autossl "does not control DNS for the <domain> domain"

dev.null

Suddenly my autossl has reduced coverage.

I have one domain that is wordpress multi-user (hosts multiple websites). I park a number of other domains on it.

The other domains (about 10) it hosts are set up as separate cPanel accounts; that way their emails, etc. are all separate. And those domains have other functions they need to do, so having them in separate home directories is practically a necessity.

Autossl behaved until now. Today a new cert got issued missing all the other domains, and I see this repeatedly in the autossl log:

Code:
<main domain> does not control DNS for the “<parked domain>” domain

Searching around I found that having "Allow unregistered domains" and "Allow remote domains" enabled can work around this.

I have them enabled, but it still leaves those domains out.

How can I get autossl to correctly add these domains back in?
 

cPanelLauren

Product Owner
Staff member
I'm not sure how you came to the conclusion that allowing unregistered and remote domains would be a viable workaround for this specific issue, but that would be incorrect. If AutoSSL is unable to identify the IP address for the domain, or it finds when its query is run that the IP is not one it recognizes on the server, you will receive this error.

Some preliminary questions:

  1. Did the cert get issued to ANY domains on the server?
  2. Do you have root access to the server? If yes:
    1. Are there any redirects in place for the domains?
    2. Is the server NAT routed?
  3. Does the domain actually resolve to the server? The IP the error notes would be a clue to this; if it's not an IP on the server, you should check the domain's DNS.
  4. Does the output of the following match what the domain should resolve to?

     Code:
     /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain("REPLACEWITHYOURDOMAIN.TLD"));'
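
The comparison behind questions 2.2, 3 and 4 above, as an added example that is not part of the original post and is not cPanel's code: it takes the addresses a domain resolves to and checks them against the IPs the server answers on, including the public side of a 1:1 NAT mapping. The function names, the NAT table layout and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_nat_map(text):
    """Parse 'local_ip public_ip' pairs, one per line (layout constructed for this example)."""
    nat = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        local, public = line.split()  # ValueError on a malformed line
        nat[ipaddress.ip_address(local)] = ipaddress.ip_address(public)
    return nat

def classify_dns(resolved, local_ips, nat_map):
    """Compare a domain's A records with the addresses this server answers on.

    Returns (status, foreign); foreign lists resolved IPs that are not the server's.
    """
    if not resolved:
        return ("no_address", [])          # DNS returned no A record to match
    records = {ipaddress.ip_address(ip) for ip in resolved}
    # A NAT-routed server binds private IPs; the outside world sees the mapped public ones.
    reachable = set()
    for ip in map(ipaddress.ip_address, local_ips):
        reachable.add(ip)
        if ip in nat_map:
            reachable.add(nat_map[ip])
    foreign = [str(ip) for ip in sorted(records - reachable)]
    if not foreign:
        return ("ok", [])
    if records & reachable:
        return ("mixed", foreign)          # some records point at another host
    return ("foreign", foreign)            # domain does not resolve to this server

if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    nat = parse_nat_map("10.0.0.5 203.0.113.5  # local -> public\n")
    local = ["10.0.0.5"]
    for name, answers in {
        "parked-ok.example": ["203.0.113.5"],
        "parked-moved.example": ["198.51.100.7"],
        "parked-split.example": ["203.0.113.5", "198.51.100.7"],
        "parked-nodns.example": [],
    }.items():
        print(name, classify_dns(answers, local, nat))
```

Feed it the addresses printed by the command above; a "foreign" result that turns into "ok" once the NAT table is supplied points at the NAT mapping rather than at the domain's DNS.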
 

Karl

We're finding the same issue on some servers now renewal time has come round. If they are using 3rd party nameservers they are failing, even when they resolve to the server IP.

1) Yes
2.1) No
2.2) No
3) Yes
4) Yes
 

cPanelLauren

@Karl

If I'm reading your response correctly:

  • Specific domains did not get a certificate issued
  • Those domains do not have any redirects (including redirection to https)
  • The command provided shows the correct IP which matches that of the server

What is the error message exactly that you're seeing in the autoSSL logs?