Addon Domain: Manage Subdomain(s) Only, not the Primary Domain

cPanel & WHM Version
92.0.10

liebn0r

Active Member
Dec 7, 2017
41
2
8
USA
cPanel Access Level
Website Owner
I have an account, my main account, let's call it Blue and it hosts blue.com on IP 1.2.3.4 (for sake of example). My friend has a domain on their own server, let's call it buddy.com (for sake of example). We want my server to handle all wildcard domains (*.buddy.com) not already being managed by buddy.com's DNS, specifically on the Blue account because that has all the software and environment on it we want to handle *.buddy.com's traffic. We also want SSL enabled.

I'm really close to figuring this out. Here's what I know I need to do:
  • My friend adds DNS records for buddy.com:
    *.buddy.com 1.2.3.4 300
    _cpanel-dcv-test-record.buddy.com ns1.blue.com 300
    _acme-challenge.buddy.com ns1.blue.com 300
  • I add all of buddy.com's nameserver IPs to "Configure Remote Service IPs"
  • I go into the Blue cPanel account and... somehow magically (this is the part I can't figure out) only add *.buddy.com as an addon subdomain and configure it to the subdirectory I want to handle its traffic
  • I install the letsencrypt plugin for AutoSSL and run it for the Blue account
Now I can accomplish this if I add buddy.com as an addon domain with all of the subdomain and DNS configuration that comes with it including www and webmail and cpanel etc etc and then add *.buddy.com as a wildcard subdomain, but ***I don't want*** the server to try to manage the buddy.com primary domain, I only want to manage the wildcard subdomain.

Is there a way to do this properly? If not, to what extent can I edit the DNS records and remove all the crap I don't want? How else can I trim this down to configure only the minimum necessary to accomplish what I want?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,148
784
313
cPanel Access Level
Root Administrator
Hey there! I think you're doing everything correctly. Since the DNS for buddy.com isn't managed and also isn't pointed to your machine, the site itself won't point here even though it may create that domain as part of your setup process. It will exist on the server, but just not be used.

After you create the domain you're welcome to remove any DNS records that you aren't using, such as the "cpanel" and "webmail" entries as that won't negatively impact the account at all.
 

liebn0r

Active Member
cPanel Access Level
Website Owner
I'm having an issue with Let's Encrypt not validating these domains:

[screenshot of the AutoSSL/Let's Encrypt DCV failure]

It's trying to perform DCV on the root domain which is not hosted on the server, only wildcard domains are. How do I fix this? Can I somehow instruct Let's Encrypt to perform DCV on a subdomain to verify the wildcard certificate?
 

liebn0r

Active Member
cPanel Access Level
Website Owner
I'm not sure I understand the question. There are other domains on the account that have the root domain hosted on the server and they're passing. The system isn't securing SSL certificates for the wildcard domains described in the original post.
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
Thanks for that - you are correct that you would need to be using Let's Encrypt, but the issue is with DNS verification:

https://docs.cpanel.net/knowledge-base/third-party/the-lets-encrypt-plugin/

"If you use the Let's Encrypt plugin to issue certificates for wildcard domains, be aware that:

This plugin cannot use HTTP DCV challenges to issue certificates for wildcard domains. This is because Let's Encrypt does not support this type of challenge. For more information, read Let's Encrypt's HTTP-01 challenge type documentation.

You cannot use this plugin to obtain certificates for wildcard domains if you use third-party DNS hosting. You must host DNS on your local cPanel & WHM server or within the server's DNS cluster."
 

liebn0r

Active Member
cPanel Access Level
Website Owner
The _cpanel-dcv-test-record and _acme-challenge DNS records are pointed to the server. That worked in the initial setup, I'm not sure why it's not working now.
 

liebn0r

Active Member
cPanel Access Level
Website Owner
For the record, I opened a ticket for this, and it's not going well. I'm getting passed between so many different support people, and each one starts over without thoroughly reading the ticket and coming up with new explanations or bringing up issues that have already been addressed. My responses and questions go unanswered, there's no consistency whatsoever.

The root domain DNS (i.e. REDACTED) has the DCV subdomain records (_cpanel-dcv-test-record and _acme-challenge) set to my server's nameservers (it was ns1.bid.glass and ns2.bid.glass but someone told me to switch it to server.bid.glass and then I got passed off to someone else). A dig of _cpanel-dcv-test-record.REDACTED.io has no answer. A dig trace of _cpanel-dcv-test-record.REDACTED shows that my cPanel server is the one responding. A DNS lookup for the TXT record for _cpanel-dcv-test-record.carsheet.io reports the TXT record set by my cPanel server. What's going wrong here?
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
Thanks for that - I do see the ticket was escalated from Level 1 support and eventually made its way to Level 3, and was only passed to new technicians while shift changes were happening. If you don't believe the ticket was handled properly, you can request to work directly with a supervisor through that ticket and we'll be happy to do that.

It still seems there are problems with the DNS configuration of those records that are keeping the workaround from working properly. It's also worth noting that the configuration you're trying to implement is not something that is officially supported.
 

liebn0r

Active Member
cPanel Access Level
Website Owner
Well, it did work originally, that's why there are valid wildcard SSL certificates for those domains in the first place. According to the logs, Let's Encrypt is only attempting HTTP-based DCV, not DNS-based DCV. I wonder if it would pass if it attempted DNS-based DCV because the TXT records are getting updated correctly, but I don't know how the authentication process is managed by WHM/Let's Encrypt.
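The DNS-01 check the last post is unsure about, as an added example that is not part of this thread, of cPanel's plugin or of Let's Encrypt's code: it reproduces the RFC 8555 key-authorization arithmetic so the TXT value the delegated nameserver publishes at _acme-challenge.buddy.com can be compared with what the CA will compute. The account key, challenge token and TXT answers are constructed placeholders, and the `*.buddy.com` name is the one from the original post.

```python
"""DNS-01 validation arithmetic (RFC 8555 section 8.4, RFC 7638 thumbprint).

Added example, not cPanel or Let's Encrypt code. For a wildcard name the CA
queries TXT at _acme-challenge.<base domain>; with the NS delegation from the
first post that query lands on the cPanel server, so its answer must equal
base64url(SHA-256(token "." thumbprint(account key))).
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash the required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def expected_txt(token: str, jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(keyAuthorization))."""
    key_auth = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """*.buddy.com and buddy.com are both validated at _acme-challenge.buddy.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."


def txt_matches(published, token: str, jwk: dict) -> bool:
    """True if any TXT string returned for the challenge name is the expected one."""
    return expected_txt(token, jwk) in list(published)


# Constructed sample values: not a real account key, not a real challenge.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    want = expected_txt(SAMPLE_TOKEN, SAMPLE_JWK)
    # Constructed stand-in for `dig +short TXT _acme-challenge.buddy.com` output.
    answers = [want, "v=spf1 -all"]
    print(challenge_name("*.buddy.com"), "must carry", want)
    print("delegated server answer matches CA expectation:",
          txt_matches(answers, SAMPLE_TOKEN, SAMPLE_JWK))
```

A stale or missing TXT answer from the delegated server (rather than a wrong value) shows up as `txt_matches` returning False, which is the condition worth checking with `dig @server.bid.glass TXT _acme-challenge.<domain>` before re-running AutoSSL.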