
AutoSSL Renew Issue

Discussion in 'Security' started by nelsomnio, Apr 15, 2019.

  1. nelsomnio

    nelsomnio Member

    Joined:
    Jun 28, 2018
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Chile
    cPanel Access Level:
    DataCenter Provider
    Hi everyone,

    Last week, cPanel began to renew many certificates of our clients, distributed throughout our 8 cPanel servers, so they began to get several notifications.

    So last Friday, I ran AutoSSL again (as usual), but today, Monday, I came across the surprise that everyone (almost everyone, or at least those whose certificates were being renewed) is showing the following error message (one example of many):

    (CENTOS 7.6 vmware [cp178] v78.0.20)
    i.imgur.com/a0vMq5r.png
    It is important to mention that the DNS servers are remote; we manage them on another server. We have always worked this way, renewing certificates without major inconveniences.

    As far as I could understand, cPanel is querying TXT records (for each domain) to verify the SSL certificate. Unfortunately, do I have to add records like "_cpanel-dcv-test-record" to our clients' DNS manually, one by one?

    Is there another way to renew the certificates? Since we have more than a thousand clients, this is very counterproductive.

    I will be very grateful for your guidance.

    Many thanks.

    For some reason, the screenshot with the logs is no longer visible.

    Here it is :)

    Attached Files:

    #1 nelsomnio, Apr 15, 2019
    Last edited by a moderator: Apr 15, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @nelsomnio

    We use two DCV checks: the first is the HTTP DCV, which is a curl request, and the fallback (second) is a DNS DCV check. In your case the DNS DCV check won't work, as you're using remote DNS. The HTTP DCV check needs to succeed in order for your domain to retrieve a certificate.

    To troubleshoot issues, a lot of times I'll use the following to check (you would need to add the test.txt file to the pki-validation directory for this to work):

    Code:
    curl -kvv domain.tld/.well-known/pki-validation/test.txt
    When you run that let us know if the IP matches the IP of your server (don't include the actual IP address) and if it's successful.
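The HTTP DCV step described above, as an added example (not cPanel's own code): a local simulation that serves a token file under /.well-known/pki-validation/ on 127.0.0.1 and then runs the checks an administrator would run by hand with curl, namely resolving the host, comparing the resolved IP with the IP the web server is expected to have, fetching the file over plain HTTP, and comparing the body with the token. The domain, file name and token are constructed for this example in the same shape as the ones in the thread; the expected-IP comparison is what tells you whether a remote DNS zone is pointing the name at the wrong box.

```python
"""Added example, not cPanel code: a local simulation of the HTTP DCV check.

A throwaway HTTP server stands in for the customer's vhost docroot and serves
one token file under /.well-known/pki-validation/. http_dcv_check() then does
what the CA (and the curl test in the thread) does: resolve the name, confirm
it points at the expected server IP, GET the file, compare the body.
"""
import http.server
import socket
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed values (same shape as the thread's: hex file name, URL-safe token).
DCV_FILENAME = "A32F631917A4AC53FAEC173769F9DE71.txt"
DCV_TOKEN = "BDa9MXmlH_bi_x6UMir3VRSXBYRBcuAa3Nn0Rj0J6jRFcceMh4ckKjoldtS_ElmZ"
DCV_PATH = "/.well-known/pki-validation/" + DCV_FILENAME


class _DcvHandler(http.server.BaseHTTPRequestHandler):
    """Serve the token at DCV_PATH and 404 everywhere else (stand-in for the docroot)."""

    def do_GET(self):
        if self.path == DCV_PATH:
            body = DCV_TOKEN.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_dcv_server():
    """Start the throwaway server on an ephemeral port; return (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _DcvHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def http_dcv_check(host, port, expected_ip, filename, expected_token, timeout=5):
    """Mirror the HTTP DCV steps and return a dict so each failure mode is visible.

    ip_matches   - the name resolves to the server that holds the docroot
    status       - HTTP status of the pki-validation fetch (200 is required)
    body_matches - the served body equals the token cPanel wrote to disk
    """
    result = {"resolved_ip": None, "ip_matches": False, "status": None,
              "body_matches": False, "ok": False, "error": None}
    try:
        # Step 1: where does the name point? With remote DNS, a stale A record
        # sends the CA's request to a host that never had the token file.
        result["resolved_ip"] = socket.gethostbyname(host)
        result["ip_matches"] = result["resolved_ip"] == expected_ip
        # Step 2: fetch the file exactly where the CA expects it, over plain HTTP.
        url = "http://%s:%d/.well-known/pki-validation/%s" % (host, port, filename)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = resp.status
            body = resp.read().decode("utf-8", "replace").strip()
        result["body_matches"] = body == expected_token
    except urllib.error.HTTPError as exc:
        result["status"] = exc.code
        result["error"] = "HTTP %d" % exc.code
    except (OSError, urllib.error.URLError) as exc:
        result["error"] = str(exc)
    result["ok"] = result["ip_matches"] and result["status"] == 200 and result["body_matches"]
    return result


def run_demo():
    """Run one passing check and one failing check (file not present) locally.

    In real use the host is the customer domain and expected_ip the cPanel
    server's public address; 127.0.0.1 is used here so the example runs offline.
    """
    server, port = start_dcv_server()
    try:
        good = http_dcv_check("127.0.0.1", port, "127.0.0.1", DCV_FILENAME, DCV_TOKEN)
        missing = http_dcv_check("127.0.0.1", port, "127.0.0.1", "missing.txt", DCV_TOKEN)
    finally:
        server.shutdown()
        server.server_close()
    return good, missing


if __name__ == "__main__":
    good, missing = run_demo()
    print("token file present:", good)
    print("token file missing:", missing)
```

Run it as a script to see both outcomes side by side; a real check would substitute the customer's domain, the server's public IP and the file name cPanel actually wrote, and a 404 or a mismatched IP pinpoints which of the two steps the CA is failing on.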
  3. nelsomnio

    nelsomnio Member

    Joined:
    Jun 28, 2018
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Chile
    cPanel Access Level:
    DataCenter Provider
    Hi, thanks for the response!

    MYSITE.cl: example domain (currently in the server)
    200.29.0.XXX: IP cPanel.
    cp178.XXX.cl: DNS cPanel


    This is the output:
    Code:
    [[email protected] /]# curl -kvv MYSITE.cl/.well-known/pki-validation/A32F631917A4AC53FAEC173769F9DE71.txt
    * About to connect() to MYSITE.cl port 80 (#0)
    *   Trying 200.29.0.XXX...
    * Connected to MYSITE.cl (200.29.0.XXX) port 80 (#0)
    > GET /.well-known/pki-validation/A32F631917A4AC53FAEC173769F9DE71.txt HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: MYSITE.cl
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Tue, 16 Apr 2019 19:16:32 GMT
    < Server: Apache
    < Last-Modified: Wed, 10 Apr 2019 13:26:28 GMT
    < Accept-Ranges: bytes
    < Content-Length: 64
    < Content-Type: text/plain
    <
    * Connection #0 to host MYSITE.cl left intact
    BDa9MXmlH_bi_x6UMir3VRSXBYRBcuAa3Nn0Rj0J6jRFcceMh4ckKjoldtS_ElmZ

    This is a ping directly to the DNS name of the page (MYSITE.cl -> 200.29.0.XXX [server]), which resolves correctly:

    Code:
    [[email protected] /]# ping MYSITE.cl
    PING MYSITE.cl (200.29.0.XXX) 56(84) bytes of data.
    64 bytes from cp178.XXX.cl (200.29.0.XXX): icmp_seq=1 ttl=64 time=0.034 ms
    64 bytes from cp178.XXX.cl (200.29.0.XXX): icmp_seq=2 ttl=64 time=0.047 ms
    64 bytes from cp178.XXX.cl (200.29.0.XXX): icmp_seq=3 ttl=64 time=0.042 ms
    64 bytes from cp178.XXX.cl (200.29.0.XXX): icmp_seq=4 ttl=64 time=0.032 ms
    ^C
    --- MYSITE.cl ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.032/0.038/0.047/0.009 Fpas
    Additionally, I attach DNS check resolution tests:

    Attached Files:

    #3 nelsomnio, Apr 16, 2019
    Last edited: Apr 16, 2019
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @nelsomnio


    If you run that domain through something like intodns.com's check do you get any errors back?
  5. nelsomnio

    nelsomnio Member

    Joined:
    Jun 28, 2018
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Chile
    cPanel Access Level:
    DataCenter Provider
    I just did tests with intoDNS for the same domain "MYSITE.cl"

    The only messages it shows are informative:
    • Different subnets: WARNING: Not all of your nameservers are in different subnets
    • Different autonomous systems: WARNING: Single point of failure
    • SOA MNAME entry WARNING: SOA MNAME (dns1.XXX.net) is not listed as a primary nameserver at your parent nameserver!
    I doubt that this caused a problem; anyway, I attach the DNS zone of the same example domain.

    What other kind of test can I do?, thank you very much!

    Attached Files:

  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!