SOLVED AutoSSL Renew: DNS DCV – Returned No "TXT" Record

Discussion in 'Security' started by Selwyn Cohen, Mar 31, 2019.

  1. Selwyn Cohen

    Selwyn Cohen Member

    Joined:
    Jan 28, 2016
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    Last night my server started spamming me with renew failed errors for a lot (if not all) of the domains running on my server.

    DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.nl” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=P41vq7hHOPfatYqayo0grwo4PLrG5NUIOFHnhDkKTeMed5qoeLzoF6m_Z2G1EZnJ”.;

    HTTP DCV: The system queried for a temporary file at “http://example.nl/.well-known/pki-validation/64F6D9F02724FEF6B064F456C539A973.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

    Recently I switched from LetsEncrypt to cPanel's own and when I switched over there also seemed to be no problems. Now that the server is trying to renew the certs I am having problems.

    The TXT file is not generated in the user's folder, the folder is.

    I had some problems with Mail verification during mail test, so I added a DKIM TXT record for every domain. And changed my exim conf option “Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.” to OFF to fix SMTP Transaction Time timeouts. I doubt it has anything to do with this.

    Hope someone can help me out with this, as all the certificates are running out in 5 days.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,005
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Selwyn Cohen,

    Can you open a support ticket so we can take a closer look at the system to see why the AutoSSL validation process is failing for your domains? Post the ticket number here once it's opened and I'll link this thread to it.

    Thank you.
     
  3. Sadie Gecke

    Sadie Gecke Registered

    Joined:
    Apr 2, 2019
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    76
    Location:
    Minneapolis, Minnesota
    cPanel Access Level:
    Website Owner
    Hello, I received a very similar email message this morning. I have also opened the following CPanel support ticket:

    Your Support Request ID is: 11836253.

    I am the domain and site owner. My hosting service uses CPanel version 78. Thank you for your help.
     
  4. Selwyn Cohen

    Selwyn Cohen Member

    Hey Michael, I created a support ticket: 11836687


    Thanks for your help!
     
    #4 Selwyn Cohen, Apr 2, 2019
    Last edited by a moderator: Apr 3, 2019
    cPanelMichael likes this.
  5. Sadie Gecke

    Sadie Gecke Registered

    My hosting provider and CPanel's ticket support resolved my issue. Since I use Cloudflare, I had to pause CF on the particular domain with this issue, run AutoSSL within my domain's CPanel, then resume CF on this domain. It's a little inconvenient that I will have to do this for my domains every 90 days, but oh well... My hosting provider said he thinks that CPanel is working to resolve this issue. Fingers crossed!
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    To update, it looks like this was the result of a non-working AAAA record in the domain's DNS zone. A misconfigured AAAA DNS zone record will cause DCV to fail, even if the domain uses a properly configured IPv4 address.

    Here's a quote from the Version 78 Release Notes explaining how we altered HTTP DCV to prioritize IPv6 addresses over IPv4 addresses:

    Thus, removing the bad AAAA record from the domain's DNS zone or adjusting the IPv6 configuration on the system so that the domain resolves to a valid IPv6 address will solve the issue.

    Did you check to see if the IPv6 address assigned to the affected domain was working correctly?

    Thank you.
     
  7. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    83
    Likes Received:
    12
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    I also ran into this issue today with a domain that uses Cloudflare. I'm not seeing any AAAA records on the server or in the Cloudflare configuration, so not sure what the fix is?
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hi @Tearabite,

    Can you share the specific AutoSSL log output from WHM >> Manage AutoSSL for the affected domain? Ensure to paste the output in CODE tags and replace real domain names and IP addresses with examples.

    Also, please post the output from the command below:

    Code:
    cat /usr/local/cpanel/version
    Thank you.
     
  9. Tearabite

    Tearabite Well-Known Member

    Thanks @cPanelMichael

    We ended up pausing Cloudflare and forcing AutoSSL to renew the certs, so now I have 89 days to prevent it from happening again.. the problem was with the mail.fakeaccount domain.

    # cat /usr/local/cpanel/version
    11.76.0.21

    Code:
    Log for the AutoSSL run for “AfakeAccount”: Wednesday, April 3, 2019 1:37:22 PM GMT-0700 (cPanel (powered by Comodo))
    
     1:37:22 PM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
     This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
     Checking websites for “AfakeAccount” …
     1:37:23 PM Analyzing “xyz.AfakeAccountldie.com” …
     1:37:23 PM TLS Status: Incomplete
     Certificate expiry: 7/2/19, 12:00 AM UTC (89.14 days from now)
     1:37:23 PM Analyzing “AfakeAccountldie.com” …
     1:37:23 PM TLS Status: Incomplete
     Certificate expiry: 7/3/19, 12:00 AM UTC (90.14 days from now)
     1:37:23 PM Analyzing “fakedomain.AfakeAccountldie.com” …
     1:37:23 PM TLS Status: Incomplete
     Certificate expiry: 7/2/19, 12:00 AM UTC (89.14 days from now)
     1:37:23 PM Performing DCV (Domain Control Validation) …
     1:37:23 PM Local HTTP DCV OK: xyz.net
     Local HTTP DCV OK: fakedomain.com
     WARN Local HTTP DCV error (AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://AfakeAccountldie.com/.well-known/pki-validation/D874BDF309D268528C1C0F74A286447A.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://AfakeAccountldie.com/.well-known/pki-validation/D874BDF309D268528C1C0F74A286447A.txt” because of an error: Could not connect to 'AfakeAccountldie.com:80': Network is unreachable . The domain “AfakeAccountldie.com” resolved to an IP address “2606:4700:30:0:0:0:681c:1c55” that does not exist on this server.
     Local HTTP DCV OK: www.xyz.net (via xyz.net)
     Local HTTP DCV OK: mail.xyz.net (via xyz.net)
     Local HTTP DCV OK: www.fakedomain.com (via fakedomain.com)
     Local HTTP DCV OK: cpanel.xyz.net (via xyz.net)
     WARN Local HTTP DCV error (www.AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://www.AfakeAccountldie.com/.well-known/pki-validation/B82D8A09038F7028C07D673A9A04BB8A.txt” because of an error (cached): Could not connect to '2606:4700:30:0:0:0:681c:1c55:80': Network is unreachable .
     Local HTTP DCV OK: mail.fakedomain.com (via fakedomain.com)
     Local HTTP DCV OK: webdisk.xyz.net (via xyz.net)
     Local HTTP DCV OK: webmail.xyz.net (via xyz.net)
     WARN Local HTTP DCV error (mail.AfakeAccountldie.com): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.AfakeAccountldie.com/.well-known/pki-validation/3482F109F84F13321CFC1F9A0B307517.txt” because of an error (cached): Could not connect to '2606:4700:30:0:0:0:681c:1c55:80': Network is unreachable .
     Local HTTP DCV OK: cpanel.fakedomain.com (via fakedomain.com)
     Local HTTP DCV OK: cpanel.AfakeAccountldie.com
     Local HTTP DCV OK: webdisk.fakedomain.com (via fakedomain.com)
     Local HTTP DCV OK: webmail.fakedomain.com (via fakedomain.com)
     Local HTTP DCV OK: webdisk.AfakeAccountldie.com
     Local HTTP DCV OK: webmail.AfakeAccountldie.com
     WARN Local HTTP DCV error (xyz.AfakeAccountldie.com): “xyz.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
     WARN Local HTTP DCV error (fakedomain.AfakeAccountldie.com): “fakedomain.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
     WARN Local HTTP DCV error (www.xyz.AfakeAccountldie.com): “www.xyz.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
     WARN Local HTTP DCV error (www.fakedomain.AfakeAccountldie.com): “www.fakedomain.AfakeAccountldie.com” does not resolve to any IP addresses on the internet.
     1:37:30 PM ERROR Local DNS DCV error (AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     ERROR Local DNS DCV error (www.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     ERROR Local DNS DCV error (mail.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     ERROR Local DNS DCV error (xyz.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     ERROR Local DNS DCV error (fakedomain.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     ERROR Local DNS DCV error (www.xyz.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     ERROR Local DNS DCV error (www.fakedomain.AfakeAccountldie.com): The DNS query to “_cpanel-dcv-test-record.AfakeAccountldie.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=pq9DHh15Km0T0tcJIr7wu5f97iigRBUdzPBC65tZmpLdaPt64EhsdPNgVB6VZSjm”.
     1:37:30 PM Analyzing “xyz.AfakeAccountldie.com”’s DCV results …
     1:37:30 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
     1:37:30 PM Analyzing “AfakeAccountldie.com”’s DCV results …
     1:37:30 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
     1:37:30 PM Analyzing “fakedomain.AfakeAccountldie.com”’s DCV results …
     1:37:30 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
     1:37:30 PM The system has completed the AutoSSL check for “AfakeAccount”.
    
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    The log output quoted above shows that AutoSSL was attempting to connect to an IPv6 address that wasn't reachable. Case CPANEL-25899 fixes this in version 78.0.15:

    Implemented case CPANEL-25899: Fallback to IPv4 DCV when IPv6 DCV fails for known proxies.

    Can you verify if the issue persists after updating to cPanel & WHM version 78?

    Thank you.
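
Added example (not part of the original thread and not cPanel's code): a short Python triage of AutoSSL log text in the format posted above, grouping DCV failures by cause so the domains whose HTTP DCV went to an IPv6 address stand out from DNS TXT and resolution failures. The sample lines, `example.com` and `2001:db8::1` are constructed placeholders, and the cause labels are this example's own names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the AutoSSL log quoted in this thread;
# example.com and 2001:db8::1 are placeholders, not values from the thread.
SAMPLE_LOG = """\
 Local HTTP DCV OK: cpanel.example.com
 WARN Local HTTP DCV error (example.com): Could not connect to 'example.com:80': Network is unreachable . The domain “example.com” resolved to an IP address “2001:db8:0:0:0:0:0:1” that does not exist on this server.
 WARN Local HTTP DCV error (www.example.com): because of an error (cached): Could not connect to '2001:db8:0:0:0:0:0:1:80': Network is unreachable .
 WARN Local HTTP DCV error (dev.example.com): “dev.example.com” does not resolve to any IP addresses on the internet.
 ERROR Local DNS DCV error (example.com): The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=CONSTRUCTED”.
"""

ERR = re.compile(r"(?:WARN|ERROR) Local (HTTP|DNS) DCV error \(([^)]+)\): (.*)")
RESOLVED = re.compile(r"resolved to an IP address “([^”]+)”")
CONNECT = re.compile(r"Could not connect to '([^']+)'")

def _as_ipv6(text):
    """Return the compressed IPv6 form of text, or None if it is not IPv6."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return ip.compressed if ip.version == 6 else None

def classify(line):
    """Map one log line to (domain, cause, ipv6_or_None); None if not a DCV error."""
    m = ERR.search(line)
    if not m:
        return None
    kind, domain, detail = m.groups()
    if kind == "DNS":
        return domain, "dns_txt_missing", None
    if "does not resolve to any IP addresses" in detail:
        return domain, "no_dns_resolution", None
    r, c = RESOLVED.search(detail), CONNECT.search(detail)
    addr = _as_ipv6(r.group(1)) if r else None
    if addr is None and c:
        # The connect target is 'host:port'; drop the port before parsing.
        addr = _as_ipv6(c.group(1).rpartition(":")[0])
    return (domain, "http_via_ipv6", addr) if addr else (domain, "http_other", None)

def triage(log_text):
    """Group failing domains by cause and collect the IPv6 addresses involved."""
    by_cause, addrs = defaultdict(set), set()
    for domain, cause, addr in filter(None, map(classify, log_text.splitlines())):
        by_cause[cause].add(domain)
        addrs.update([addr] if addr else [])
    return {k: sorted(v) for k, v in by_cause.items()}, sorted(addrs)
```

Calling `triage()` on a saved log returns the failing domains per cause plus the IPv6 addresses to compare against the server's own addresses and the zone's AAAA records.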
     
  11. Tearabite

    Tearabite Well-Known Member

    Thanks CPM -
    Any idea (or a link that shows) when V78 will go "Stable" ?
     
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    It's tentatively planned for publication next week, but note that publication dates are always subject to change.

    Thank you.
     
    Tearabite likes this.