SOLVED AutoSSL Renew: DNS DCV – Returned No "TXT" Record

Selwyn Cohen

Member
Jan 28, 2016
11
1
3
The Netherlands
cPanel Access Level
Root Administrator
Last night my server started spamming me with renew failed errors for a lot (if not all) of the domains running on my server.

DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.nl” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=P41vq7hHOPfatYqayo0grwo4PLrG5NUIOFHnhDkKTeMed5qoeLzoF6m_Z2G1EZnJ”.;

HTTP DCV: The system queried for a temporary file at “http://example.nl/.well-known/pki-validation/64F6D9F02724FEF6B064F456C539A973.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

Recently I switched from LetsEncrypt to cPanel's own and when I switched over there also seemed to be no problems. Now that the server is trying to renew the certs I am having problems.

The TXT file is not generated in the user's folder, the folder is.

I had some problems with Mail verification during mail test, so I added a DKIM TXT record for every domain. And changed my exim conf option “Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.” to OFF to fix SMTP Transaction Time timeouts. I doubt it has anything to do with this.

Hope someone can help me out with this, as all the certificates are running out in 5 days.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
Hello @Selwyn Cohen,

Can you open a support ticket so we can take a closer look at the system to see why the AutoSSL validation process is failing for your domains? Post the ticket number here once it's opened and I'll link this thread to it.

Thank you.
 

Sadie Gecke

Registered
Apr 2, 2019
2
0
76
Minneapolis, Minnesota
cPanel Access Level
Website Owner
Hello, I received a very similar email message this morning. I have also opened the following CPanel support ticket:

Your Support Request ID is: 11836253.

I am the domain and site owner. My hosting service uses CPanel version 78. Thank you for your help.
 

Selwyn Cohen

> Hello @Selwyn Cohen,
>
> Can you open a support ticket so we can take a closer look at the system to see why the AutoSSL validation process is failing for your domains? Post the ticket number here once it's opened and I'll link this thread to it.
>
> Thank you.

Hey Michael, I created a support ticket: 11836687


Thanks for your help!
 

Sadie Gecke

My hosting provider and CPanel's ticket support resolved my issue. Since I use Cloudflare, I had to pause CF on the particular domain with this issue, run AutoSSL within my domain's CPanel, then resume CF on this domain. It's a little inconvenient that I will have to do this for my domains every 90 days, but oh well... My hosting provider said he thinks that CPanel is working to resolve this issue. Fingers crossed!
 

cPanelMichael

Hello,

To update, it looks like this was the result of a non-working AAAA record in the domain's DNS zone. A misconfigured AAAA DNS zone record will cause DCV to fail, even if the domain uses a properly configured IPv4 address.

Here's a quote from the Version 78 Release Notes explaining how we altered HTTP DCV to prioritize IPv6 addresses over IPv4 addresses:

> IPv6 HTTP Domain Control Validation (DCV)
> In cPanel & WHM version 78, we altered HTTP DCV to prioritize IPv6 addresses over IPv4 addresses.
>
> HTTP DCV will continue to use IPv4 addresses for DCV domains that do not have AAAA records. If an AAAA record exists, AutoSSL will attempt to run a DCV on the IPv6 address. Any misconfigured AAAA records will cause HTTP DCV to fail, even if you properly configure the A records. Alternatively, you can remove the AAAA records to use IPv4 exclusively.

Thus, removing the bad AAAA record from the domain's DNS zone or adjusting the IPv6 configuration on the system so that the domain resolves to a valid IPv6 address will solve the issue.

> Since I use Cloudflare, I had to pause CF on the particular domain with this issue, run AutoSSL within my domain's CPanel, then resume CF on this domain. It's a little inconvenient that I will have to do this for my domains every 90 days, but oh well... My hosting provider said he thinks that CPanel is working to resolve this issue.

Did you check to see if the IPv6 address assigned to the affected domain was working correctly?

Thank you.
 

cPanelMichael

> I also ran into this issue today with a domain that uses Cloudflare. I'm not seeing any AAAA records on the server or in the Cloudflare configuration, so not sure what the fix is?

Hi @Tearabite,

Can you share the specific AutoSSL log output from WHM >> Manage AutoSSL for the affected domain? Be sure to paste the output in CODE tags and replace real domain names and IP addresses with examples.

Also, please post the output from the command below:

Code:
cat /usr/local/cpanel/version

Thank you.
 

Tearabite

Well-Known Member
Nov 28, 2010
84
12
58
Southern California
cPanel Access Level
Root Administrator
Thanks @cPanelMichael

We ended up pausing Cloudflare and forcing AutoSSL to renew the certs, so now I have 89 days to prevent it from happening again.. the problem was with the mail.fakeaccount domain.

# cat /usr/local/cpanel/version
11.76.0.21

Code:
Log for the AutoSSL run for “AfakeAccount”: Wednesday, April 3, 2019 1:37:22 PM GMT-0700 (cPanel (powered by Comodo))

 1:37:22 PM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
 This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
 Checking websites for “AfakeAccount” …
 1:37:23 PM Analyzing “xyz.AfakeAccountldie.com” …
 1:37:23 PM TLS Status: Incomplete
 Certificate expiry: 7/2/19, 12:00 AM UTC (89.14 days from now)
 1:37:23 PM Analyzing “AfakeAccountldie.com” …
 1:37:23 PM TLS Status: Incomplete
 Certificate expiry: 7/3/19, 12:00 AM UTC (90.14 days from now)
 1:37:23 PM Analyzing “fakedomain.AfakeAccountldie.com” …
 1:37:23 PM TLS Status: Incomplete
 Certificate expiry: 7/2/19, 12:00 AM UTC (89.14 days from now)
 1:37:23 PM Performing DCV (Domain Control Validation) …
 1:37:23 PM Local HTTP DCV OK: xyz.net
 Local HTTP DCV OK: fakedomain.com
 WARN Local HTTP DCV error (AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://AfakeAccountldie.com/.well-known/pki-validation/D874BDF309D268528C1C0F74A286447A.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://AfakeAccountldie.com/.well-known/pki-validation/D874BDF309D268528C1C0F74A286447A.txt” because of an error: Could not connect to 'AfakeAccountldie.com:80': Network is unreachable . The domain “AfakeAccountldie.com” resolved to an IP address “2606:4700:30:0:0:0:681c:1c55” that does not exist on this server.
 Local HTTP DCV OK: www.xyz.net (via xyz.net)
 Local HTTP DCV OK: mail.xyz.net (via xyz.net)
 Local HTTP DCV OK: www.fakedomain.com (via fakedomain.com)
 Local HTTP DCV OK: cpanel.xyz.net (via xyz.net)
 WARN Local HTTP DCV error (www.AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://www.AfakeAccountldie.com/.well-known/pki-validation/B82D8A09038F7028C07D673A9A04BB8A.txt” because of an error (cached): Could not connect to '2606:4700:30:0:0:0:681c:1c55:80': Network is unreachable .
 Local HTTP DCV OK: mail.fakedomain.com (via fakedomain.com)
 Local HTTP DCV OK: webdisk.xyz.net (via xyz.net)
 Local HTTP DCV OK: webmail.xyz.net (via xyz.net)
 WARN Local HTTP DCV error (mail.AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.AfakeAccountldie.com/.well-known/pki-validation/3482F109F84F13321CFC1F9A0B307517.txt” because of an error (cached): Could not connect to '2606:4700:30:0:0:0:681c:1c55:80': Network is unreachable .
 Local HTTP DCV OK: cpanel.fakedomain.com (via fakedomain.com)
 Local HTTP DCV OK: cpanel.AfakeAccountldie.com
 Local HTTP DCV OK: webdisk.fakedomain.com (via fakedomain.com)
 Local HTTP DCV OK: webmail.fakedomain.com (via fakedomain.com)
 Local HTTP DCV OK: webdisk.AfakeAccountldie.com
 Local HTTP DCV OK: webmail.AfakeAccountldie.com
 WARN Local HTTP DCV error (xyz.AfakeAccountldie.com): “xyz.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
 WARN Local HTTP DCV error (fakedomain.AfakeAccountldie.com): “fakedomain.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
 WARN Local HTTP DCV error (www.xyz.AfakeAccountldie.com): “www.xyz.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
 WARN Local HTTP DCV error (www.fakedomain.AfakeAccountldie.com): “www.fakedomain.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
 1:37:30 PM ERROR Local DNS DCV error (AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 ERROR Local DNS DCV error (www.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 ERROR Local DNS DCV error (mail.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 ERROR Local DNS DCV error (xyz.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 ERROR Local DNS DCV error (fakedomain.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 ERROR Local DNS DCV error (www.xyz.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 ERROR Local DNS DCV error (www.fakedomain.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
 1:37:30 PM Analyzing “xyz.AfakeAccountldie.com”’s DCV results …
 1:37:30 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
 1:37:30 PM Analyzing “AfakeAccountldie.com”’s DCV results …
 1:37:30 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
 1:37:30 PM Analyzing “fakedomain.AfakeAccountldie.com”’s DCV results …
 1:37:30 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
 1:37:30 PM The system has completed the AutoSSL check for “AfakeAccount”.
 

cPanelMichael

> WARN Local HTTP DCV error (www.AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://www.AfakeAccountldie.com/.well-known/pki-validation/B82D8A09038F7028C07D673A9A04BB8A.txt” because of an error (cached): Could not connect to '2606:4700:30:0:0:0:681c:1c55:80': Network is unreachable .

The log output quoted above shows that AutoSSL was attempting to connect to an IPv6 address that wasn't reachable. Case CPANEL-25899 fixes this in version 78.0.15:

> Implemented case CPANEL-25899: Fallback to IPv4 DCV when IPv6 DCV fails for known proxies.

> # cat /usr/local/cpanel/version
> 11.76.0.21

Can you verify if the issue persists after updating to cPanel & WHM version 78?

Thank you.
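
Added example (not part of any post in this thread and not cPanel code): the Python below triages AutoSSL log lines of the kind quoted above, grouping each failing domain by cause and handling the unbracketed `address:port` form the log uses for IPv6 connect targets. The sample log, the `*.example` names, the cause labels and the treatment of 2606:4700::/32 as a Cloudflare proxy range are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample, shortened ("...") from the AutoSSL log format quoted in this thread.
SAMPLE_LOG = """\
 Local HTTP DCV OK: fakedomain.example
 WARN Local HTTP DCV error (proxied.example): ... Could not connect to 'proxied.example:80': Network is unreachable . The domain “proxied.example” resolved to an IP address “2606:4700:30:0:0:0:681c:1c55” that does not exist on this server.
 WARN Local HTTP DCV error (www.proxied.example): ... because of an error (cached): Could not connect to '2606:4700:30:0:0:0:681c:1c55:80': Network is unreachable .
 WARN Local HTTP DCV error (sub.proxied.example): “sub.proxied.example” does not resolve to any IP addresses on the internet.
 1:37:30 PM ERROR Local DNS DCV error (proxied.example): The DNS query to “_cpanel-dcv-test-record.proxied.example” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=CONSTRUCTED”.
"""
ERR = re.compile(r"(HTTP|DNS) DCV error \(([^)]+)\): (.*)")
QUOTED_IP = re.compile(r"IP address “([^”]+)”")
CONNECT = re.compile(r"Could not connect to '([^']+)'")
# Assumption: 2606:4700::/32 is one of Cloudflare's published IPv6 ranges; verify against the current list.
PROXY_V6 = ipaddress.ip_network("2606:4700::/32")

def _ipv6_from(detail):
    """Return the IPv6 address named in an error detail, or None."""
    candidates = QUOTED_IP.findall(detail)
    # The connect target is logged as address:port without brackets, so strip the final ":port".
    candidates += [target.rpartition(":")[0] for target in CONNECT.findall(detail)]
    for text in candidates:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # e.g. "proxied.example" from a hostname:port target
        if addr.version == 6:
            return addr
    return None

def triage(log_text):
    """Map each failing domain to the set of DCV failure causes logged for it."""
    causes = {}
    for method, domain, detail in ERR.findall(log_text):
        if method == "DNS":
            cause = "dns-txt-missing"
        elif "does not resolve" in detail:
            cause = "no-address"
        elif (addr := _ipv6_from(detail)) is not None:
            cause = "ipv6-proxy" if addr in PROXY_V6 else "ipv6-unreachable"
        else:
            cause = "http-other"
        causes.setdefault(domain, set()).add(cause)
    return causes

def aaaa_suspects(log_text):
    """Domains whose HTTP DCV was attempted over IPv6 and failed."""
    return sorted(d for d, c in triage(log_text).items() if c & {"ipv6-proxy", "ipv6-unreachable"})
```

Domains returned by `aaaa_suspects` are the ones whose AAAA records (or proxy settings) are worth reviewing before the next renewal run.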
 

cPanelMichael

> Any idea (or a link that shows) when V78 will go "Stable" ?

It's tentatively planned for publication next week, but note that publication dates are always subject to change.

Thank you.
 