AutoSSL: WARN Local HTTP DCV error" -- Using my own DNS Server and we don't want those cPanel subdomains defined. Workaround?

vicos

Well-Known Member
Apr 18, 2003
89
4
158
We use our own DNS server and we do not want all of those cPanel specified subdomains defined, like cpcontacts, webdisk, and so on. Mainly since we don't use those features and for security purposes.

Of course, this causes AutoSSL to issue the "WARN Local HTTP DCV error" at renewal time. The problem is that with the warnings, it won't renew the certificate until the last day when it expires and with occasional hangups at Sectigo, there have been times when the certificate lapsed.

Other than purchasing our own certs, is there a way to tell cPanel that we don't want those subdomains defined so that it never comes up with the AutoSSL check?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,430
1,634
363
cPanel Access Level
Root Administrator

vicos

Well-Known Member
Apr 18, 2003
89
4
158
Thank you @cPRex for such a quik response.

Just so I understand fully, is the AutoSSL renew process verifying all possible service domains, ---or--- is it checking the local DNS records for all A records defined for that subdomain? If the former, then will disabling service domains in WHM stop future DCV?

The reason I ask is because I checked 1 account using the cPanel Zone editor and the only record in there is an MX for the subdomain.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,430
1,634
363
cPanel Access Level
Root Administrator
AutoSSL will attempt to verify any domains that exist on the server side. I actually mis-spoke in my last reply when I said you would want to remove the DNS records - you would actually want to remove those domains from Apache so they don't get scanned into AutoSSL at all.
 

vicos

Well-Known Member
Apr 18, 2003
89
4
158
Disabling the Service Subdomains option in WHM >> Tweak Settings
1 last question (I promise). After disabling the Service Subdomains, do you know if AutoSSL will force new certs to be generated or will the existing ones just ride until they expire?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,430
1,634
363
cPanel Access Level
Root Administrator
No worries at all! Questions are why I'm here!

Once that is disabled, AutoSSL will continue to try to renew certificates. If the current certificate covers domains that you're no longer using, you may get a warning similar to this:


which just lets you know that the new certificate doesn't cover everything the old one did.

The existing SSLs on the machine will stay in place until they come up for renewal. Simply disabling the service subdomains does not force the SSLs to expire.
 

vicos

Well-Known Member
Apr 18, 2003
89
4
158
I need to transfer a domain from another cPanel server where Service Subdomains are enabled to a server where they are not. Is the transfer program smart enough to detect this and make sure the subdomains don't get inserted into Apache config? Running 100.0.9 on the new server and 76.0 on the old server.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,430
1,634
363
cPanel Access Level
Root Administrator
When the cPanel versions are that far apart, I'm not sure. In general, we don't transfer the DNS zones as they get recreated on the Destination machine using the correct IP addresses and settings on that machine. I'd expect this to work in modern versions, but the only advice I have coming from version 76 would be to try it and see how it behaves.
 

vicos

Well-Known Member
Apr 18, 2003
89
4
158
OK, thank you. I think I will move the domain first, then switch off the service domains on the server.
 
  • Like
Reactions: cPRex