AutoSSL not issuing certificates for a DNS error (letsencrypt/sectigo)

Vipereg
Registered, joined Feb 17, 2020, Italy
cPanel Access Level: Root Administrator
Hi,
I'm having a strange problem on a server with WHM/cPanel.
AutoSSL can't renew SSL certificates for any domain (Let's Encrypt or Sectigo).
(I replaced all real data with DOMAIN.TLD, OURDOMAINDNS.TLD, A.B.C.D, E.F.G.H, etc.)

This is the autossl output for a domain:

/usr/local/cpanel/bin/autossl_check --user USER

AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “editalia”’s domains …
Analyzing “DOMAIN.TLD” …
TLS Status: Defective
Certificate expiry: 10/30/20, 12:00 PM UTC (255.93 days from now)
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
Attempting to ensure the existence of necessary CAA records …
No CAA records were created.
Verifying “cPanel (powered by Sectigo)”’s authorization on domains via DNS CAA records …
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 39sv69) DNS query (www.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 2dbf4j) DNS query (mail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 7wgbxa) DNS query (cpanel.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID dg7j7r) DNS query (webdisk.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID rt5s3a) DNS query (webmail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID gutuj8) DNS query (autodiscover.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
“cPanel (powered by Sectigo)” is authorized to issue certificates for all domains.
Performing HTTP DCV (Domain Control Validation) on 7 domains …
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
No local DNS DCV is necessary.
Processing “editalia”’s local DCV results …
Analyzing “DOMAIN.TLD”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
The system has completed “editalia”’s AutoSSL check.


I've searched around for the same problem and executed the following:

whmapi1 set_up_dns_resolver_workarounds

/scripts/cpdig DOMAIN.TLD A --verbose

[1581947097] libunbound[5388:0] notice: init module 0: validator
[1581947097] libunbound[5388:0] notice: init module 1: iterator
[1581947097] libunbound[5388:0] info: resolving DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: priming . IN NS
[1581947097] libunbound[5388:0] info: response for . NS IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:200::b#53
[1581947097] libunbound[5388:0] info: query response was ANSWER
[1581947097] libunbound[5388:0] info: priming successful for . NS IN
[1581947097] libunbound[5388:0] info: response for DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: reply from <.> 199.7.91.13#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: reply from <it.> 2001:67c:1010:7::53#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: resolving ns1.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: resolving ns2.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: resolving ns2.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: resolving ns3.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: resolving ns3.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: resolving ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:2::c#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:1::53#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:503:ba3e::2:30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:9f::42#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <com.> 2001:503:83eb::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: resolving ns4.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <com.> 2001:503:83eb::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <com.> 2001:502:1ca1::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <com.> 192.12.94.30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <.> 199.9.14.201#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD A IN
[1581947098] libunbound[5388:0] info: reply from <.> 2001:dc3::35#53
[1581947098] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD AAAA IN
[1581947098] libunbound[5388:0] info: reply from <com.> 2001:503:a83e::2:30#53
[1581947098] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD A IN
[1581947098] libunbound[5388:0] info: reply from <com.> 192.42.93.30#53
[1581947098] libunbound[5388:0] info: query response was REFERRAL

for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done

a.root-servers.net: 198.41.0.4
b.root-servers.net: 199.9.14.201
c.root-servers.net: 192.33.4.12
d.root-servers.net: 199.7.91.13
e.root-servers.net: 192.203.230.10
f.root-servers.net: 192.5.5.241
g.root-servers.net: 192.112.36.4
h.root-servers.net: 198.97.190.53
i.root-servers.net: 192.36.148.17
j.root-servers.net: 192.58.128.30
k.root-servers.net: 193.0.14.129
l.root-servers.net: 199.7.83.42
m.root-servers.net: 202.12.27.33

for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short DOMAIN.TLD @$gtld.gtld-servers.net; done

Trying a.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying b.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying c.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying d.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying e.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying f.gtld-servers.net
A A.B.C.D from server E.F.G.H in 11 ms.
Trying g.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying h.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying i.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying j.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying k.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying l.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying m.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.

/usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' DOMAIN.TLD

warn [-e] DNS query failure (DOMAIN.TLD/A): Cpanel::Exception::Timeout/(XID 594jqp) DNS query (DOMAIN.TLD/A) timeout!
at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 379.
Cpanel::DNS::Unbound::_die_if_query_failed(HASH(0x1cbe280)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 368
Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0x18e6008), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 432
eval {...} called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 432
Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0x18e6008), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DnsRoots.pm line 83
Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0x1cbe040), "DOMAIN.TLD") called at -e line 1

The problem seems to be in this last command.
I've tried to install BIND and PowerDNS on this machine (our DNS is on separate servers).
I've tried modifying resolv.conf to use global DNS, the server itself, and the provider's resolvers.

Can you help me?
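As an added triage helper (not cPanel's code and not a script from this thread), the following reads a verbose libunbound trace like the cpdig output above and lists every query that was started but never reached an ANSWER, together with the last server that replied, which shows where the recursion stalls. The embedded trace is a constructed, cut-down copy of the one above (placeholders kept) plus one answered query for contrast; the script name stalled.sh is assumed.

```shell
#!/bin/bash
# Added triage helper, not cPanel's code: lists the queries in a verbose
# libunbound trace ("/scripts/cpdig NAME A --verbose") that never reached a
# final ANSWER, with the last server that replied. A chain that ends in
# REFERRAL shows where recursion stalls (here: after the TLD referral, the
# delegated nameservers never answer).

# Usage: stalled_queries [tracefile ...]   (reads stdin when no file is given)
stalled_queries() {
    awk '
        # "info: resolving NAME TYPE IN" -> remember that the query was started
        /info: resolving / {
            key = $(NF-2) " " $(NF-1)
            started[key] = 1
            if (!(key in last)) last[key] = "no reply at all"
        }
        # "info: response for NAME TYPE IN" -> the next lines belong to this query
        /info: response for / { cur = $(NF-2) " " $(NF-1) }
        # "info: reply from <zone.> ip#port"
        /info: reply from / { zone[cur] = $(NF-1); from[cur] = $NF }
        # "info: query response was ANSWER|REFERRAL|..."
        /query response was / {
            last[cur] = $NF " from " zone[cur] " " from[cur]
            if ($NF == "ANSWER") answered[cur] = 1
        }
        END {
            for (k in started) if (!(k in answered)) print k " -> " last[k]
        }
    ' "$@" | sort
}

# Constructed sample trace, cut down from the one in the thread (placeholders
# kept), plus one query that does get answered, for contrast.
sample_trace() {
    cat <<'EOF'
[1581947097] libunbound[5388:0] info: resolving DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: priming . IN NS
[1581947097] libunbound[5388:0] info: response for . NS IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:200::b#53
[1581947097] libunbound[5388:0] info: query response was ANSWER
[1581947097] libunbound[5388:0] info: priming successful for . NS IN
[1581947097] libunbound[5388:0] info: response for DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: reply from <.> 199.7.91.13#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: reply from <it.> 2001:67c:1010:7::53#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: resolving ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <com.> 2001:502:1ca1::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: resolving www.example.test. A IN
[1581947098] libunbound[5388:0] info: response for www.example.test. A IN
[1581947098] libunbound[5388:0] info: reply from <example.test.> 192.0.2.53#53
[1581947098] libunbound[5388:0] info: query response was ANSWER
EOF
}

# Number of stalled queries in a trace: 0 means recursion completed for everything.
stalled_count() {
    stalled_queries "$@" | awk 'END { print NR }'
}

# With trace files as arguments, report on them; otherwise do nothing.
if [ "$#" -gt 0 ]; then
    stalled_queries "$@"
fi
```

Run it against a real capture with `/scripts/cpdig DOMAIN.TLD A --verbose 2>&1 > trace.log; ./stalled.sh trace.log`; an empty report means every query completed.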
 

jpvanoosten
Member, joined May 14, 2014
cPanel Access Level: Root Administrator
I'm getting the same errors for all my sites:

Code:
# /usr/local/cpanel/bin/autossl_check --user DOMAIN
AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “DOMAIN”’s domains …
        Analyzing “DOMAIN.tld” …
                TLS Status: Incomplete
                Certificate expiry: 4/3/20, 12:00 AM UTC (44.11 days from now)
        Analyzing “researchmethods.DOMAIN.tld” …
                TLS Status: Defective
                Certificate expiry: 2/13/20, 12:00 AM UTC (5.89 days ago)
                Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
        Attempting to ensure the existence of necessary CAA records …
                No CAA records were created.
        Verifying 10 domains’ DNS management …
        Verifying “cPanel (powered by Sectigo)”’s authorization on 10 domains via DNS CAA records …
        DNS query error (DOMAIN.tld/NS): (XID pqyyr8) DNS request timeout: DOMAIN.tld/NS
                DNS does not manage “DOMAIN.tld”.
        DNS query error (www.DOMAIN.tld/NS): (XID zvkqkd) DNS request timeout: www.DOMAIN.tld/NS
                DNS does not manage “www.DOMAIN.tld”.
        DNS query error (mail.DOMAIN.tld/NS): (XID hc34hv) DNS request timeout: mail.DOMAIN.tld/NS
                DNS does not manage “mail.DOMAIN.tld”.
        DNS query error (cpanel.DOMAIN.tld/NS): (XID q58y5r) DNS request timeout: cpanel.DOMAIN.tld/NS
                DNS does not manage “cpanel.DOMAIN.tld”.
        DNS query error (webdisk.DOMAIN.tld/NS): (XID bd6qdg) DNS request timeout: webdisk.DOMAIN.tld/NS
                DNS does not manage “webdisk.DOMAIN.tld”.
        DNS query error (webmail.DOMAIN.tld/NS): (XID webmr6) DNS request timeout: webmail.DOMAIN.tld/NS
                DNS does not manage “webmail.DOMAIN.tld”.
        DNS query error (cpcontacts.DOMAIN.tld/NS): (XID b72m5p) DNS request timeout: cpcontacts.DOMAIN.tld/NS
                DNS does not manage “cpcontacts.DOMAIN.tld”.
        DNS query error (cpcalendars.DOMAIN.tld/NS): (XID h79xvx) DNS request timeout: cpcalendars.DOMAIN.tld/NS
                DNS does not manage “cpcalendars.DOMAIN.tld”.
        DNS query error (researchmethods.DOMAIN.tld/NS): (XID kskwcv) DNS request timeout: researchmethods.DOMAIN.tld/NS
                DNS does not manage “researchmethods.DOMAIN.tld”.
        DNS query error (www.researchmethods.DOMAIN.tld/NS): (XID yhz726) DNS request timeout: www.researchmethods.DOMAIN.tld/NS
                DNS does not manage “www.researchmethods.DOMAIN.tld”.
                DNS does not manage any of this user’s 10 domains.
        DNS query error (researchmethods.DOMAIN.tld/CAA): SERVFAIL (2)
        DNS query error (cpcontacts.DOMAIN.tld/CAA): SERVFAIL (2)
        DNS query error (webdisk.DOMAIN.tld/CAA): SERVFAIL (2)
        DNS query error (cpanel.DOMAIN.tld/CAA): SERVFAIL (2)
        DNS query error (www.researchmethods.DOMAIN.tld/CAA): SERVFAIL (2)
        DNS query error (webmail.DOMAIN.tld/CAA): SERVFAIL (2)
        DNS query error (DOMAIN.tld/CAA): SERVFAIL (2)
                CA authorized: “DOMAIN.tld”
                CA authorized: “researchmethods.DOMAIN.tld”
                CA authorized: “cpcontacts.DOMAIN.tld”
                CA authorized: “webdisk.DOMAIN.tld”
                CA authorized: “cpanel.DOMAIN.tld”
                CA authorized: “www.researchmethods.DOMAIN.tld”
                CA authorized: “webmail.DOMAIN.tld”
        DNS query error (www.DOMAIN.tld/CAA): SERVFAIL (2)
                CA authorized: “www.DOMAIN.tld”
        DNS query error (mail.DOMAIN.tld/CAA): SERVFAIL (2)
                CA authorized: “mail.DOMAIN.tld”
        DNS query error (cpcalendars.DOMAIN.tld/CAA): SERVFAIL (2)
                CA authorized: “cpcalendars.DOMAIN.tld”
                “cPanel (powered by Sectigo)” is authorized to issue certificates for 10 of this user’s 10 domains.
        AutoSSL cannot increase “DOMAIN”’s SSL coverage.
I'm interested to hear if there is a fix.
 

cPanelLauren
Product Owner, Staff member, joined Nov 14, 2017, Houston
What is the output of the following?

Code:
nmap -sU -sT <yourIP.or.hostname> -p 53,80,443
What is present in the resolv.conf file at /etc/resolv.conf?

Are your servers using a firewall?

Are your servers NAT routed?
 

Vipereg
Our setup has 4 servers that only do DNS.
Then there is DNS clustering, write-only from the hosting servers towards the DNS servers.

We have CSF installed with these rules on the hosting server:
TCP_IN=20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3128
TCP_OUT=20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,3306,56522

No firewall on the DNS servers.

- resolv.conf on the hosting server & DNS servers (same output for each DNS server):
search invalid
nameserver 213.136.95.11
nameserver 213.136.95.10
nameserver 2a02:c207::1:53

Nmap from hosting server to itself:
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
53/udp closed domain
80/udp closed http
443/udp closed https

Nmap from hosting server to dns (same output for each dns):
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
53/udp open|filtered domain
80/udp open|filtered http
443/udp open|filtered https

Nmap from dns to itself (same output for each dns):
PORT STATE SERVICE
53/tcp open domain
80/tcp closed http
443/tcp closed https
53/udp open|filtered domain
80/udp closed http
443/udp closed https

Nmap from dns to hosting server:
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
53/udp closed domain
80/udp open|filtered http
443/udp open|filtered https

The same problem also occurs when using Let's Encrypt as the AutoSSL provider in cPanel.

I've downloaded certbot-auto from Let's Encrypt and tried a wildcard cert with the DNS check (with a manual script to add DNS TXT records through the cPanel API) and everything goes well... so it's a cPanel internal problem.
 

Vipereg
I've made these scripts to keep the certificates updated because our customers are losing patience.
I hope this will help others in the same situation while we wait for the problem to be resolved.
This is not a perfect solution... but it will keep your customers quiet for a while.
It will install Let's Encrypt's certificate without checking whether there is a certificate from another issuer or no certificate at all.
It will only try to issue certificates for domains that have this error in the AutoSSL logs: "The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error".

Keep in mind that this will work only if you have:
- autossl logs in /var/cpanel/logs/autossl/
- userdata in /var/cpanel/userdata/
- userdomains in /etc/userdomains
- the dig utility (the scripts do a DNS check against Google's resolver (8.8.8.8) and only add FQDNs that resolve to the current server)
- whmapi1 (needed to install ssl certs)

For example, create a folder "fixssl" somewhere.
Go into that folder and run (you need git installed for this to work):

Code:
 git clone https://github.com/certbot/certbot
then create these three files (fixsslfromlogs.sh, installssl.sh, installssl.pl):

fixsslfromlogs.sh
Code:
#!/bin/bash
# Re-issue certificates for every domain that the latest AutoSSL run could not
# validate because of the "failed to determine whether ... is a registered domain"
# DNS error. Calls installssl.sh (same directory) once per affected domain.
pushd "$(dirname "$0")" > /dev/null
PROGDIR=$(pwd)
popd > /dev/null

# AutoSSL keeps one directory per run; the lexically last one is the newest.
foldername=$(ls -1 /var/cpanel/logs/autossl | tail -n 1)
if [ -z "${foldername}" ]; then
  echo "no autossl logs!"
  exit 1
fi

path="/var/cpanel/logs/autossl/${foldername}"

if [ -d "${path}" ]; then
  # Each matching log line ends in "... DNS error: (XID xxxxxx) DNS query (DOMAIN.TLD/NS) timeout!":
  # the domain is the text after the second "(" and before the "/".
  for domain in $(grep "system failed to determine" "${path}/txt" | awk -F '(' '{print $3}' | awk -F '/' '{print $1}' | awk '{print $1}' | sort -u); do
    # Only handle domains this server hosts (exact, anchored match in /etc/userdomains).
    count=$(grep -c "^${domain}:" /etc/userdomains)
    if [ "$count" -eq 1 ]; then
      "${PROGDIR}/installssl.sh" "${domain}"
    fi
  done
fi

installssl.sh
Code:
#!/bin/bash
# Issue a Let's Encrypt certificate for one cPanel domain with certbot (webroot
# challenge) and install it through WHM API 1 via installssl.pl.
# Usage: installssl.sh domain [dns]
pushd "$(dirname "$0")" > /dev/null
PROGDIR=$(pwd)
popd > /dev/null

if [ -z "$1" ]; then
  echo "$0 domain"
  exit 1
fi

# "dns" as the second argument is reserved for a DNS-01 run; only webroot is implemented.
webroot=1
if [ "$2" == "dns" ]; then
  webroot=0
fi

if [ ! -f "${PROGDIR}/certbot/certbot-auto" ]; then
  echo "certbot missing!"
  exit 1
fi

# Resolve through a public resolver instead of the local recursion that is timing out.
dnscommand="dig +noall +answer A @8.8.8.8"
domain=$1

# Anchored match, so "sub.example.com:" does not count as "example.com:".
count=$(grep -c "^${domain}:" /etc/userdomains)
if [ "$count" -eq 0 ]; then
  echo "$domain does not exist!"
  exit 1
fi

user=$(grep "^${domain}:" /etc/userdomains | awk -F ':' '{print $2}' | tr -d '[:space:]')
cd "/var/cpanel/userdata/${user}/" || exit 1
# The userdata file whose servername/serveralias lists this domain (skip cache, main, json and _SSL files).
domainFile=$(grep -ilr " ${domain}" . | sed 's|^\./||' | grep -Ev -e "cache$" -e "main$" -e "json$" -e "_SSL$" | head -n 1)
if [ -z "${domainFile}" ]; then
  echo "no userdata file found for $domain!"
  exit 1
fi
path=$(grep documentroot "${domainFile}" | awk '{print $2}')

if [ ! -d "${path}" ]; then
  echo "${path} does not exist!"
  exit 1
fi

# Returns 1 when the name has an A record (CNAMEs ignored) pointing at an address
# configured on this server, 0 otherwise. Only such names go onto the certificate.
function dnsipcheck {
  local domain=$1

  dnsresult=$(${dnscommand} "${domain}" | grep IN | grep -v CNAME)
  if [ -n "${dnsresult}" ]; then
    # Fifth column of the first answer record is the address.
    ipaddress=$(echo "${dnsresult}" | head -n 1 | awk '{print $5}')
    if [ -n "$ipaddress" ]; then
      # Exact match against local addresses; handles both "inet X" and "inet addr:X" ifconfig output.
      count=$(ifconfig | grep inet | awk '{print $2}' | sed 's/^addr://' | grep -Ev -e "^127.0.0.1$" -e "^::1$" | grep -cFx "${ipaddress}")
      if [ "$count" -gt 0 ]; then
        echo "$domain ok"
        return 1
      fi
    fi
  fi
  echo "$domain bad"
  return 0
}

cd "${PROGDIR}/certbot/" || exit 1
userdataFile="/var/cpanel/userdata/${user}/${domainFile}"
if [ -f "${userdataFile}" ]; then
  servername=$(grep "servername:" "${userdataFile}" | awk -F ': ' '{print $2}')
  serveraliases=$(grep "serveralias:" "${userdataFile}" | awk -F ': ' '{print $2}')

  # In the user's "main" file the primary domain appears as "main_domain: X" and an
  # addon as "addon.tld: sub.X"; a plain subdomain has no "key: value" line at all.
  basedomain=$(grep ": ${servername}" "/var/cpanel/userdata/${user}/main" | awk -F ': ' '{print $1}' | tr -d ' ' | head -n 1)

  domainscommand=""
  if [ "${basedomain}" == "main_domain" ] || [ -z "${basedomain}" ]; then
    basedomain=${servername}
  else
    serveraliases="${serveraliases} ${domainFile}"
  fi

  dnsipcheck "${basedomain}"
  if [ $? -eq 1 ]; then
    domainscommand="${domainscommand} -d ${basedomain}"
  fi

  for alias in autodiscover cpanel webdisk webmail mail www; do
    dnsipcheck "${alias}.${basedomain}"
    if [ $? -gt 0 ]; then
      domainscommand="${domainscommand} -d ${alias}.${basedomain}"
    fi
  done

  for alias in ${serveraliases}; do
    dnsipcheck "${alias}"
    if [ $? -gt 0 ]; then
      domainscommand="${domainscommand} -d ${alias}"
    fi
  done

  if [ -z "$domainscommand" ]; then
    echo "no hosts resolved for $domainFile ssl!"
    exit 1
  fi

  # certbot names the lineage under /etc/letsencrypt/live after the first -d name.
  firstdomain=$(echo "$domainscommand" | awk '{print $2}')

  # -n is non-interactive: the ACME account must already exist (first run needs --agree-tos and --email).
  # Stop here if issuance fails, so the certificate currently installed is not deleted.
  ./certbot-auto certonly -n ${domainscommand} --webroot -w "${path}" --expand || exit 1
fi

cd "${PROGDIR}" || exit 1
# Remove the certificate cPanel currently has for this vhost, then install the new one.
cpapi1 --user="${user}" SSL delete "${domainFile}"
./installssl.pl "$firstdomain" "$domain"

installssl.pl
Code:
#!/usr/local/cpanel/3rdparty/bin/perl
# Install a certbot-issued certificate into cPanel through WHM API 1 (installssl).
# Usage: installssl.pl <letsencrypt live folder> <domain>
use strict;
use warnings;
use URI::Escape;

my ( $folder, $dom ) = @ARGV;
die "usage: $0 <live-folder> <domain>\n" unless defined $folder && defined $dom;

my $certfile = "/etc/letsencrypt/live/$folder/cert.pem";
my $keyfile  = "/etc/letsencrypt/live/$folder/privkey.pem";
my $cafile   = "/etc/letsencrypt/live/$folder/chain.pem";

# Read a whole file into one string.
sub slurp {
    my ($file) = @_;
    open( my $fh, '<', $file ) or die "cannot open file $file: $!";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# URL-encode the PEM blobs so each can be passed as a single command-line value.
my $cert = uri_escape( slurp($certfile) );
my $key  = uri_escape( slurp($keyfile) );
my $ca   = uri_escape( slurp($cafile) );

# List form of system() bypasses the shell, so the domain name is never shell-interpreted.
system( 'whmapi1', 'installssl', "domain=$dom", "crt=$cert", "cabundle=$ca", "key=$key" ) == 0
    or die "whmapi1 installssl failed for $dom: $?";

Code:
chmod +x fixsslfromlogs.sh
chmod +x installssl.sh
chmod +x installssl.pl

then launch fixsslfromlogs.sh
 

cPanelLauren
cPanel's implementation of AutoSSL won't work with the configuration you have, 53 UDP needs to be open on the web server, to determine authority. It never gets past this:

Code:
   Verifying “cPanel (powered by Sectigo)”’s authorization on 10 domains via DNS CAA records …
        DNS query error (DOMAIN.tld/NS): (XID pqyyr8) DNS request timeout: DOMAIN.tld/NS
                DNS does not manage “DOMAIN.tld”.

I am glad that you were able to find a solution that works for you.
 

Vipereg
cPanelLauren said:
cPanel's implementation of AutoSSL won't work with the configuration you have, 53 UDP needs to be open on the web server, to determine authority. It never gets past this:

Code:
   Verifying “cPanel (powered by Sectigo)”’s authorization on 10 domains via DNS CAA records …
        DNS query error (DOMAIN.tld/NS): (XID pqyyr8) DNS request timeout: DOMAIN.tld/NS
                DNS does not manage “DOMAIN.tld”.

I am glad that you were able to find a solution that works for you.
My fault... I didn't mention the UDP ports in & out:

TCP_IN=20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3128
TCP_OUT=20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,3306,56522
UDP_IN=20,21,53,3306
UDP_OUT=20,21,53,113,123,873,6277,3306,24441

As you can see, the hosting server has no problem on port 53 (TCP/UDP, in/out).
We have 4 servers that only do DNS.
No DNS is installed on the hosting servers.
So it is normal for port 53 to be closed on the hosting server during an nmap scan (TCP/UDP).

AutoSSL isn't working with Sectigo or Let's Encrypt. The error is the same.
If I use certbot-auto from the command line everything goes well.

Now... to eliminate any firewall problem I did this test with the firewall turned off and with AutoSSL using Let's Encrypt:

Code:
Log for the AutoSSL run for “USER”: Tuesday, February 25, 2020 11:01:45 AM GMT+0100 (Let’s Encrypt™)
11:01:45 AM AutoSSL’s configured provider is “Let’s Encrypt™”.
Analyzing “USER”’s domains …
11:01:46 AM Analyzing “DOMAIN.TLD” …
11:01:46 AM TLS Status: Ready for Renewal
WARN Certificate expiry: 3/24/20, 1:17 AM UTC (27.64 days from now)
11:01:46 AM Attempting to ensure the existence of necessary CAA records …
11:01:46 AM No CAA records were created.
11:01:46 AM Verifying “Let’s Encrypt™”’s authorization on domains via DNS CAA records …
11:02:16 AM WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID s93jh3) DNS query (www.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID mmwe8g) DNS query (mail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID 3cgatn) DNS query (cpanel.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID huthyh) DNS query (webdisk.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID rjrjwa) DNS query (webmail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID jentjq) DNS query (autodiscover.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
“Let’s Encrypt™” is authorized to issue certificates for all domains.
11:02:16 AM Performing HTTP DCV (Domain Control Validation) on 7 domains …
11:02:46 AM ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether “DOMAIN.TLD” is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
11:02:46 AM No local DNS DCV is necessary.
11:02:46 AM Processing “USER”’s local DCV results …
11:02:46 AM Analyzing “DOMAIN.TLD”’s DCV results …
11:02:46 AM ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
11:02:46 AM The system has completed “USER”’s AutoSSL check.
The same domain with certbot-auto from the command line gives this:

Code:
./certbot-auto certonly -n -d DOMAIN.TLD -d autodiscover.DOMAIN.TLD -d cpanel.DOMAIN.TLD -d webdisk.DOMAIN.TLD -d webmail.DOMAIN.TLD -d mail.DOMAIN.TLD -d www.DOMAIN.TLD -d www.DOMAIN.TLD -d mail.DOMAIN.TLD --webroot -w /home/USERHOME/public_html --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for autodiscover.DOMAIN.TLD
http-01 challenge for cpanel.DOMAIN.TLD
http-01 challenge for mail.DOMAIN.TLD
http-01 challenge for DOMAIN.TLD
http-01 challenge for webdisk.DOMAIN.TLD
http-01 challenge for webmail.DOMAIN.TLD
http-01 challenge for www.DOMAIN.TLD
Using the webroot path /home/USERHOME/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
   Your cert will expire on 2020-05-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
I also applied for a wildcard certificate:

Code:
./certbot-auto certonly -n -d '*.DOMAIN.TLD' --manual --preferred-challenges dns --manual-auth-hook /myscripts/ssl/dnstxt.sh --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for DOMAIN.TLD
Running manual-auth-hook command: /myscripts/ssl/dnstxt.sh
Output from manual-auth-hook command dnstxt.sh:
DOMAIN.TLD
1ZsLqaUpYpUPgQ3ssR-ZVoLr_r0sTnqEI6xzjCFPt4c
---
metadata:
  command: addzonerecord
  reason: "\n"
  result: 1
  version: 1
whmapi1 addzonerecord domain=DOMAIN.TLD name=_acme-challenge class=IN ttl=86400 type=TXT txtdata=1ZsLqaUpYpUPgQ3ssR-ZVoLr_r0sTnqEI6xzjCFPt4c

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD-0001/privkey.pem
   Your cert will expire on 2020-05-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now:
- same issuer (Let's Encrypt)
- AutoSSL isn't working (I think it's using the webroot check because of the "well-known" folders in the webroots)
- certbot-auto works (with webroot and DNS challenge)
- firewall is off

Logic suggests that it is a cPanel problem... what do you think?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,259
313
Houston
So it is normal for port 53 to be closed on the hosting server during an nmap scan (tcp/udp).
I can attest to this as well if you're not running a nameserver on the webserver - nothing is listening on 53 and it shows as closed. I also apologize as I missed that you had tested this with a nameserver installed previously.

Also, keep in mind that Sectigo and Let's Encrypt are completely separate and the process for AutoSSL with Sectigo is a LOT different than CertBot's Let's Encrypt.

That wouldn't be the issue then, since the port is open, which brings us back to it originating from dnsroots being unable to complete. The biggest issue, from what I can see, is that it doesn't perform the HTTP DCV check; it looks like it stops with DNS when it fails.

A really interesting ticket came through in regard to dnsmasq intercepting and responding to DNS queries and I wonder if that's similar to what's going on here. I asked previously but it's pretty important to know now, are your servers NAT routed? If so I am curious if we're running into a similar issue as the ticket I found. You might be able to test this (if they are NAT routed) by doing something like the following:

Code:
dig @publicIP version.bind txt chaos +short
You'd need pdns or bind on the server for this to function properly and it might be best to do this with one of them installed to rule out the cluster as an issue.

Are you using cPanel's DNS Clustering or a custom configuration?
 

Kati1509

Registered
Aug 22, 2019
3
0
1
Santiago
cPanel Access Level
Root Administrator
Hi, I have this issue and my server is NAT routed. What can I do?

6:15:48 PM Analyzing “domain.com” …
6:15:48 PM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
6:15:48 PM Attempting to ensure the existence of necessary CAA records …
6:15:48 PM No CAA records were created.
6:15:48 PM Verifying 3 domains’ DNS management …
Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
6:16:02 PM WARN DNS query error (www.domain.com/NS): SERVFAIL (2)
6:16:03 PM WARN DNS query error (domain.com/CAA): SERVFAIL (2)
6:16:03 PM CA authorized: “domain.com”
6:16:05 PM WARN DNS query error (mail.domain.com/NS): SERVFAIL (2)
6:16:08 PM WARN DNS query error (domain.com/NS): SERVFAIL (2)
6:16:08 PM ERROR DNS does not manage “domain.com”.
ERROR DNS does not manage “www.domain.com”.
ERROR DNS does not manage “mail.domain.com”.
DNS does not manage any of this user’s 3 domains.
6:16:14 PM WARN DNS query error (mail.domain.com/CAA): SERVFAIL (2)
6:16:14 PM CA authorized: “mail.domain.com”
6:16:14 PM WARN DNS query error (www.domain.com/CAA): SERVFAIL (2)
6:16:14 PM CA authorized: “www.domain.com”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 3 of this user’s 3 domains.
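To make concrete what the "Verifying ... authorization ... via DNS CAA records" step in these logs is deciding, here is a CAA authorization check written for this thread (it is not cPanel's or Certbot's code), following the RFC 8659 rule of climbing toward the root until a name with CAA records is found. The zone data and `fake_lookup` function are constructed stand-ins for real DNS answers, and a SERVFAIL/timeout is reported as a separate "undetermined" outcome rather than decided either way.

```python
"""CAA authorization in the spirit of RFC 8659 (added example, not cPanel's
code). lookup(name) returns that name's CAA records, [] when none exist, or
raises LookupFailed on SERVFAIL/timeout, the condition in the log above."""
from collections import namedtuple

class LookupFailed(Exception):
    """Resolver timed out or returned SERVFAIL; CAA state is unknown."""

CAA = namedtuple("CAA", "flags tag value")  # flags bit 128 = issuer-critical

def relevant_caa(name, lookup):
    """Climb toward the root; the closest name holding CAA records wins."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = lookup(".".join(labels))      # may raise LookupFailed
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def caa_allows(fqdn, ca_id, lookup):
    """Return 'authorized', 'denied' or 'undetermined' for ca_id issuing fqdn.
    A leading '*.' selects issuewild semantics when such records exist."""
    wildcard = fqdn.startswith("*.")
    try:
        rrset = relevant_caa(fqdn[2:] if wildcard else fqdn, lookup)
    except LookupFailed:
        return "undetermined"        # lookup failed: CAA state unknown
    if not rrset:
        return "authorized"          # no CAA anywhere: any CA may issue
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return "denied"              # unknown issuer-critical property
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = {r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag}
    if not allowed:
        return "authorized"          # e.g. only iodef records: no restriction
    return "authorized" if ca_id.lower() in allowed else "denied"

# Constructed zone data standing in for real DNS answers (not a real zone).
ZONE = {
    "domain.com": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", "sectigo.com")],
    "broken.tld": LookupFailed,     # the resolver cannot answer for this zone
}

def fake_lookup(name):
    rec = ZONE.get(name, [])
    if rec is LookupFailed:
        raise LookupFailed(name)
    return rec
```

With this constructed zone, a non-wildcard name under domain.com authorizes only letsencrypt.org, the wildcard name authorizes only sectigo.com via issuewild, and any name under broken.tld comes back undetermined because the CAA lookup fails.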
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,259
313
Houston
Are DNS lookups successful on the server? For example, can you telnet to another server? Is the domain managed, i.e., is it registered and does it resolve to the server?