SOLVED AutoSSL update script throws dnsadmin error when renewing

[tudorh]

Hi,

Our main domain (also used for the host) suddenly won't renew whereas subdomains used by WHM are working ok.

So:
example.com - Old certificate (expired)
host.example.com/whm - New certificate

Both are AutoSSL certificates.

AutoSSL throws this error:

# /usr/local/cpanel/bin/autossl_check --user=example
AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “example”’s domains …
    Analyzing “demo.preview.example.com” (website) …
        TLS Status: Ready for Renewal
        Certificate expiry: 9/27/21, 12:00 AM UTC (4.7 days from now)
    Analyzing “example.com” (website) …
        TLS Status: Defective
        Defect: NO_SSL: No SSL certificate is installed.
    Attempting to ensure the existence of necessary CAA records …
        get_zones_for_domains(): dnsadmin failed to answer a request that it accepted. at /usr/local/cpanel/Cpanel/DnsUtils/AskDnsAdmin.pm line 130.
Failed to begin “example”’s DCV: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/local/cpanel/Cpanel/SSL/Auto/Run/CAA.pm line 69.

I have tried:
- restarting the server
- (force) updating the server to the latest version of WHM
- disabling and enabling AutoSSL on the account
- restarting the DNS server
- running whmapi1 delete_ssl_vhost host=example.com

I can't work out:
- why the main domain would be sending a different certificate to the host domain;
- why dnsadmin would fail to answer the request; or
- why CAA.pm would be getting a string "0"


Any ideas?

 

[cPRex]

Hey there! I see there is an issue with the dnsadmin service so I'm wondering if just restarting that would help this situation. Can you try running the following command to do that?

/scripts/restartsrv_dnsadmin

Let me know if that helps!

 

[tudorh]

Hey there! I see there is an issue with the dnsadmin service so I'm wondering if just restarting that would help this situation. Can you try running the following command to do that?

/scripts/restartsrv_dnsadmin

Let me know if that helps!

Thanks!

Unfortunately not.

[root@example user]# /scripts/restartsrv_dnsadmin
Waiting for “dnsadmin” to restart gracefully ……waiting for “dnsadmin” to initialize ………finished.

Service Status
    dnsadmin (dnsadmin - dormant mode) is running as root with PID 1143 (systemd+/proc check method).

Startup Log
    Sep 22 15:57:28 host.example.com systemd[1]: Starting cPanel DNS admin service...
    Sep 22 15:57:29 host.example.com restartsrv_dnsadmin[1143]: Starting PID 1143: dnsadmin-dormant
    Sep 22 15:57:30 host.example.com systemd[1]: Started cPanel DNS admin service.

dnsadmin restarted successfully.
[root@example user]# /usr/local/cpanel/bin/autossl_check --user=example
AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “example”’s domains …
    Analyzing “demo.preview.example.com” (website) …
        TLS Status: Ready for Renewal
        Certificate expiry: 9/27/21, 12:00 AM UTC (4.12 days from now)
    Analyzing “example.com” (website) …
        TLS Status: Defective
        Defect: NO_SSL: No SSL certificate is installed.
    Attempting to ensure the existence of necessary CAA records …
        get_zones_for_domains(): dnsadmin failed to answer a request that it accepted. at /usr/local/cpanel/Cpanel/DnsUtils/AskDnsAdmin.pm line 130.
Failed to begin “example”’s DCV: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/local/cpanel/Cpanel/SSL/Auto/Run/CAA.pm line 69.

I believe that's just the same as be restarting the DNS server, no?

 

[tudorh]

I've lodged a support ticket: 94365493

 

[tudorh]

The issue turned out to be caused by the DNS Zone not being able to be generated into the /var/named/example.com.db file.

I reset the DNS Zone using the account's CPanel -> Zone editor -> Action -> Reset DNS Zone (but this wiped all our additions to the DNS Zone, of course).

This allowed the zone file to be recreated and for AutoSSL to renew the domain.

However, then the wrong certficate was being presented. Instead of the certificate for example.com, it presented the certificate for subdomain.example.com. I noticed that, although example.com was the "main domain", the subdomain was listed first.

Deleting the subdomain corrected this issue.

The technician suggested that this started around the same time as the recent upgrade.

I therefore speculate that the issue was caused by the script presuming that the main domain was the first domain in the Zone Manager. Since the subdomain was listed first, it could have confused the script from a mismatch and declared there to be no domains in the zone during the recent upgrade.

 

[cPRex]

I'm glad our team was able to help track that down!