Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: historictoxaway.org
I ran this command: Via CPanel, this error occurs:
DNS DCV: No local authority: “cpcontacts.historictoxaway.org”; HTTP DCV: “cpcontacts.historictoxaway.org” does not resolve to any IP addresses on the internet.
on two items: cpcontacts.historictoxaway.org, cpcalendar.historictoxaway.org
It produced this output:
This certificate has expired. If you currently host secure content on the domains below, you need to contact your certificate authority to request a new certificate for these domains.
Domains:
Issuer Organization:
Let's Encrypt
My web server is (include version): not sure
The operating system my web server runs on is (include version): not sure
My hosting provider, if applicable, is: Bluehost
I can login to a root shell on my machine (yes or no, or I don't know): I don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not sure
Sounds pretty self-explanatory, right? Those 2 hostnames do not exist. See e.g. cpcalendar.historictoxaway.org | DNSViz and cpcontacts.historictoxaway.org | DNSViz.
2 Likes
So do I just exclude them from AUTOssl?
That's an option if you don't use those hostnames any longer. Otherwise: fix their DNS.
4 Likes
I don't know how to fix a DNS
That's outside the scope of this Community unfortunately.
1 Like
We don't know what you're trying to accomplish, we can just tell you that you're trying to get a certificate for names that don't exist. Presumably you're the one who knows if those names are supposed to exist or not? We certainly don't know what they're for. If you don't use them and they're not supposed to exist, why are you getting a certificate for them? And if you do use them and they are supposed to exist, why are you trying to get a certificate for them instead of trying to get them working?
And what does any of this have to do with PCI compliance?
4 Likes
Exactly what I thought. We're a nonprofit using DonorPerfect to manage and take donations from our database. The PCI compliance part related to an iframe form and we finally gave up on that and just went direct to our PayPal portal. But these last 2 'dings' are preventing our getting 'certified' which is apparently a necessity now to use the software...all seems a little off to me.
I'm not 100% sure these two items are the errors we're getting and no one involved seems equipped to help me understand what's going on. Just that two ports - 2082 and 2086 - are issues.
These are the dings based on the Security Metrics vulnerability scan:
And just found this - related to the two ports, and with Cloudflare involved, which we have:
Your security scan has revealed security vulnerabilities due to open ports.
This could be due to the domain you have run your scan against is being routed via Cloudflare.
By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
- 80
- 8080
- 8880
- 2052
- 2082
- 2086
- 2095
HTTPS ports supported by Cloudflare:
- 443
- 2053
- 2083
- 2087
- 2096
- 8443
So maybe I should just contact Bluehost and ask them to redirect to the secondary list (2083, 2087)??
These are standard cPanel ports with which I'm very familiar. You can use, for example, yourdomainname.com:2083 to access your cPanel login or yourdomainname.com:2096 to access your webmail login. Not sure why anyone would care about the insecure versions of those ports (2082 and 2095).
3 Likes
You already have HTTPS services running on those ports. Maybe just block the two HTTP ports if you don't need them.
Mind you, we are not a general purpose site for helping with server design. You would probably be well served by contracting with someone who can help you with all this.
curl -I https://historictoxaway.org:2083
HTTP/2 200
server: cloudflare
3 Likes
Agreed. Nonprofit, so I'm trying to do what I can w/o extra expense, but it may be time for reinforcements.
Avoiding mistakes with payment processing systems is worthwhile effort. There are probably hosting services geared to your situation which might work too.
2 Likes
I think you already have your answer here (and in the link to cPanel docs I posted) if you have access to the Tweak Settings interface.
3 Likes
For the nonexistent address (A) records for cpcontacts and cpcalendar, this is a very common situation. You can manually create them in your DNS records to look just like your "@" record (and other similar records like "webdisk").
3 Likes
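The two DCV failures above and the suggested fix (create A records for cpcontacts and cpcalendar that mirror the "@" record) can be checked ahead of an AutoSSL run. The script below is an added example and is not code from the thread, cPanel or Let's Encrypt: it takes a constructed, in-memory copy of a zone (placeholder addresses from the 192.0.2.0/24 documentation range), reports which hostnames on the certificate request have no A/AAAA record, and drafts apex-style records for them. Real zone contents would come from the hosting control panel; the sample records here are invented.

```python
"""Offline pre-check for AutoSSL-style certificate requests.

Given a zone (name -> list of (type, value) records, names relative to the
apex "@") and the hostnames that will go on the certificate, report which
hostnames have no address record. An ACME DNS or HTTP validation for such a
name fails before any challenge is attempted, which is the "No local
authority" / "does not resolve to any IP addresses" error shown above.
"""

from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]
Zone = Dict[str, List[Record]]

# Constructed sample zone (not the real historictoxaway.org zone).
SAMPLE_ZONE: Zone = {
    "@": [("A", "192.0.2.10"), ("MX", "mail.example.org.")],
    "www": [("CNAME", "@")],
    "webdisk": [("A", "192.0.2.10")],
    "mail": [("A", "192.0.2.11")],
}

# Hostnames an AutoSSL run would typically put on the certificate.
SAMPLE_HOSTNAMES = ["@", "www", "webdisk", "mail", "cpcontacts", "cpcalendar"]

ADDRESS_TYPES = {"A", "AAAA"}
MAX_CNAME_DEPTH = 8


def resolves_in_zone(zone: Zone, name: str, depth: int = 0) -> Optional[bool]:
    """True if name has an A/AAAA record, following in-zone CNAME chains.

    Returns None when the chain leaves the zone (CNAME to a fully qualified
    external target), since that cannot be verified offline.
    """
    if depth > MAX_CNAME_DEPTH:  # loop guard for circular CNAMEs
        return False
    records = zone.get(name, [])
    if any(rtype in ADDRESS_TYPES for rtype, _ in records):
        return True
    for rtype, value in records:
        if rtype == "CNAME":
            if value.endswith("."):  # external target, unknown offline
                return None
            return resolves_in_zone(zone, value, depth + 1)
    return False


def missing_hostnames(zone: Zone, hostnames: List[str]) -> List[str]:
    """Hostnames that would fail DCV because nothing in the zone addresses them."""
    return [h for h in hostnames if resolves_in_zone(zone, h) is False]


def draft_records_like_apex(zone: Zone, hostnames: List[str]) -> List[Tuple[str, str, str]]:
    """Draft (name, type, value) records copying the apex A/AAAA records."""
    apex_addresses = [(t, v) for t, v in zone.get("@", []) if t in ADDRESS_TYPES]
    return [(h, t, v) for h in hostnames for t, v in apex_addresses]


def report(zone: Zone, hostnames: List[str]) -> str:
    """Human-readable summary: what to exclude from the request or add to DNS."""
    missing = missing_hostnames(zone, hostnames)
    if not missing:
        return "All hostnames have address records; DCV can proceed."
    lines = ["Hostnames with no address record (exclude from AutoSSL or add DNS):"]
    lines += [f"  {h}" for h in missing]
    lines.append("Suggested records mirroring '@':")
    lines += [f"  {n}  IN  {t}  {v}" for n, t, v in draft_records_like_apex(zone, missing)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ZONE, SAMPLE_HOSTNAMES))
```

Run it as-is to see the two unresolvable names flagged together with the A records that would mirror the apex; swap in the zone exported from the control panel to check a real request before AutoSSL retries it.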
Usually Peripheral Component Interconnect (PCI) isn't worried about certificates, and PCI IO ports are a totally different thing from TCP & UDP ports.
2 Likes