AutoSSL not renewing on subdomains with (TLS incomplete)

weswillis

Registered
Apr 24, 2018
3
0
1
Cleveland, OH
cPanel Access Level
Root Administrator
My SSL certificates provided by let's encrypt and set up using cpanel's autossl are not automatically renewing.


I have 3 domains with about 12 subdomains on one of them.
Autossl runs every 24 hours (I have the logs) but the certificates are close to expiration (some of them within 30 days, 1 of them expired 3 days ago) but did not renew.

These certificates were all issued by let's encrypt, I've had let's encrypt and autossl
installed for over a year. I do have my SSH port number changed from the default if that is meaningful.


THE AUTOSSL checks run every 24 hours and I have the logs from the past 30 days to see that it runs.

I have about a dozen subdomains of 1 domain, and most, but not all - have the entry of
"TLS Status: Incomplete" in the autossl logs.

Ther are a few of them though that do say:
TLS Status: OK

Their certificates expire at different dates, but 1 of them has expired within the past week and it did not auto renew.

I did find a pattern though:

the subdomains that have a TLS status of "OK"
do not have the following type of listing in the autossl log:

Local HTTP DCV error (www.subdomainname.domainname.tld): “www.subdomainname.domainname.tld” does not resolve to any IPv4 addresses on the internet.

What I've done:

I did more searching and found SOLVED - AutoSSL Not Generating Signing Request

But I did confirm that I do have A records (ones that are www.subdomainname and subdomainname ) for all of my subdomains.

found
AutoSSL does not resolve to any IPv4 addresses on the internet.

which suggested to output
cat /var/cpanel/cpnat

and then run
/scripts/build_cpnat
if the cat outputted nothing; I did that;
and then re-ran the autossl script within cpanel; and same result
(I did it once more; then as sudo, and same result)

What other steps should I take?
 

weswillis

Registered
Apr 24, 2018
3
0
1
Cleveland, OH
cPanel Access Level
Root Administrator
I also modified my ssh port back to the default; restarted ssh service; and confirmed that I was unable to login using the old (changed) port; ran the autossl once more; and still received the same results in the log.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,845
544
263
Houston
cPanel Access Level
DataCenter Provider
Hi @weswillis


Is the error in the AutoSSL logs for the domains that do not pass that they don't resolve to any IP addresses on the internet? You did specify that the ones without the error did not have that error, just wanted to make sure that the ones that didn't pass did.

which suggested to output
cat /var/cpanel/cpnat

and then run
/scripts/build_cpnat
if the cat outputted nothing; I did that;
This is only valid if you've got a NAT routed setup if your server isn't NAT routed this won't be useful.

What is the output of the following and do they match? (please remove the actual IP)

Code:
 grep IP /var/cpanel/users/$user
grep ip /var/cpanel/userdata/$user/sub.domain.tld
 

weswillis

Registered
Apr 24, 2018
3
0
1
Cleveland, OH
cPanel Access Level
Root Administrator
Hi @weswillis


Is the error in the AutoSSL logs for the domains that do not pass that they don't resolve to any IP addresses on the internet? You did specify that the ones without the error did not have that error, just wanted to make sure that the ones that didn't pass did.
I've confirmed that yes, the Local HTTP DCV error (immediately below) for a particular subdomain is only present when that same subdomain has entry of "TLS Status: Incomplete".

Local HTTP DCV error (www.subdomainname.domainname.tld): “www.subdomainname.domainname.tld” does not resolve to any IPv4 addresses on the internet.


Over the weekend, interestingly a lot has changed;
autossl ran about 15-20 times in 1 day while I was away, which is quite unusual (I check logs, normally
it only runs once per day).

Additionally, 3 of my subdomain certificates renewed (2 of which were ready for renewal, 1 was already expired).

A new error appears in the log well as follows:

ERROR Local DNS DCV error (www.subdomainname.domainname.tld): The DNS query to “_cpanel-dcv-test-record.domainname.tld” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record={A-LONG-HASH-STRING}”.

I've confirmed that these LOCAL DNS DCV errors only occur for entries that have the "TLS Status: Incomplete" on them.

I also found
AutoSSL DNS DCV – Returned No "TXT" Record
which I think maybe the culprit here;

I am using v74.0.6 of whm.
===

I checked as instructed;

grep IP /var/cpanel/users/$user
grep ip /var/cpanel/userdata/$user/sub.domain.tld

the IP addresses at the 2 above commands match

the contents of grep ip /var/cpanel/userdata/$user/sub.domain.tld is
ip: **.**.**.**
ipv6: ~
scriptalias: