AutoSSL DNS DCV useless when running over CPanel DNS Cluster

[FusedT]

We've got a DNS cluster with AWS Route53 providing the service (via special plugin). As such, there's some delay between when cluster returns that the record has been updated and the actual update, and that might take up to 60 seconds according to AWS docs.

We're running autossl for wildcard domains now and they only support DNS DCV, as such, autossl updates the record and then almost immediately asks letsencrypt to check it, and of course, gets the old record because not enough time has passed.

I've opened a ticket, #93454103 , but they've provided useless response suggesting submitting a feature request.

So anyone deciding to run a dns cluster with dns dcv, beware of this pitfall.

 

[cPanelLauren]

Hello,


Can you explain the "special plugin" you're using for DNS clustering? Is it correct to assume from that, that you're not using cPanel's DNS Clustering?

I also checked the ticket in which our analyst let you know that the delay you're requesting isn't something that cPanel currently includes in the Let's Encrypt Module we provide and while It is understood that this is something you would like to see occur in the product it is not something I'd call a useless response, and most certainly is something that is best suited to be a feature request. Our support analysts can't help you with a configuration change to an application like this, all of this is packed into a module they wouldn't be permitted to change.

Furthermore, the changes you're referencing are not a part of the official cPanel Let's Encrypt plugin, this is for a separate paid plugin Fleet SSL (it used to be: Let's Encrypt for cPanel) which you are welcome to install but do note that this is not provided by or supported by cPanel in any way.

Another avenue if you would not like to open a Feature request to request that cPanel's Let's Encrypt plugin support this functionality is to use certbot which also supports this delay, This is Let's Encrypt's officially recommended plugin and would allow you to configure it to your specifications and needs

 

[FusedT]

We're using DNS clustering from CPanel, and the plugin was written according to cpanel guides.

I have mentioned 3rd party LetsEncrypt plugin (that we don't use) because it implements that option while yours built-in doesn't. certbot's a good idea, but not on wide-scale hosting.

 

[cPanelLauren]

I have mentioned 3rd party LetsEncrypt plugin (that we don't use) because it implements that option while yours built-in doesn't. certbot's a good idea, but not on wide-scale hosting.

To be completely honest Let's Encrypt is great but not if you have a lot of domains/virtualhosts since they ratelimit. But I can't say that AutoSSL with Sectigo would support this delay either so you're looking at either FleetSSL or Certbot - if this delay needs to be respected. the only other thing i can think of is to write a custom script that initiates an AutoSSL run after a delay of X minutes once a new account is created - Account creation is a hookable event