AutoSSL no longer working with Cloudflare

dstana

Well-Known Member
Jul 6, 2016
Phoenix, AZ
cPanel Access Level
Root Administrator
I'm getting all these DCV errors all of a sudden with domains that use Cloudflare for DNS. Looking in the log, the problem is that the main domain has its A record at Cloudflare and not at the server.

This hasn't been an issue for a long time. What's the workaround for this?
 

dstana

Well-Known Member
Jul 6, 2016
Phoenix, AZ
cPanel Access Level
Root Administrator
cPRex said:
Hey there! Can you let me know what entries you're seeing in the log? Just make sure to remove any public domains for security reasons.
Here's the log:

Code:
Log for the AutoSSL run for “user”: Wednesday, February 23, 2022 9:06:58 AM GMT-0700 (cPanel (powered by Sectigo))
 9:06:58 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
 This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
 Analyzing “user”’s domains …
 9:06:58 AM Analyzing “domain” (website) …
 9:06:58 AM TLS Status: Ready for Renewal
 WARN Certificate expiry: 3/3/22, 12:00 AM UTC (7.33 days from now)
 9:06:58 AM Attempting to ensure the existence of necessary CAA records …
 9:06:58 AM No CAA records were created.
 9:06:58 AM Verifying 8 domains’ management status …
 Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
 9:06:58 AM “webdisk.domain” is managed.
 “cpanel.domain” is managed.
 “mail.domain” is managed.
 “www.domain” is managed.
 “domain” is managed.
 “webmail.domain” is managed.
 “cpcontacts.domain” is managed.
 “cpcalendars.domain” is managed.
 All of this user’s 8 domains are managed.
 CA authorized: “domain”
 CA authorized: “www.domain”
 CA authorized: “webdisk.domain”
 CA authorized: “webmail.domain”
 CA authorized: “mail.domain”
 9:06:59 AM CA authorized: “cpcalendars.domain”
 CA authorized: “cpanel.domain”
 CA authorized: “cpcontacts.domain”
 “cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
 9:06:59 AM Performing HTTP DCV (Domain Control Validation) on 8 domains …
 9:06:59 AM WARN Local HTTP DCV error (domain): The system queried for a temporary file at “http://domain/.well-known/pki-validation/8689F67E995C9C4B36F273168C851F63.txt”, but the web server responded with the following error: 502 (Bad Gateway). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “domain” resolved to an IP address “104.21.76.183” that does not exist on this server.
 Local HTTP DCV OK: www.domain
 WARN Local HTTP DCV error (mail.domain): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain/.well-known/pki-validation/CD018EAC09228C662865FD0E9D15514F.txt” because of an error (cached): Could not connect to '2606:4700:3036:0000:0000:0000:6815:4cb7:80': Network is unreachable.
 Local HTTP DCV OK: cpanel.domain
 Local HTTP DCV OK: webdisk.domain
 Local HTTP DCV OK: webmail.domain
 Local HTTP DCV OK: cpcontacts.domain
 Local HTTP DCV OK: cpcalendars.domain
 9:06:59 AM Verifying local authority for 2 domains …
 9:06:59 AM No local authority: “domain”
 No local authority: “mail.domain”
 9:06:59 AM No local DNS DCV is necessary.
 9:06:59 AM Processing “user”’s local DCV results …
 9:06:59 AM Analyzing “domain”’s DCV results …
 9:06:59 AM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
 9:06:59 AM The system has completed “user”’s AutoSSL check.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Thanks for that - if you place a file in the /home/username/public_html/.well-known/pki-validation directory, are you able to visit that normally in a browser outside of the AutoSSL check tool? Just visiting it in a browser would let us know if the issue is with the site configuration, DNS, or AutoSSL.
 

dstana

Well-Known Member
Jul 6, 2016
Phoenix, AZ
cPanel Access Level
Root Administrator
cPRex said:
Thanks for that - if you place a file in the /home/username/public_html/.well-known/pki-validation directory, are you able to visit that normally in a browser outside of the AutoSSL check tool? Just visiting it in a browser would let us know if the issue is with the site configuration, DNS, or AutoSSL.
Yep, works just fine. I did notice that directory was empty though, usually there's some files in there from AutoSSL doing its thing. Could that be the issue?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
That likely is not related - in more recent versions of AutoSSL, we remove the temporary files after the check completes so they don't just linger forever.

Could you open a ticket with our team so we can check that on our side? It seems odd that a normal browser request would work but AutoSSL can't.
 

elmister

Well-Known Member
Mar 2, 2004
Did you resolve the issue? I'm having the same issue with other domains using Cloudflare.

When trying to validate the SSL for mail.domain.com, it fails, resolving to a different IP than the one configured in Cloudflare:

WARN Local HTTP DCV error (mail.vinilos.info): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain.info/.well-known/pki-validation/2BF4EF95C20D57AE69411060606A66BA.txt” because of an error (cached): Could not connect to '2606:4700:3032:0000:0000:0000:ac43:b8cd:80': Network is unreachable.

In Cloudflare the subdomain mail is not pointing to 2606:4700:3032:0000:0000:0000:ac43:b8cd, and it's not resolving to that IP in my tests.
 

Regs

Registered
Jun 19, 2002
elmister said:
Did you resolve the issue? I'm having the same issue with other domains using Cloudflare.

When trying to validate the SSL for mail.domain.com, it fails, resolving to a different IP than the one configured in Cloudflare:

WARN Local HTTP DCV error (mail.vinilos.info): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain.info/.well-known/pki-validation/2BF4EF95C20D57AE69411060606A66BA.txt” because of an error (cached): Could not connect to '2606:4700:3032:0000:0000:0000:ac43:b8cd:80': Network is unreachable.

In Cloudflare the subdomain mail is not pointing to 2606:4700:3032:0000:0000:0000:ac43:b8cd, and it's not resolving to that IP in my tests.
Having the exact same issue here :(
 

elmister

Well-Known Member
Mar 2, 2004
Code:
# /scripts/cpdig domain.info A
172.67.184.x
104.21.76.x    << both are Cloudflare IPs
# /scripts/cpdig mail.domain.info A
X.X.X.X        << server IP, not hidden by Cloudflare
# /scripts/cpdig mail.domain.info AAAA

Nothing for the last command, no answer.
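The two kinds of failure in this thread (the AutoSSL log lines quoting a Cloudflare edge address or an unreachable IPv6 address, and the addresses `/scripts/cpdig` returns for a hostname) can be triaged the same way: take the address the server actually tried and ask whether it is a Cloudflare proxy range, an IPv6 address on a host with no IPv6 route, some other foreign address, or one of the server's own. The script below is an added example, not cPanel's code or part of any post above. The sample log lines are constructed from the log posted earlier (hostnames redacted the same way), the Cloudflare ranges are a snapshot subset of Cloudflare's published list, and 203.0.113.10 is an assumed stand-in for the server's own address.

```python
"""Triage of AutoSSL "Local HTTP DCV error" lines and of cpdig answers.

Added example, not cPanel's code. It pulls the address that AutoSSL actually
tried out of each failure line and says whether that address is a Cloudflare
proxy edge, an IPv6 address this server cannot reach, a foreign address, or
one of the server's own addresses.
"""
import ipaddress
import re

# Subset of Cloudflare's published proxy ranges (https://www.cloudflare.com/ips/).
# Assumption: a snapshot for illustration; load the live list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32",
)]

# Constructed sample modelled on the log posted in this thread (hostnames redacted).
SAMPLE_LOG = """\
WARN Local HTTP DCV error (domain): The system queried for a temporary file at “http://domain/.well-known/pki-validation/8689F67E995C9C4B36F273168C851F63.txt”, but the web server responded with the following error: 502 (Bad Gateway). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “domain” resolved to an IP address “104.21.76.183” that does not exist on this server.
Local HTTP DCV OK: www.domain
WARN Local HTTP DCV error (mail.domain): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain/.well-known/pki-validation/CD018EAC09228C662865FD0E9D15514F.txt” because of an error (cached): Could not connect to '2606:4700:3036:0000:0000:0000:6815:4cb7:80': Network is unreachable.
Local HTTP DCV OK: cpanel.domain
"""

ERR_RE = re.compile(r"Local HTTP DCV error \((?P<host>[^)]+)\)")
RESOLVED_RE = re.compile(r"resolved to an IP address “(?P<ip>[^”]+)”")
CONNECT_RE = re.compile(r"Could not connect to '(?P<ip>.+):\d+'")
CACHED_RE = re.compile(r"because of an error \(cached\)")

FIXES = {
    "cloudflare_proxy": "address is a Cloudflare edge: HTTP DCV reaches the proxy, not this "
                        "server; set the record to DNS only for the check or use DNS DCV",
    "ipv6_unreachable": "AAAA record served but this server has no IPv6 route; drop the AAAA "
                        "record or give the server IPv6 connectivity",
    "foreign_ip": "address is not on this server; check the DNS record",
    "local_ip": "address is this server; the web server itself failed, check the vhost and docroot",
}


def is_cloudflare(addr) -> bool:
    return any(addr in net for net in CLOUDFLARE_RANGES)


def classify_ip(ip, server_ips, server_has_ipv6=False):
    """Return the finding tags for one address, in a fixed order."""
    addr = ipaddress.ip_address(ip)
    local = {ipaddress.ip_address(s) for s in server_ips}
    findings = []
    if is_cloudflare(addr):
        findings.append("cloudflare_proxy")
    if addr.version == 6 and not server_has_ipv6:
        findings.append("ipv6_unreachable")
    if addr in local:
        findings.append("local_ip")
    elif not findings:
        findings.append("foreign_ip")
    return findings


def triage_line(line, server_ips, server_has_ipv6=False):
    """Parse one AutoSSL log line; None if it is not a DCV failure line."""
    m = ERR_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    # The 502 variant names the resolved address; the connect variant names the socket.
    hit = RESOLVED_RE.search(line) or CONNECT_RE.search(line)
    ip = hit.group("ip") if hit else None
    findings = classify_ip(ip, server_ips, server_has_ipv6) if ip else []
    return {
        "host": host,
        "ip": ip,
        "cached": bool(CACHED_RE.search(line)),  # AutoSSL reused a stored fetch error
        "findings": findings,
        "fixes": [FIXES[f] for f in findings],
    }


def triage_log(text, server_ips, server_has_ipv6=False):
    out = []
    for line in text.splitlines():
        t = triage_line(line, server_ips, server_has_ipv6)
        if t:
            out.append(t)
    return out


def classify_answers(answers, server_ips, server_has_ipv6=False):
    """Classify the addresses returned by /scripts/cpdig for one hostname."""
    return {a: classify_ip(a, server_ips, server_has_ipv6) for a in answers}


if __name__ == "__main__":
    # Assumption: 203.0.113.10 stands in for this server's own address.
    for t in triage_log(SAMPLE_LOG, {"203.0.113.10"}):
        tag = " (cached)" if t["cached"] else ""
        print(f"{t['host']}: {t['ip']}{tag}")
        for fix in t["fixes"]:
            print(f"  - {fix}")
```

Feed `classify_answers` the addresses `/scripts/cpdig host A` and `/scripts/cpdig host AAAA` print, with the server's real addresses in `server_ips`; a `cached` result in the log means AutoSSL reported a stored error rather than a fresh fetch, so a record you have just changed may not be reflected until the next run that retries.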