SOLVED AutoSSL - Domain failed domain control validation

Discussion in 'Security' started by ItsMattSon, Feb 13, 2017.

  1. ItsMattSon

    ItsMattSon Well-Known Member

    Joined:
    Sep 5, 2016
    Messages:
    125
    Likes Received:
    27
    Trophy Points:
    28
    Location:
    Perth
    cPanel Access Level:
    Root Administrator
    Hi guys,

    When I "Check" a domain in SSL/TLS > Manage AutoSSL, it shows this in the log. Can anyone tell me what it means and what's required to rectify?

    NOTE: My domain is at a registrar that is not my host and I'm pretty sure there's no CNAME for "mail". Is that related?

    9:53:45 PM This system has AutoSSL set to use “cPanel (powered by Comodo)”.
    9:53:45 PM Checking websites for “lols” …
    9:53:46 PM The website “mysite.com”, owned by “lols”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.mysite.com”. The system will attempt to replace this certificate with one that includes this additional domain.
    9:53:46 PM WARN The domain “mail.mysite.com” failed domain control validation: “mail.mysite.com” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 562.
    9:53:46 PM WARN All of “mysite.com”’s unsecured domains failed domain control validation. AutoSSL skip this website. at bin/autossl_check.pl line 437.

    9:53:46 PM The system has completed the AutoSSL check for “lols”.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Matt,

    AutoSSL is attempting to generate the SSL certificate for the "mail" subdomain for use with Exim/Dovecot as part of the "Domain TLS" feature documented at:

    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    However, it looks like it's failing because mail.domain.tld does not resolve to an IP address. You'd need to set up an "A" record or "CNAME" record for "mail" at the DNS hosting provider for the domain name so it resolves to the IP address associated with the account.

    Thank you.
     
  3. ItsMattSon

    Thanks @cPanelMichael, that did the trick :)

    I added a CNAME record for 'mail' and ran AutoSSL again and no errors. I can also now reach https://mail.domain.tld in the browser and see its certificate alive and well.

    It shows a 403 Forbidden page when I go there though, suppose that's normal? Tbh I'm actually not sure of the purpose of mail.domain.tld and why I need it. Would you know a scenario in which it is used?
     
  4. cPanelMichael

    Hello,

    The mail subdomain is not required; however, it's useful for customers that use that hostname when setting up their email clients. Here's a quote from the cPanel 60 Release Notes regarding Mail SNI:

    Access attempts to mail.domain.tld typically result in the display of the default website page. You can review /usr/local/apache/logs/error_log to help determine why it's showing the forbidden error message on your system.

    Thanks!
     
    ItsMattSon likes this.
  5. ItsMattSon

    Hi cPanelMichael,

    After setting up some DNS records between then and now I haven't seen the 403 forbidden again. Your information was great though because I feel comfortable with the mail subdomain now and why it's there. Plus, you helped me figure out a different problem with why mail.domain.tld would always go to www.mail.domain.tld (which was due to my poorly constructed rewrite rule in my .htaccess enforcing https and a second to force www.)

    Much appreciated!
     
    cPanelMichael likes this.
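
Added example (not part of the thread and not cPanel code): a small Python helper that pulls the per-domain DCV failures out of an AutoSSL log like the one in the first post, then checks whether each name resolves to an IPv4 address belonging to the account. The function names and the address 192.0.2.10 are assumptions made for illustration, and the sample log is constructed from the lines quoted above.

```python
import re
import socket

# Constructed sample, modelled on the log lines quoted in the first post.
SAMPLE_LOG = (
    "9:53:46 PM WARN The domain “mail.mysite.com” failed domain control "
    "validation: “mail.mysite.com” does not resolve to any IPv4 addresses "
    "on the internet. at bin/autossl_check.pl line 562.\n"
    "9:53:46 PM WARN All of “mysite.com”’s unsecured domains failed domain "
    "control validation. AutoSSL skip this website. at bin/autossl_check.pl "
    "line 437.\n"
)

# Per-domain failure line: domain in curly quotes, then the reason, then the
# Perl "at <file> line <n>." suffix.
DCV_FAIL = re.compile(
    r"WARN The domain “([^”]+)” failed domain control validation: "
    r"(.+?) at bin/\S+ line \d+\."
)

def failed_dcv_domains(log_text):
    """Return {domain: reason} for each per-domain DCV failure in the log."""
    return {m.group(1): m.group(2) for m in DCV_FAIL.finditer(log_text)}

def system_resolver(host):
    """IPv4 addresses for host from the local resolver, or [] if none.
    The local resolver also consults /etc/hosts, so run this from a machine
    outside the server to see what the CA's validator would see."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def dcv_precheck(host, server_ips, resolve=system_resolver):
    """Classify host as 'no-ipv4', 'points-elsewhere' or 'ok'."""
    addrs = resolve(host)
    if not addrs:
        return "no-ipv4"
    return "ok" if set(addrs) & set(server_ips) else "points-elsewhere"

if __name__ == "__main__":
    for domain, reason in failed_dcv_domains(SAMPLE_LOG).items():
        # 192.0.2.10 is a placeholder for the account's IP address.
        print(domain, dcv_precheck(domain, ["192.0.2.10"]), "|", reason)
```

A result of "points-elsewhere" means the record exists but does not lead to this server, so adding the "A" or "CNAME" record is not enough until it targets the account's IP address.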