AutoSSL DNS DCV – Returned No "TXT" Record


Deleted member 868887

Guest
Hello,

My logs show the following error for a number of sites:

1:29:45 AM ERROR Local DNS DCV error (mwge.org): The DNS query to “_cpanel-dcv-test-record.mwge.org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=A4iuwIK.....”.

Do I need to manually add a TXT record for the DNS DCV to work correctly? I've come across this documentation page but haven't found any other instructions that can guide me through the process. For example: What would I input as "host" for the record? Are the TXT record values only available when they appear as errors in the AutoSSL logs? etc.

Thank you,
JP
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello JP,

DNS-based domain control validation with the AutoSSL feature is new in cPanel & WHM version 74. For anyone else viewing this thread, here's the relevant section of the Release Notes that you linked to:

In cPanel & WHM version 74, we added DNS-based Domain Control Validation (DCV), which the server automatically runs if HTTP-based DCV fails. DNS-based DCV provides an additional method for cPanel & WHM servers to prove domain control to certificate authorities. This new method will significantly improve SSL issuance rates and reduce AutoSSL notifications.
As part of the DNS-based DCV method, a DNS record (CNAME record for Comodo, TXT record for Let's Encrypt) is automatically added to the domain name's DNS zone on the cPanel & WHM server. The DNS record in the DNS zone for the domain name is added/removed/modified automatically as needed (Comodo and Let's Encrypt have different requirements for the DNS records).

1:29:45 AM ERROR Local DNS DCV error (domain.org): The DNS query to “_cpanel-dcv-test-record.domain.org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=A4iuwIK.....”.
This error message suggests the DNS for the domain name in question is not hosted on the cPanel & WHM server. Can you confirm the DNS for the affected domain name is managed on a remote server? If so, note the DNS-based DCV functionality is primarily designed to work when the DNS for a domain name is hosted by the local cPanel & WHM server (or the servers in a supported DNS cluster environment). You might be able to work around this through the use of a custom script if the remote DNS host provides an API for you to use; however, manually adding the records at the remote DNS provider isn't really a viable option at this point because the DCV request will time out if the record isn't propagated within a short window of time after AutoSSL is initiated.

Thank you.
 

Deleted member 868887

Guest
Hi Michael,

Thanks for your reply. Yes, I can confirm that the DNS for the affected domain name is managed on a remote server (the domain is registered via GoDaddy and I handle the majority of my DNS configuration through their interface).

I've actually been following along on this feature request for over a year now and have been very much looking forward to this feature. I was very excited when I saw that it was being implemented in cPanel & WHM version 74 but I obviously wasn't aware that it would involve this limitation, so this is a bit disappointing.

I spoke with my remote DNS provider and they said that the custom script/API idea wouldn't be possible. If you have any other potential workaround ideas, I would be very interested to hear :)

Thank you,
JP
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello JP,

Have you considered setting up your own name servers and managing the DNS for your domain names on the cPanel & WHM servers (or on a DNS-Only server through the use of the DNS clustering feature)? This is the best approach as the automatically populated records in the DNS zones would then be picked up by the AutoSSL feature.

Thank you.
 

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
833
28
178
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
I think there's a little bit of a larger issue. If a domain has to rely on DNS-based DCV validation, there seems to be an issue where every time it tries to do so, it generates a new DCV string in the zone and causes the API to fail its own DNS check due to propagation, since the domain may be resolving to its previous TXT record and the API is validating against the new one.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
I think there's a little bit of a larger issue. If a domain has to rely on DNS-based DCV validation, there seems to be an issue where every time it tries to do so, it generates a new DCV string in the zone and causes the API to fail its own DNS check due to propagation, since the domain may be resolving to its previous TXT record and the API is validating against the new one.
Hi Vanessa,

The local DNS-based DCV occurs first and uses TXT records, all of which have _cpanel-dcv-test-record as their record name. Only one local DNS-based DCV can happen per DNS zone at a time. The ~/.cpanel/dns_dcv_lock file is used as a filesystem-based mutex, and the process that owns a lock on that path is the only one that can do DNS-based DCV for the user at that time.

I've not seen any additional reports of the issue you described occurring. Can you outline the step-by-step instructions on how to reproduce that behavior?

Thank you.
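To make the comparison behind the "returned no TXT record that matches the value" error concrete, here is an added example (my own code, not cPanel's) that queries the `_cpanel-dcv-test-record.<domain>` name Michael describes and checks each authoritative name server separately, so a server still serving an older challenge value (the propagation problem Vanessa raised) shows up as "stale" rather than as a bare failure. The resolver is pluggable: the live one assumes the `dnspython` package is installed and that name servers are given as IP addresses; the sample run uses a constructed in-memory resolver with placeholder tokens and server names.

```python
"""Offline-testable check of the DNS-based DCV TXT record that AutoSSL looks for.

Added example, not cPanel's code. It reproduces the "does any TXT record at
_cpanel-dcv-test-record.<domain> equal the expected value" comparison and
extends it to every authoritative name server, so a stale record on one of
them is visible.
"""
from typing import Callable, Dict, Iterable, List

DCV_LABEL = "_cpanel-dcv-test-record"   # record name used by the local DNS DCV
DCV_PREFIX = DCV_LABEL + "="             # TXT value has the form "<label>=<token>"

# A resolver takes (record_name, nameserver) and returns the TXT strings found.
TxtResolver = Callable[[str, str], List[str]]


def dcv_record_name(domain: str) -> str:
    """Host name AutoSSL queries for the challenge: _cpanel-dcv-test-record.<domain>."""
    return f"{DCV_LABEL}.{domain.strip().rstrip('.').lower()}"


def normalise_txt(value: str) -> str:
    """Join quoted 255-byte TXT chunks ('"abc" "def"') and drop the surrounding quotes."""
    parts = [p.strip() for p in value.strip().split('" "')]
    return "".join(p.strip('"') for p in parts)


def record_matches(txt_values: Iterable[str], expected_value: str) -> bool:
    """True if any TXT string equals the expected challenge value (prefix added if absent)."""
    expected = expected_value if expected_value.startswith(DCV_PREFIX) else DCV_PREFIX + expected_value
    return any(normalise_txt(v) == expected for v in txt_values)


def check_dcv(domain: str, expected_value: str, nameservers: Iterable[str],
              resolve: TxtResolver) -> Dict[str, str]:
    """Return {nameserver: 'ok' | 'stale' | 'missing' | 'error: ...'} for the DCV record."""
    name = dcv_record_name(domain)
    report: Dict[str, str] = {}
    for ns in nameservers:
        try:
            values = resolve(name, ns)
        except Exception as exc:  # network or DNS error on this server only
            report[ns] = f"error: {exc}"
            continue
        if not values:
            report[ns] = "missing"
        elif record_matches(values, expected_value):
            report[ns] = "ok"
        else:
            report[ns] = "stale"  # a challenge record exists but it is not the current value
    return report


def dcv_would_pass(report: Dict[str, str]) -> bool:
    """The CA may ask any authoritative server, so require every server to agree."""
    return bool(report) and all(status == "ok" for status in report.values())


def resolve_txt_dnspython(name: str, nameserver: str) -> List[str]:
    """Live resolver (assumption: dnspython is installed; nameserver is an IP address)."""
    import dns.resolver  # imported lazily so the offline parts run without it
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [nameserver]
    try:
        answer = resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [rdata.to_text() for rdata in answer]


if __name__ == "__main__":
    # Constructed sample: one server has the current token, one still serves
    # the previous run's token, one has no record at all.
    fake_zone = {
        "ns1.example.invalid": ['"_cpanel-dcv-test-record=TOKENNEW"'],
        "ns2.example.invalid": ['"_cpanel-dcv-test-record=TOKENOLD"'],
        "ns3.example.invalid": [],
    }
    result = check_dcv("example.org", "TOKENNEW", fake_zone.keys(),
                       lambda n, ns: fake_zone[ns])
    for server, status in result.items():
        print(f"{server}: {status}")
    print("DCV would pass:", dcv_would_pass(result))
```

Run against real servers by passing `resolve_txt_dnspython` and the IP addresses of the domain's authoritative name servers; the expected token is the value quoted in the AutoSSL log line.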
 

computica

Member
Jun 14, 2008
19
6
53
Hello JP,

DNS-based domain control validation with the AutoSSL feature is new in cPanel & WHM version 74. For anyone else viewing this thread, here's the relevant section of the Release Notes that you linked to:

As part of the DNS-based DCV method, a DNS record (CNAME record for Comodo, TXT record for Let's Encrypt) is automatically added to the domain name's DNS zone on the cPanel & WHM server. The DNS record in the DNS zone for the domain name is added/removed/modified automatically as needed (Comodo and Let's Encrypt have different requirements for the DNS records).

This error message suggests the DNS for the domain name in question is not hosted on the cPanel & WHM server. Can you confirm the DNS for the affected domain name is managed on a remote server? If so, note the DNS-based DCV functionality is primarily designed to work when the DNS for a domain name is hosted by the local cPanel & WHM server (or the servers in a supported DNS cluster environment). You might be able to work around this through the use of a custom script if the remote DNS host provides an API for you to use; however, manually adding the records at the remote DNS provider isn't really a viable option at this point because the DCV request will time out if the record isn't propagated within a short window of time after AutoSSL is initiated.

Thank you.
I just started getting these errors since I think this is the first time a check has happened since I upgraded to v74. Can you clarify this a little more in plain words? Are you saying that we MUST host the DNS on the local server now and not a remote server? I've been using GoDaddy's DNS since it will always be up (or SHOULD be), and if my local server goes down for some reason, then things like email wouldn't work if the MX records aren't available. I'm fine with websites being down a bit, but if websites AND email (especially email) are down, that's a big problem.

Is there any way around this besides the API method?

Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Are you saying that we MUST host the DNS on the local server now and not a remote server?
Hello @computica,

Hosting the DNS for a domain on the local cPanel server is not an overall requirement when using cPanel & WHM. It's only a requirement if you want to take advantage of the DNS-based validation process with AutoSSL. AutoSSL still uses HTTP-based validation as well (in fact, it tries this first).

Could you open a support ticket so we can take a closer look at the account and determine why the HTTP-based validation for AutoSSL failed on that account? You can post the ticket number here and we'll link it to this thread.

Thank you.
 

johnny_n

Member
May 12, 2009
6
1
53
Whether one has access to the remote DNS seems irrelevant since every time AutoSSL runs, it generates a new DCV code - so it's never possible to update outside DNS. Is this correct?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Whether one has access to the remote DNS seems irrelevant since every time AutoSSL runs, it generates a new DCV code - so it's never possible to update outside DNS. Is this correct?
Hello @johnny_n,

While it might be possible to get DNS-based DCV to succeed when a domain's DNS is hosted on a remote server, it would require that you make use of AutoSSL hooks and set up a custom script that automatically pushes the DNS record changes to the remote DNS server immediately after the AutoSSL process starts (the remote DNS provider would also need to offer API/integration tools to support this). Manually adding the records at the remote DNS provider isn't really a viable option at this point because the DCV request will time out if the record isn't propagated within a short window of time after AutoSSL is initiated.

Thank you.
 

TechGuru21

Registered
Feb 26, 2019
1
0
1
Detroit
cPanel Access Level
Website Owner
So what is the fix to using AutoSSL for a domain that is externally managed through GoDaddy or whichever DNS service? I am currently running into this issue with a certificate that worked a year ago, and now this upcoming March renewal is flagging the same issue as listed above.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
So what is the fix to using AutoSSL for a domain that is externally managed through GoDaddy or whichever DNS service? I am currently running into this issue with a certificate that worked a year ago, and now this upcoming March renewal is flagging the same issue as listed above.
Hello @TechGuru21,

AutoSSL still uses HTTP-based validation first, so using a remote DNS hosting provider should not prevent successful validations. Feel free to open a support ticket if you'd like us to troubleshoot why AutoSSL is failing to validate using the HTTP-based validation method.

Thank you.