “Forward Certificate Validation to Hosting” stops Sucuri from blocking HTTP requests used by Let’s Encrypt or other CAs to validate control of your domain so certificates can be issued.


#3

Thank you very much for this answer. I will circle back with them to see how to address this.


#4

Ok, one more question. Does this mean Sucuri is generating their own SSL? If so, is that causing the conflict with the WPEngine SSL? If I understood right, there may be duplicate files fighting for control?


#5

I don’t know. (Someone here might know the answer.) They might be. They could block the requests anyway.

Sucuri or WPEngine would have to answer that.

There’s nothing inherently wrong or conflicting with having multiple parties who control a website generate different certificates. They can use the same CA, or different CAs. (Edit: But Let’s Encrypt has rate limits, and other CAs could have their own policies.)

But depending on how they implement it, they could cause problems.

For example, ACME HTTP validation uses random filenames in the directory /.well-known/acme-challenge/. If Sucuri intercepts one filename for a few seconds every couple months, it’s virtually impossible for there to be an issue. If they block the entire directory all the time, that would prevent WPEngine from using HTTP validation.
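To make the point in the reply above concrete, here is an added example (not code from the thread, from Let's Encrypt, Sucuri or WPEngine) that simulates an ACME HTTP-01 validation: the hosting provider publishes a file under /.well-known/acme-challenge/, the CA fetches it through whatever sits in front of the site and compares the body with the key authorization it computed itself. The "WAF" and "origin" are plain Python functions standing in for the real services, and the account key is a constructed JWK with a made-up modulus; only the key-authorization and RFC 7638 thumbprint computations are the real ACME formats.

```python
"""ACME HTTP-01 validation simulated with and without a WAF in front of the origin.
Added example; not from the forum post or any project. All values are constructed."""
import base64
import hashlib
import json
import secrets

CHALLENGE_DIR = "/.well-known/acme-challenge/"

# Constructed account key: the modulus is a placeholder string, not a real RSA key.
EXAMPLE_JWK = {"kty": "RSA", "n": "constructed-placeholder-modulus", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace.
    Extra members such as kid or alg do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects in the challenge file: token '.' account-key thumbprint (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class Origin:
    """Stand-in for the hosting provider's web server; serves only the challenge files it published."""

    def __init__(self):
        self.files = {}

    def publish_challenge(self, token: str, jwk: dict) -> None:
        self.files[CHALLENGE_DIR + token] = key_authorization(token, jwk)

    def serve(self, path: str):
        if path in self.files:
            return 200, self.files[path]
        return 404, "not found"


def waf_pass_through(path: str, origin: Origin):
    """Firewall that forwards challenge requests to the origin (validation forwarded to hosting)."""
    return origin.serve(path)


def waf_block_directory(path: str, origin: Origin):
    """Firewall that refuses every request under the challenge directory."""
    if path.startswith(CHALLENGE_DIR):
        return 403, "blocked by firewall"
    return origin.serve(path)


def ca_validates(waf, origin: Origin, token: str, jwk: dict) -> bool:
    """The CA's side: fetch the file through the front-end and compare it with the
    key authorization it can compute on its own from the token and the account key."""
    status, body = waf(CHALLENGE_DIR + token, origin)
    return status == 200 and body.strip() == key_authorization(token, jwk)


def run_scenarios() -> dict:
    """Validate the same published challenge through both kinds of firewall."""
    origin = Origin()
    token = secrets.token_urlsafe(32)          # random per challenge, as in real ACME
    origin.publish_challenge(token, EXAMPLE_JWK)
    return {
        "forwarded_to_hosting": ca_validates(waf_pass_through, origin, token, EXAMPLE_JWK),
        "directory_blocked": ca_validates(waf_block_directory, origin, token, EXAMPLE_JWK),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'issued' if ok else 'validation failed'}")
```

Swapping `waf_pass_through` for a real HTTP fetch of `https://<domain>/.well-known/acme-challenge/<token>` turns `ca_validates` into a pre-flight check you can run from outside the CDN before asking the CA to validate.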


#6

In my previous experience with Sucuri, they acted as a CDN (MITM) to secure your Internet presence.
I don’t know if that is how it is setup in your case.
But that is easy to see.
Q1. What is the real Internet IP of your system?
A1. _______________
Q2. What does Internet DNS show for your domain(s)?
A2a. (www.)forbiddensky.com = 192.124.249.13 [rDNS = cloudproxy10013.sucuri.net]
A2b. (www.)forbiddensky.net = 35.230.56.55 [rDNS = 55.56.230.35.bc0googleusercontent.com]
A2c. (www.)promohd.com = 35.230.56.55 [rDNS = 55.56.230.35.bc0googleusercontent.com]

So it would seem they are acting as a CDN for some of your names.


#7

That would be correct. Only the dot com is using Sucuri. All others redirect. I have been updating the open ticket with information for the better part of 9 hrs. No response from Sucuri… if they can’t solve this fast I may move on to a competitor. Thank you for the insight.


#8

Is that “SiteCheck” process running within Sucuri?
If so, what IP do they check (and what FQDN)?

openssl s_client -connect 35.230.56.55:443 -servername forbiddensky.com
returns a valid cert for forbiddensky.com:

openssl s_client -connect 35.230.56.55:443 -servername www.forbiddensky.com
returns a valid cert for www.forbiddensky.com:
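The openssl s_client checks above answer "does this IP serve a certificate that covers this SNI name?", which is the test behind the "TLS certificate does not match the host name" message. The following added example (not code from the thread, Sucuri or WPEngine) does the same in Python: `fetch_san_names` connects to an IP with a chosen SNI name and returns the dNSName entries of whatever certificate comes back, and `cert_covers_hostname` applies the RFC 6125 matching rules (case-insensitive, a wildcard only as the whole left-most label, never across a dot) so mismatches can be checked without a network connection. The IP and names in `main()` are the ones from the post; everything else is an assumption of the example.

```python
"""Does the certificate a server presents for an SNI name actually cover that name?
Added example; not from the forum thread or any vendor. cert_covers_hostname() is pure
and runs offline; fetch_san_names() opens a real TLS connection and is only used in main()."""
import socket
import ssl


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 §6.4.3 style comparison: case-insensitive; '*' is accepted only as the
    entire left-most label, needs at least two more labels, and never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # rejects '*.com', partial-label wildcards and depth mismatches
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN entry matches. Browsers ignore the Subject CN when a
    SAN extension is present, so only SAN names are considered here."""
    return any(_name_matches(name, hostname) for name in san_dns_names)


def san_dns_names_from_peercert(peercert: dict):
    """Extract dNSName entries from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_san_names(ip: str, servername: str, port: int = 443, timeout: float = 5.0):
    """Connect to `ip` sending `servername` as SNI (like openssl s_client -servername) and
    return the dNSName SANs of the presented certificate. Hostname checking is disabled so
    a mismatched certificate is returned instead of raising; the chain is still verified,
    because getpeercert() returns an empty dict when verification is off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return san_dns_names_from_peercert(tls.getpeercert())


def main() -> None:
    # IP and names taken from the post above; re-runs the two s_client checks in one go.
    ip = "35.230.56.55"
    for servername in ("forbiddensky.com", "www.forbiddensky.com"):
        names = fetch_san_names(ip, servername)
        verdict = "matches" if cert_covers_hostname(names, servername) else "DOES NOT MATCH"
        print(f"{ip} with SNI {servername}: SANs={names} -> {verdict}")


if __name__ == "__main__":
    main()
```

Running `main()` against the origin IP and then against the Sucuri proxy IP shows which hop is serving a certificate that does not list the name being scanned.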


#9

The check is coming from Sucuri. Sadly I do not know where it originates or what IP they check. I had this set up under a different URL, same host… and had no problems. This only began to happen once I moved to this URL. Don’t know if it correlates or not. Now I’m pretty much at their mercy. Sucuri tech support has not been very helpful and slow to respond. My host and LetsEncrypt have been fantastic. As has this forum.


#10

Does Sucuri have a control panel that allows you to set (see) the exact URL they check?


#11

Not really sure that it shows which they are checking. At least I’m not seeing it in the plug-in interface or their site. They finally got back to me and enabled the validation to host. That did the trick. No longer getting the error. I gave them access to my site to research the issue. Not an easy feeling giving up access. But they did get it resolved. Their login has since been removed. Thank you all for setting me in the right direction. Hopefully this can help others dealing with similar issues.