Auto SSL issuing self signed certificates even though Let's Encrypt is on

Operating System & Version
Linux 3.10.0-862.14.4.el7.x86_64
cPanel & WHM Version
v88.0.5
Jun 1, 2020
cPanel Access Level
Reseller Owner
Hello, this is my first post so I hope it's in the correct place.

My server is having trouble issuing Let's Encrypt SSL certificates to new accounts added.

I haven't changed any settings and the Let's Encrypt option is selected as default; however, when I run auto SSL it's not activating, and under the "Manage SSL Hosts" section it is the only one showing "Self Signed" as the issuer.

I have tried to issue it a few times and I still get the same problem.

I've also done this on an account I've recently unsuspended and it's also having the same issue.

If anyone has any pointers or ideas why this may be happening, that would be very helpful.

Many thanks.


The error logs I am receiving are below

Log for the AutoSSL run for “testdomainname”: Monday, June 1, 2020 7:06:57 PM GMT+0100 (Let’s Encrypt™)

7:06:57 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
Analyzing “testdomainname”’s domains …
7:06:57 PM Analyzing “testdomainnames.co.uk” …
7:06:57 PM ERROR TLS Status: Defective
Certificate expiry: 6/1/21, 2:03 PM UTC (364.83 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
7:06:57 PM Attempting to ensure the existence of necessary CAA records …
7:06:57 PM No CAA records were created.
7:06:57 PM Verifying 9 domains’ DNS management …
Verifying “Let’s Encrypt™”’s authorization on 9 domains via DNS CAA records …
7:06:58 PM DNS manages “www.testdomainnames.co.uk”.
CA authorized: “testdomainnames.co.uk”
CA authorized: “*.testdomainnames.co.uk”
CA authorized: “www.testdomainnames.co.uk”
CA authorized: “mail.testdomainnames.co.uk”
CA authorized: “cpanel.testdomainnames.co.uk”
CA authorized: “webmail.testdomainnames.co.uk”
CA authorized: “webdisk.testdomainnames.co.uk”
CA authorized: “cpcontacts.testdomainnames.co.uk”
CA authorized: “cpcalendars.testdomainnames.co.uk”
“Let’s Encrypt™” is authorized to issue certificates for 9 of this user’s 9 domains.
DNS manages “testdomainnames.co.uk”.
DNS manages “mail.testdomainnames.co.uk”.
DNS manages “cpanel.testdomainnames.co.uk”.
DNS manages “webdisk.testdomainnames.co.uk”.
DNS manages “webmail.testdomainnames.co.uk”.
DNS manages “cpcontacts.testdomainnames.co.uk”.
DNS manages “cpcalendars.testdomainnames.co.uk”.
DNS manages “*.testdomainnames.co.uk”.
DNS manages 9 of this user’s 9 domains.
7:06:58 PM Performing HTTP DCV (Domain Control Validation) on 8 domains …
7:07:00 PM Local HTTP DCV OK: testdomainnames.co.uk
Local HTTP DCV OK: www.testdomainnames.co.uk
Local HTTP DCV OK: mail.testdomainnames.co.uk
WARN Local HTTP DCV error (cpanel.testdomainnames.co.uk): “cpanel.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (webdisk.testdomainnames.co.uk): “webdisk.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (webmail.testdomainnames.co.uk): “webmail.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (cpcontacts.testdomainnames.co.uk): “cpcontacts.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (cpcalendars.testdomainnames.co.uk): “cpcalendars.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
7:07:00 PM Enqueueing 6 domains (1 zone) for local DNS DCV …
7:07:00 PM Publishing DNS changes for local DNS DCV (1 zone) …
Querying DNS to confirm DCV changes …
7:07:07 PM Processing “testdomainname”’s local DCV results …
7:07:07 PM ERROR Local DNS DCV error (cpanel.testdomainnames.co.uk): The DNS query to “_cpanel-dcv-test-record.testdomainnames.co.uk” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=tfyvWzTRF_1GXsy4TjrCl9ynPOokhIUNyz2OfJ6si3TAMo2FzRA_c6c0Wu0EAC0I”.
ERROR Local DNS DCV error (webdisk.testdomainnames.co.uk): The DNS query to “_cpanel-dcv-test-record.testdomainnames.co.uk” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=tfyvWzTRF_1GXsy4TjrCl9ynPOokhIUNyz2OfJ6si3TAMo2FzRA_c6c0Wu0EAC0I”.
ERROR Local DNS DCV error (webmail.testdomainnames.co.uk): The DNS query to “_cpanel-dcv-test-record.testdomainnames.co.uk” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=tfyvWzTRF_1GXsy4TjrCl9ynPOokhIUNyz2OfJ6si3TAMo2FzRA_c6c0Wu0EAC0I”.
ERROR Local DNS DCV error (cpcontacts.testdomainnames.co.uk): The DNS query to “_cpanel-dcv-test-record.testdomainnames.co.uk” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=tfyvWzTRF_1GXsy4TjrCl9ynPOokhIUNyz2OfJ6si3TAMo2FzRA_c6c0Wu0EAC0I”.
ERROR Local DNS DCV error (cpcalendars.testdomainnames.co.uk): The DNS query to “_cpanel-dcv-test-record.testdomainnames.co.uk” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=tfyvWzTRF_1GXsy4TjrCl9ynPOokhIUNyz2OfJ6si3TAMo2FzRA_c6c0Wu0EAC0I”.
ERROR Local DNS DCV error (*.testdomainnames.co.uk): The DNS query to “_cpanel-dcv-test-record.testdomainnames.co.uk” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=tfyvWzTRF_1GXsy4TjrCl9ynPOokhIUNyz2OfJ6si3TAMo2FzRA_c6c0Wu0EAC0I”.
Analyzing “testdomainnames.co.uk”’s DCV results …
7:07:10 PM WARN Cpanel::SSL::Auto::ProviderDCV=HASH(0x2de6010): No DCV method for “webmail.testdomainnames.co.uk”! at /usr/local/cpanel/Cpanel/SSL/Auto/ProviderDCV.pm line 107. ...propagated at /usr/local/cpanel/Cpanel/SSL/Auto/Run/HandleVhost.pm line 241. ...caught at /usr/local/cpanel/Cpanel/SSL/Auto/Run/User.pm line 307.
7:07:10 PM The system has completed “testdomainname”’s AutoSSL check.
 

ffeingol

Without reading "every" line of the log, it looks like your domain does not actually resolve to your server. Let's Encrypt won't issue the certificate unless the domain resolves to your server. "testdomainnames.co.uk" does not appear to be a valid, registered domain, so it's not going to get issued a certificate.
 

cPanelLauren

@ffeingol is correct: based on the error, “testdomainnames.co.uk” does not resolve to an IP. This doesn't necessarily mean it ACTUALLY doesn't (though it can); it means that the check that's done isn't finding the IP address for the domain when it performs a DNS lookup.

What's the output on the server when you run the following?

Code:
/scripts/cpdig testdomainnames.co.uk A --verbose
(please ensure you remove any identifying information prior to responding as well)
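
A way to triage the AutoSSL log discussed in this thread, as an added example that is not part of the original posts and not cPanel code: it groups the DCV results per domain and lists the domains for which no validation method passed. The sample input is constructed by abbreviating lines from the log above, only message forms visible in that log are matched, and the hint texts are assumptions about what to check next.

```python
import re

# Constructed sample: lines abbreviated from the AutoSSL log quoted in this thread.
# The DCV token is replaced by the placeholder TOKEN.
SAMPLE_LOG = """\
7:07:00 PM Local HTTP DCV OK: testdomainnames.co.uk
Local HTTP DCV OK: www.testdomainnames.co.uk
WARN Local HTTP DCV error (cpanel.testdomainnames.co.uk): “cpanel.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (webmail.testdomainnames.co.uk): “webmail.testdomainnames.co.uk” does not resolve to any IP addresses on the internet.
7:07:07 PM ERROR Local DNS DCV error (cpanel.testdomainnames.co.uk): The DNS query for the DCV challenge returned no “TXT” record that matches the value “TOKEN”.
ERROR Local DNS DCV error (webmail.testdomainnames.co.uk): The DNS query for the DCV challenge returned no “TXT” record that matches the value “TOKEN”.
ERROR Local DNS DCV error (*.testdomainnames.co.uk): The DNS query for the DCV challenge returned no “TXT” record that matches the value “TOKEN”.
"""

# Only message forms that appear in the thread's log are matched.
OK_RE = re.compile(r"Local HTTP DCV OK: (\S+)")
ERR_RE = re.compile(r"Local (HTTP|DNS) DCV error \(([^)]+)\): (.*)")

# Suggested next checks (assumptions added here, not cPanel output).
HINTS = {
    "does not resolve": "no address record visible in DNS for this hostname",
    "returned no “TXT” record": "TXT challenge not visible: confirm which nameservers serve the zone",
}

def summarize(log):
    """Return {domain: {"HTTP": status, "DNS": status, "hints": [...]}} from log text."""
    result = {}
    for line in log.splitlines():
        ok, err = OK_RE.search(line), ERR_RE.search(line)
        if ok:
            method, domain, status, reason = "HTTP", ok.group(1), "ok", ""
        elif err:
            method, domain, status, reason = err.group(1), err.group(2), "failed", err.group(3)
        else:
            continue
        entry = result.setdefault(domain, {"HTTP": None, "DNS": None, "hints": []})
        entry[method] = status
        for key, hint in HINTS.items():
            if key in reason and hint not in entry["hints"]:
                entry["hints"].append(hint)
    return result

def without_passing_dcv(summary):
    """Domains for which no DCV method succeeded in this run."""
    return sorted(d for d, e in summary.items() if "ok" not in (e["HTTP"], e["DNS"]))

if __name__ == "__main__":
    for domain, entry in summarize(SAMPLE_LOG).items():
        print(domain, entry)
```
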
 

cPanelLauren

Hi @digitalrefresh

That administrator was me :) and yeah, you'd replace the example domain name with the real one when you run it. Just change any IP addresses or real domain names associated with you before responding with it.