AutoSSL no longer working with Cloudflare

dstana

Well-Known Member
Jul 6, 2016
108
19
68
Phoenix, AZ
cPanel Access Level
Root Administrator
I'm getting all these DCV errors all of a sudden with domains that use Cloudflare for DNS. Looking in the log, the problem is because the main domain has its A record at Cloudflare and not the server.

This hasn't been an issue for a long time. What's the work around to get around this?
 
Last edited by a moderator:

dstana

Well-Known Member
Jul 6, 2016
108
19
68
Phoenix, AZ
cPanel Access Level
Root Administrator
Hey there! Can you let me know what entires you're seeing in the log? Just make sure to remove any public domains for security reasons.
Here's the log:

Code:
Log for the AutoSSL run for “user”: Wednesday, February 23, 2022 9:06:58 AM GMT-0700 (cPanel (powered by Sectigo))
 9:06:58 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
 This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
 Analyzing “user”’s domains …
 9:06:58 AM Analyzing “domain” (website) …
 9:06:58 AM TLS Status: Ready for Renewal
 WARN Certificate expiry: 3/3/22, 12:00 AM UTC (7.33 days from now)
 9:06:58 AM Attempting to ensure the existence of necessary CAA records …
 9:06:58 AM No CAA records were created.
 9:06:58 AM Verifying 8 domains’ management status …
 Verifying “cPanel (powered by Sectigo)”’s authorization on 8 domains via DNS CAA records …
 9:06:58 AM “webdisk.domain” is managed.
 “cpanel.domain” is managed.
 “mail.domain” is managed.
 “www.domain” is managed.
 “domain” is managed.
 “webmail.domain” is managed.
 “cpcontacts.domain” is managed.
 “cpcalendars.domain” is managed.
 All of this user’s 8 domains are managed.
 CA authorized: “domain”
 CA authorized: “www.domain”
 CA authorized: “webdisk.domain”
 CA authorized: “webmail.domain”
 CA authorized: “mail.domain”
 9:06:59 AM CA authorized: “cpcalendars.domain”
 CA authorized: “cpanel.domain”
 CA authorized: “cpcontacts.domain”
 “cPanel (powered by Sectigo)” is authorized to issue certificates for 8 of this user’s 8 domains.
 9:06:59 AM Performing HTTP DCV (Domain Control Validation) on 8 domains …
 9:06:59 AM WARN Local HTTP DCV error (domain): The system queried for a temporary file at “http://domain/.well-known/pki-validation/8689F67E995C9C4B36F273168C851F63.txt”, but the web server responded with the following error: 502 (Bad Gateway). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “domain” resolved to an IP address “104.21.76.183” that does not exist on this server.
 Local HTTP DCV OK: www.domain
 WARN Local HTTP DCV error (mail.domain): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain/.well-known/pki-validation/CD018EAC09228C662865FD0E9D15514F.txt” because of an error (cached): Could not connect to '2606:4700:3036:0000:0000:0000:6815:4cb7:80': Network is unreachable.
 Local HTTP DCV OK: cpanel.domain
 Local HTTP DCV OK: webdisk.domain
 Local HTTP DCV OK: webmail.domain
 Local HTTP DCV OK: cpcontacts.domain
 Local HTTP DCV OK: cpcalendars.domain
 9:06:59 AM Verifying local authority for 2 domains …
 9:06:59 AM No local authority: “domain”
 No local authority: “mail.domain”
 9:06:59 AM No local DNS DCV is necessary.
 9:06:59 AM Processing “user”’s local DCV results …
 9:06:59 AM Analyzing “domain”’s DCV results …
 9:06:59 AM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
 9:06:59 AM The system has completed “user”’s AutoSSL check.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
Thanks for that - if you place a file in the /home/username/public_html/.well-known/pki-validation directory, are you able to visit that normally in a browser outside of the AutoSSL check tool? Just visiting it in a browser would let us know if the issue is with the site configuration, DNS, or AutoSSL.
 

dstana

Well-Known Member
Jul 6, 2016
108
19
68
Phoenix, AZ
cPanel Access Level
Root Administrator
Thanks for that - if you place a file in the /home/username/public_html/.well-known/pki-validation directory, are you able to visit that normally in a browser outside of the AutoSSL check tool? Just visiting it in a browser would let us know if the issue is with the site configuration, DNS, or AutoSSL.
Yep, works just fine. I did notice that directory was empty though, usually there's some files in there from AutoSSL doing its thing. Could that be the issue?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
That likely is not related - in more recent versions of AutoSSL, we remove the temporary files after the check completes so they don't just linger forever.

Could you open a ticket with our team so we can check that on our side? It seems odd that a normal browser request would work but AutoSSL can't.
 

elmister

Well-Known Member
Mar 2, 2004
46
2
158
Did you resolve the issue, i'm having the same issue with other domains using Cloudflare

when trying to validate the SSL for mail.domain.com it fails resolving with a different IP than the one configured in cloudflare

ADVERTENCIA Local HTTP DCV error (mail.vinilos.info): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain.info/.well-known/pki-validation/2BF4EF95C20D57AE69411060606A66BA.txt” because of an error (cached): Could not connect to '2606:4700:3032:0000:0000:0000:ac43:b8cd:80': Network is unreachable.

In cloudflare the subdomain mail is not pointing to 2606:4700:3032:0000:0000:0000:ac43:b8cd and it's not resolving to that IP in my tests
 

Regs

Registered
Jun 19, 2002
1
0
151
Did you resolve the issue, i'm having the same issue with other domains using Cloudflare

when trying to validate the SSL for mail.domain.com it fails resolving with a different IP than the one configured in cloudflare

ADVERTENCIA Local HTTP DCV error (mail.vinilos.info): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.domain.info/.well-known/pki-validation/2BF4EF95C20D57AE69411060606A66BA.txt” because of an error (cached): Could not connect to '2606:4700:3032:0000:0000:0000:ac43:b8cd:80': Network is unreachable.

In cloudflare the subdomain mail is not pointing to 2606:4700:3032:0000:0000:0000:ac43:b8cd and it's not resolving to that IP in my tests
Having the exact same issue here :(
 

elmister

Well-Known Member
Mar 2, 2004
46
2
158
# /scripts/cpdig domain.info A
172.67.184.x
104.21.76.x << both are cloudflare ips
[[email protected] ~]# /scripts/cpdig mail.domain.info A
X.X.X.X. server IP, not hidden by cloudflare
# /scripts/cpdig mail.domain.info AAAA

nothing for last command, no answer