Autossl does not work for addon domain root name but works with www

jibu

Member
The main domain and the addon DNS are managed externally; however, the A record resolves to a server IP. The AutoSSL DCV works for all except the addon subdomain, as it does not have an A record in the external DNS zone record. Anyway, the issue is that the AutoSSL that gets issued for the addon is for CN = www.addondomain.tld, so the SSL does show correctly for addondomain.tld (without www). Below is the AutoSSL log.

Code:
Log for the AutoSSL run for “user”: Tuesday, August 6, 2019 1:39:21 AM GMT+05-30 (cPanel (powered by Sectigo))
 1:39:21 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
 This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
 Checking websites for “user” …
 1:39:22 AM Analyzing “subdomain.domain.tld” …
 1:39:22 AM TLS Status: Incomplete
 Certificate expiry: 10/12/19, 12:00 AM UTC (67.16 days from now)
 1:39:22 AM Analyzing “domain.tld” …
 1:39:22 AM SUCCESS TLS Status: OK
 Certificate expiry: 10/12/19, 12:00 AM UTC (67.16 days from now)
 1:39:22 AM Performing DCV (Domain Control Validation) …
 1:39:22 AM Local HTTP DCV OK: addondomain.tld
 Local HTTP DCV OK: www.addondomain.tld (via addondomain.tld)
 Local HTTP DCV OK: mail.addondomain.tld (via addondomain.tld)
 WARN Local HTTP DCV error (subdomain.domain.tld): “subdomain.domain.tld” does not resolve to any IP addresses on the internet.
 Local HTTP DCV OK: cpanel.addondomain.tld (via addondomain.tld)
 Local HTTP DCV OK: webdisk.addondomain.tld (via addondomain.tld)
 Local HTTP DCV OK: webmail.addondomain.tld (via addondomain.tld)
 WARN Local HTTP DCV error (www.subdomain.domain.tld): “www.subdomain.domain.tld” does not resolve to any IP addresses on the internet.
 Local HTTP DCV OK: autodiscover.addondomain.tld (via addondomain.tld)
 1:39:29 AM ERROR Local DNS DCV error (subdomain.domain.tld): The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=c2vwKS3AnmYF0ofadsPgueOq_mrSlvLfdatxoE2sbARrK_ngwsd8b7VTpIZ9yMSQR6”.
 ERROR Local DNS DCV error (www.subdomain.domain.tld): The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=c2vwKS3AnmYF0oeuPgueOq_mrSlvhseftxoE2sbARrK_ngwsd8b7VTpIZ9yMSQR6”.
 1:39:29 AM Analyzing “subdomain.domain.tld”’s DCV results …
 1:39:29 AM local DCV has gained domains
 ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
 1:39:29 AM The system has completed the AutoSSL check for “user”.
 

cPanelLauren

Product Owner II
Staff member
The output you've provided indicates that the domain is clearly passing the DCV check:

Code:
Local HTTP DCV OK: addondomain.tld
 Local HTTP DCV OK: www.addondomain.tld (via addondomain.tld)
 Local HTTP DCV OK: mail.addondomain.tld (via addondomain.tld)
What isn't passing the domain control validation is a subdomain:

Code:
1:39:29 AM ERROR Local DNS DCV error (subdomain.domain.tld): The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=c2vwKS3AnmYF0ofadsPgueOq_mrSlvLfdatxoE2sbARrK_ngwsd8b7VTpIZ9yMSQR6”.
 ERROR Local DNS DCV error (www.subdomain.domain.tld): The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=c2vwKS3AnmYF0oeuPgueOq_mrSlvhseftxoE2sbARrK_ngwsd8b7VTpIZ9yMSQR6”.
If you haven't implemented an A record for this subdomain where you have DNS hosted for the root domain then this won't be able to pass.
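
The reading of the log given in the reply above can be automated. The following is an added example, not part of the original posts and not cPanel code: it groups the DCV lines of an AutoSSL log by name and lists the names for which no validation method passed, next to any impediment code. The sample log is constructed from the one in this thread with the token values replaced by a placeholder, and the "DNS DCV OK" line format is an assumption made by analogy with the HTTP one.

```python
import re

# Constructed sample modelled on the AutoSSL log in this thread; the DCV
# token values are replaced with the placeholder "<token>".
SAMPLE_LOG = """\
 1:39:22 AM Performing DCV (Domain Control Validation) …
 1:39:22 AM Local HTTP DCV OK: addondomain.tld
 Local HTTP DCV OK: www.addondomain.tld (via addondomain.tld)
 WARN Local HTTP DCV error (subdomain.domain.tld): “subdomain.domain.tld” does not resolve to any IP addresses on the internet.
 WARN Local HTTP DCV error (www.subdomain.domain.tld): “www.subdomain.domain.tld” does not resolve to any IP addresses on the internet.
 1:39:29 AM ERROR Local DNS DCV error (subdomain.domain.tld): The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “<token>”.
 ERROR Local DNS DCV error (www.subdomain.domain.tld): The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “<token>”.
 ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
"""

# The HTTP forms appear in the thread's log; the DNS "OK" form is assumed.
OK_RE = re.compile(r"Local (HTTP|DNS) DCV OK: (\S+)")
ERR_RE = re.compile(r"Local (HTTP|DNS) DCV error \(([^)]+)\)")
IMPEDIMENT_RE = re.compile(r"Impediment: ([A-Z_]+):")


def summarize_dcv(log_text):
    """Return ({name: {method: 'ok' | 'error'}}, [impediment codes])."""
    results, impediments = {}, []
    for line in log_text.splitlines():
        for regex, status in ((OK_RE, "ok"), (ERR_RE, "error")):
            m = regex.search(line)
            if m:
                method, name = m.group(1).lower(), m.group(2)
                results.setdefault(name, {})[method] = status
        m = IMPEDIMENT_RE.search(line)
        if m:
            impediments.append(m.group(1))
    return results, impediments


def failed_every_method(results):
    """Names for which no DCV method (HTTP or DNS) succeeded."""
    return sorted(n for n, r in results.items() if "ok" not in r.values())


if __name__ == "__main__":
    results, impediments = summarize_dcv(SAMPLE_LOG)
    print("passed:", sorted(n for n, r in results.items() if "ok" in r.values()))
    print("failed every method:", failed_every_method(results))
    print("impediments:", impediments)
```
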
 

cPanelMichael

Administrator
Staff member
Hello :)

We introduced a script in cPanel & WHM version 80 to help troubleshoot these types of issues:

Implemented case CPANEL-25062: Add “scripts/cpdig” as a diagnostic tool for DNS lookups.

Here's a look at the script's contents:

Perl:
#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/cpdig                           Copyright 2019 cPanel, L.L.C.
#                                                           All rights reserved.
# [email protected]                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::cpdig;

use strict;
use warnings;

=encoding utf-8

=head1 NAME

cpdig

=head1 USAGE

    cpdig <name> <type>

=head1 DESCRIPTION

This script performs a DNS query using cPanel’s custom DNS resolver.
Its output should yield the same end results as C<dig +trace $name $type>.

cPanel provides this script solely for diagnostic purposes; no cPanel
& WHM feature requires its use.

=cut

use parent qw( Cpanel::HelpfulScript );

use Cpanel::DnsRoots::Resolver;

use constant _OPTIONS        => ();
use constant _ACCEPT_UNNAMED => 1;

__PACKAGE__->new(@ARGV)->run() if !caller;

sub run {
    my ($self) = @_;

    my ( $name, $type ) = $self->getopt_unnamed();
    die $self->help() if grep { !$_ } $name, $type;

    my $dns = Cpanel::DnsRoots::Resolver->new();

    $self->_print("$_\n") for $dns->recursive_query( $name, $type );

    return;
}

1;
For example, to check how a "TXT" record resolves:

Code:
/scripts/cpdig subdomain.domain.tld TXT
Or, to check how an "A" record resolves:

Code:
/scripts/cpdig subdomain.domain.tld A
Thank you.
 

jibu

Member
Yes, the domain is definitely passing the DCV, and hence this question. The addondomain.tld does not get the SSL active even after the DCV; however, the same www.addondomain.tld gets the SSL with no issues. Anyway, I had already requested the client to set up an A record for the subdomain.maindomain.tld (addondomain's subdomain), and once that resolved, the SSL got active for the addondomain.tld.

Thank you Script Michael, this would certainly help us all.
 