Autossl failing for all domains if single subdomain fails

Discussion in 'Security' started by greatwitenorth, Jan 23, 2019.

  1. greatwitenorth

    greatwitenorth Member

    cPanel Access Level:
    Root Administrator
    I'm using AutoSSL with cPanel 76.0.18 using Let's Encrypt as the provider. Recently some domains which are not using my server as their nameserver started to fail the DCV check when renewing a certificate. The weird part is that only one subdomain for the entire account fails (all others pass via HTTP check) but this results in no certificates being installed for any domains. Here are the logs:
    Code:
    Log for the AutoSSL run for “rempelin”: Wednesday, January 23, 2019 12:12:21 PM GMT-0600 (Let’s Encrypt™)
    12:12:21 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
    Checking websites for “rempelin” …
    12:12:21 PM Analyzing “example.com” …
    12:12:21 PM TLS Status: Ready for Renewal
    WARN Certificate expiry: 1/31/19, 12:00 AM UTC (7.24 days from now)
    12:12:21 PM Performing DCV (Domain Control Validation) …
    12:12:22 PM Local HTTP DCV OK: example.ca
    Local HTTP DCV OK: example.com
    Local HTTP DCV OK: www.example.ca
    Local HTTP DCV OK: mail.example.ca
    Local HTTP DCV OK: www.example.com
    WARN Local HTTP DCV error (mail.example.com): “mail.example.com” does not resolve to any IPv4 addresses on the internet.
    Local HTTP DCV OK: cpanel.example.com
    Local HTTP DCV OK: webdisk.example.com
    Local HTTP DCV OK: webmail.example.com
    12:12:29 PM ERROR Local DNS DCV error (mail.example.com): The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=PrdxBl_HvnyJS3U1wwaBV1Z2losScoUC4twNPCfwKuxMBaLhzofhhbpEWLE49MfV”.
    12:12:29 PM Analyzing “example.com”’s DCV results …
    12:12:29 PM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
    12:12:29 PM The system has completed the AutoSSL check for “rempelin”.
    
    I'd expect verification to fail for mail.example.com and in turn no SSL certificate to be installed. But I would expect that example.com should receive a new certificate since it passed.

    What am I missing here? The only way to solve this is to manually go into every account and disable AutoSSL for the particular subdomain that is failing.
     
    #1 greatwitenorth, Jan 23, 2019
    Last edited by a moderator: Jan 23, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    cPanel Access Level:
    DataCenter Provider
    Hi @greatwitenorth

    The issue is in the error message:
    This is saying that AutoSSL is attempting to add coverage to a domain but when the DCV check fails it's not going to supply a new cert to the domains that are already covered. It would replace the certificate in the event the DCV check passed.

    If you don't want specific domains or subdomains covered by AutoSSL you can exclude them from within cPanel>>SSL/TLS>>SSL/TLS Status

    Thanks!
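
Added example, not part of either post and not cPanel's own tooling: a small parser that reads an AutoSSL run log like the one quoted in the first post and lists the domains that failed every DCV method, which are the ones to fix in DNS or exclude under SSL/TLS Status. The function names are hypothetical, the sample log is constructed from abridged lines of the quoted log, and the rule that one passing DCV method is enough for a domain is an assumption.

```python
import re

# Constructed sample: lines abridged from the AutoSSL log quoted in the first post.
SAMPLE_LOG = """\
12:12:22 PM Local HTTP DCV OK: example.ca
Local HTTP DCV OK: example.com
WARN Local HTTP DCV error (mail.example.com): “mail.example.com” does not resolve to any IPv4 addresses on the internet.
Local HTTP DCV OK: cpanel.example.com
12:12:29 PM ERROR Local DNS DCV error (mail.example.com): The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record
12:12:29 PM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
"""

OK_RE = re.compile(r"Local (HTTP|DNS) DCV OK: (\S+)")
ERR_RE = re.compile(r"Local (HTTP|DNS) DCV error \(([^)]+)\)")
IMPEDIMENT_RE = re.compile(r"Impediment: ([A-Z_]+):")


def analyze_autossl_log(log_text):
    """Hypothetical helper: summarise per-domain DCV results from one AutoSSL run."""
    passed, failed, impediments = {}, {}, []
    for line in log_text.splitlines():
        if m := OK_RE.search(line):
            passed.setdefault(m.group(2), set()).add(m.group(1))
        elif m := ERR_RE.search(line):
            failed.setdefault(m.group(2), set()).add(m.group(1))
        elif m := IMPEDIMENT_RE.search(line):
            impediments.append(m.group(1))
    # Assumption: a domain counts as validated if any DCV method passed for it,
    # so only domains with errors and no "OK" line hold the certificate back.
    blocking = {d: sorted(methods) for d, methods in failed.items() if d not in passed}
    return {"validated": sorted(passed), "blocking": blocking, "impediments": impediments}


def exclusion_candidates(log_text):
    """Domains to fix in DNS or exclude under SSL/TLS Status, if the run was blocked."""
    result = analyze_autossl_log(log_text)
    if "SECURED_DOMAIN_DCV_FAILURE" not in result["impediments"]:
        return []
    return sorted(result["blocking"])


if __name__ == "__main__":
    print(analyze_autossl_log(SAMPLE_LOG))
    print(exclusion_candidates(SAMPLE_LOG))
```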
     