AutoSSL: WARN Local HTTP DCV error" -- Using my own DNS Server and we don't want those cPanel subdomains defined. Workaround?

[vicos]

We use our own DNS server and we do not want all of those cPanel specified subdomains defined, like cpcontacts, webdisk, and so on. Mainly since we don't use those features and for security purposes.

Of course, this causes AutoSSL to issue the "WARN Local HTTP DCV error" at renewal time. The problem is that with the warnings, it won't renew the certificate until the last day when it expires and with occasional hangups at Sectigo, there have been times when the certificate lapsed.

Other than purchasing our own certs, is there a way to tell cPanel that we don't want those subdomains defined so that it never comes up with the AutoSSL check?

 

[cPRex]

Hey there! The best way would be to disable the service subdomains in WHM so they are not created on future accounts:

https://support.cpanel.net/hc/en-us/articles/360061001573-What-are-Service-Subdomains-

You would need to manually remove existing DNS records that are causing confusion, but if you have that turned off future zones will not get created with them.

Let me know if that helps!

 

[vicos]

Thank you @cPRex for such a quik response.

Just so I understand fully, is the AutoSSL renew process verifying all possible service domains, ---or--- is it checking the local DNS records for all A records defined for that subdomain? If the former, then will disabling service domains in WHM stop future DCV?

The reason I ask is because I checked 1 account using the cPanel Zone editor and the only record in there is an MX for the subdomain.

 

[cPRex]

AutoSSL will attempt to verify any domains that exist on the server side. I actually mis-spoke in my last reply when I said you would want to remove the DNS records - you would actually want to remove those domains from Apache so they don't get scanned into AutoSSL at all.

 

[vicos]

remove those domains from Apache

@cPRex How do I do that?

 

[cPRex]

Disabling the Service Subdomains option in WHM >> Tweak Settings will take care of that.

 

[vicos]

Disabling the Service Subdomains option in WHM >> Tweak Settings

1 last question (I promise). After disabling the Service Subdomains, do you know if AutoSSL will force new certs to be generated or will the existing ones just ride until they expire?

 

[cPRex]

No worries at all! Questions are why I'm here!

Once that is disabled, AutoSSL will continue to try to renew certificates. If the current certificate covers domains that you're no longer using, you may get a warning similar to this:

Potential reduced AutoSSL coverage notification

Symptoms You will receive a notification like the following. domain.tld: AutoSSL would normally renew this certificate now, but X of the website’s secured domains just failed DCV. To provide you wi...

support.cpanel.net

which just lets you know that the new certificate doesn't cover everything the old one did.

The existing SSLs on the machine will stay in place until they come up for renewal. Simply disabling the service subdomains does not force the SSLs to expire.

 

[vicos]

I need to transfer a domain from another cPanel server where Service Subdomains are enabled to a server where they are not. Is the transfer program smart enough to detect this and make sure the subdomains don't get inserted into Apache config? Running 100.0.9 on the new server and 76.0 on the old server.

 

[cPRex]

When the cPanel versions are that far apart, I'm not sure. In general, we don't transfer the DNS zones as they get recreated on the Destination machine using the correct IP addresses and settings on that machine. I'd expect this to work in modern versions, but the only advice I have coming from version 76 would be to try it and see how it behaves.

 

[vicos]

OK, thank you. I think I will move the domain first, then switch off the service domains on the server.