Addon Domain: Manage Subdomain(s) Only, not the Primary Domain

cPanel & WHM Version
92.0.10

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
Our Level 4 technician team was able to conclude that the custom workaround is a not a valid procedure, and it has since been removed from our support pages. I'm sorry if that document led you down the wrong path. They outlined another workaround that could potentially get things working, and also mentioned the certbot that Let's Encrypt has available.
 

liebn0r

Well-Known Member
Dec 7, 2017
48
7
8
USA
cPanel Access Level
Website Owner
They outlined another workaround that could potentially get things working
This is your Level 4 tech's solution:

So the solution is to change the _acme-challenge.onezo.org records at the name.com name servers from A to TXT.
Then it should pass DCV (via DNS) and issue the SSL.

Please try that and let me know if we can be of further assistance.
In other words, he's suggesting I set the TXT records at the remote root DNS (which, by the way, I've already stated multiple times that I don't have control over the remote root DNS except to ask clients to set NS records for the DCV subdomains to point to our DNS). The DCV subdomain TXT records are generated by cPanel and updated to the local DNS during the AutoSSL renewal process. How then would manually updating the TXT records at the remote root DNS before attempting AutoSSL renewal then solve this? New DCV values will be generated during the AutoSSL process and be assigned to the local DNS and not the remote DNS and the checks will fail. The whole point of delegating the NS for the DCV subdomains to the local DNS is to that they are considered the NS authority for those subdomains and therefore the local TXT records will be read and the checks will pass.

Sure, remove the article because clearly your team doesn't know how to get it to work.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
We removed the article not because we aren't able to get it to work, but because the workaround didn't appear to be valid with our testing. We don't want to have bad information out there.

The issue is that AutoSSL just isn't designed to do what you're trying. You'd have much better luck with the certbot tools handling this rather than trying to move AutoSSL certs to another location.
 

liebn0r

Well-Known Member
Dec 7, 2017
48
7
8
USA
cPanel Access Level
Website Owner
It still seems to me that the problem is that the system is attempting HTTP DCV on the wildcard subdomains rather than DNS DCV and/or the cPanel server is not giving answers for NS requests of the DCV subdomains, i.e. "dig _acme-challenge.onezo.org NS @ns1.bid.glass" even though a "dig +trace _acme-challenge.onezo.org NS" clearly shows the NS authority has been delegated to ns1.bid.glass (the same result when the NS is set to server.bid.glass we've tried both multiple times).
 

liebn0r

Well-Known Member
Dec 7, 2017
48
7
8
USA
cPanel Access Level
Website Owner
This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!
For wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we can invoke via the preferred-challenges=dns flag.
 

liebn0r

Well-Known Member
Dec 7, 2017
48
7
8
USA
cPanel Access Level
Website Owner
I suspect that the issue is that cPanel's AutoSSL process is adding an extraneous "local authority" check to wildcard subdomains instead of delegating that process to Let's Encrypt and allowing DNS-based DCV to proceed. If DNS-based DCV would occur, Let's Encrypt would check the TXT records and the tests would pass.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
I did mention earlier on that this type of implementation isn't something that we support, as we require the DNS to be hosted locally on the cPanel server for wildcard certificates to work properly. While that isn't necessarily something that Let's Encrypt enforces, we added that to the cPanel implementation for additional security. Official details are here in the blue "Note" box: The Let's Encrypt Plugin | cPanel & WHM Documentation

I can't speak for the Let's Encrypt tools outside of cPanel as that isn't something we test on our end, but everything does seem to be working as intended at this time. That was further confirmed by our Level 3 technicians, and the ticket was also escalated to management, so we did explore all the options of support for this particular issue.
 

liebn0r

Well-Known Member
Dec 7, 2017
48
7
8
USA
cPanel Access Level
Website Owner
It's all right here: Challenge Types - Let's Encrypt

DNS-01 challenge
This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!
...
Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone.
If you delegate the _acme-challenge subdomain from the root DNS to the cPanel server, the DNS is still technically hosted locally as a delegated zone. In my setup, if cPanel would just let Let's Encrypt run the DCV check, the test would pass and the certificates would be issued. But your implementation is specifically blocking that from happening due to internal rules that have nothing to do with Let's Encrypt's process.