Addon Domain: Manage Subdomain(s) Only, not the Primary Domain

cPanel & WHM Version
92.0.10

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,227
2,217
363
cPanel Access Level
Root Administrator
Our Level 4 technician team was able to conclude that the custom workaround is a not a valid procedure, and it has since been removed from our support pages. I'm sorry if that document led you down the wrong path. They outlined another workaround that could potentially get things working, and also mentioned the certbot that Let's Encrypt has available.
 

liebn0r

Well-Known Member
Dec 7, 2017
48
7
8
USA
cPanel Access Level
Website Owner
They outlined another workaround that could potentially get things working
This is your Level 4 tech's solution:

So the solution is to change the _acme-challenge.onezo.org records at the name.com name servers from A to TXT.
Then it should pass DCV (via DNS) and issue the SSL.

Please try that and let me know if we can be of further assistance.
In other words, he's suggesting I set the TXT records at the remote root DNS (which, by the way, I've already stated multiple times that I don't have control over the remote root DNS except to ask clients to set NS records for the DCV subdomains to point to our DNS). The DCV subdomain TXT records are generated by cPanel and updated to the local DNS during the AutoSSL renewal process. How then would manually updating the TXT records at the remote root DNS before attempting AutoSSL renewal solve this? New DCV values will be generated during the AutoSSL process and be assigned to the local DNS and not the remote DNS, and the checks will fail. The whole point of delegating the NS for the DCV subdomains to the local DNS is so that they are considered the NS authority for those subdomains and therefore the local TXT records will be read and the checks will pass.

Sure, remove the article because clearly your team doesn't know how to get it to work.
 

cPRex
We removed the article not because we aren't able to get it to work, but because the workaround didn't appear to be valid with our testing. We don't want to have bad information out there.

The issue is that AutoSSL just isn't designed to do what you're trying. You'd have much better luck with the certbot tools handling this rather than trying to move AutoSSL certs to another location.
 

liebn0r
It still seems to me that the problem is that the system is attempting HTTP DCV on the wildcard subdomains rather than DNS DCV and/or the cPanel server is not giving answers for NS requests of the DCV subdomains, i.e. "dig _acme-challenge.onezo.org NS @ns1.bid.glass", even though a "dig +trace _acme-challenge.onezo.org NS" clearly shows the NS authority has been delegated to ns1.bid.glass (the same result when the NS is set to server.bid.glass; we've tried both multiple times).
 

liebn0r
This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!
For wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we can invoke via the preferred-challenges=dns flag.
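The quoted DNS-01 description says the TXT record is "derived from that token and your account key". The derivation, as an added example that is not code from the thread or from cPanel, is the one RFC 8555 specifies: key authorization = token "." JWK thumbprint (RFC 7638) of the account key, and the TXT value is the base64url SHA-256 of that string. The account key coordinates and token below are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json

# RFC 7638: the thumbprint covers only the required public members, sorted by name,
# serialised without whitespace; extra members such as "kid" or "alg" are ignored.
REQUIRED_JWK_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || "." || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """RFC 8555 section 8.4: owner name and value of the TXT record for one DNS-01 challenge.
    A wildcard identifier *.example.org is validated at _acme-challenge.example.org."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)

# Constructed P-256 account key (placeholder coordinates, not a usable key) and token;
# a real client derives the record from its real account key in exactly the same way.
CONSTRUCTED_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "kid": "acct-1"}
CONSTRUCTED_TOKEN = "constructed-token-4ZtMXMdCq2"

if __name__ == "__main__":
    owner, value = dns01_record("*.onezo.org", CONSTRUCTED_TOKEN, CONSTRUCTED_ACCOUNT_JWK)
    print(f'{owner}. IN TXT "{value}"')
```

Because the value is bound to the account key and to a fresh token per order, a TXT value copied by hand to another DNS server before renewal can never match the one the next renewal expects.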
 

liebn0r
I suspect that the issue is that cPanel's AutoSSL process is adding an extraneous "local authority" check to wildcard subdomains instead of delegating that process to Let's Encrypt and allowing DNS-based DCV to proceed. If DNS-based DCV would occur, Let's Encrypt would check the TXT records and the tests would pass.
 

cPRex
I did mention earlier on that this type of implementation isn't something that we support, as we require the DNS to be hosted locally on the cPanel server for wildcard certificates to work properly. While that isn't necessarily something that Let's Encrypt enforces, we added that to the cPanel implementation for additional security. Official details are here in the blue "Note" box: The Let's Encrypt Plugin | cPanel & WHM Documentation

I can't speak for the Let's Encrypt tools outside of cPanel as that isn't something we test on our end, but everything does seem to be working as intended at this time. That was further confirmed by our Level 3 technicians, and the ticket was also escalated to management, so we did explore all the options of support for this particular issue.
 

liebn0r
It's all right here: Challenge Types - Let's Encrypt

DNS-01 challenge
This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!
...
Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone.
If you delegate the _acme-challenge subdomain from the root DNS to the cPanel server, the DNS is still technically hosted locally as a delegated zone. In my setup, if cPanel would just let Let's Encrypt run the DCV check, the test would pass and the certificates would be issued. But your implementation is specifically blocking that from happening due to internal rules that have nothing to do with Let's Encrypt's process.
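The two dig checks from earlier in the thread (does the parent zone delegate _acme-challenge with NS records, and does each delegated server actually answer a TXT query for it) as one script. This is an added example, not cPanel's or Let's Encrypt's code; it assumes the dnspython package for live queries, covers NS delegation only (not the CNAME option the docs also mention), and ships with constructed answers that reproduce the symptom described above so the logic runs offline.

```python
from typing import Callable, Dict, List, Optional
# lookup(name, rtype, nameserver) -> record strings. nameserver "" uses the system resolver;
# otherwise that server is asked directly (like `dig @ns`), accepting referral records from
# the authority section. Raises LookupError when there is no usable answer.
Lookup = Callable[[str, str, str], List[str]]

def dnspython_lookup(name: str, rtype: str, nameserver: str) -> List[str]:
    import dns.exception, dns.message, dns.query, dns.rdatatype, dns.resolver  # assumes dnspython
    try:
        if not nameserver:
            return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
        ip = dns.resolver.resolve(nameserver, "A")[0].to_text()
        resp = dns.query.udp(dns.message.make_query(name, rtype), ip, timeout=5)
        rrsets = [s for s in resp.answer + resp.authority
                  if s.rdtype == dns.rdatatype.from_text(rtype) and s.name.to_text(True) == name]
        if resp.rcode() != 0 or not rrsets:
            raise LookupError(f"{nameserver} gave no {rtype} for {name}")
        return [r.to_text() for r in rrsets[0]]
    except dns.exception.DNSException as exc:
        raise LookupError(str(exc)) from exc

# Constructed answers (not real DNS data) reproducing the thread's symptom: the parent
# zone delegates _acme-challenge, but one of the delegated servers does not answer.
CONSTRUCTED = {
    ("onezo.org", "NS", ""): ["parent-ns.example."],
    ("_acme-challenge.onezo.org", "NS", "parent-ns.example"): ["ns1.bid.glass.", "server.bid.glass."],
    ("_acme-challenge.onezo.org", "TXT", "ns1.bid.glass"): ['"constructed-dcv-value"'],
}
def constructed_lookup(name: str, rtype: str, nameserver: str) -> List[str]:
    try:
        return CONSTRUCTED[(name, rtype, nameserver)]
    except KeyError:
        raise LookupError("no answer") from None

def check_dns01_delegation(domain: str, lookup: Lookup = dnspython_lookup) -> Dict[str, object]:
    base = domain[2:] if domain.startswith("*.") else domain  # *.example validates at example
    name = f"_acme-challenge.{base}"
    report: Dict[str, object] = {"name": name, "delegated_to": [], "answers": {}, "ok": False}
    try:  # delegation as the parent zone publishes it (what `dig +trace` shows)
        parent = lookup(base, "NS", "")[0].rstrip(".")
        servers = [ns.rstrip(".") for ns in lookup(name, "NS", parent)]
    except LookupError:
        return report  # not delegated: the TXT record has to live in the parent zone itself
    answers: Dict[str, Optional[List[str]]] = {}
    for ns in servers:
        try:
            answers[ns] = lookup(name, "TXT", ns)
        except LookupError:
            answers[ns] = None  # delegated to, but not answering for the name
    # ok only when every delegated server answers, since the CA's resolver may ask any of them
    report.update(delegated_to=servers, answers=answers, ok=bool(servers) and None not in answers.values())
    return report
```

Run `check_dns01_delegation("onezo.org")` against live DNS, or with `constructed_lookup` to see the report for the constructed case.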