Autossl won't update certs

[jndawson]

We discovered a domain that had expired autossl comodo certs installed, but they didn't update when expired a couple of weeks ago. There's nothing in the pending queue, even after trying to run autossl on the account. We tried via both the whm and cpanel interfaces, but keep getting the same error, even after completely removing all related certs from the domain. Error message:

Checking websites for “userdomain” …
11:29:56 AM Analyzing “dev.userdomain.tld” …
11:29:56 AM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
11:29:56 AM Analyzing “newsite.userdomain.tld” …
11:29:56 AM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
11:29:56 AM Analyzing “userdomain.tld” …
11:29:56 AM User-excluded domain: 1 (autodiscover.userdomain.tld)
ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.

We also noted year-old certs in the /var/cpanel/ssl/installed/certs directory that we removedbut had no effect on the results.

 

[GOT]

Normally when we see this, the first thing to check is that here is nothing in the .htaccess of the site preventing the verification of the cert.
This is the directory where it puts a validation file:
public_html/.well-known/pki-validation/

You could try creating a txt file there and see if you can access it in a browser:
"domain.com/.well-known/pki-validation/test.txt"

Sometimes items in there prevent the verification server from seeing the validation file that gets placed there.

Also do you see any errors when running this in SSH:
/usr/local/cpanel/bin/autossl_check_cpstore_queue --force

Also you should make sure that the domain is correctly pointed to your server. I would verify the DNS and Nameservers for that domain are correct.

 

[jndawson]

Normally when we see this, the first thing to check is that here is nothing in the .htaccess of the site preventing the verification of the cert.

Checked; nope, nothing changed as far as we can tell. Tried removing .htaccess and running autossl already; same errors.

This is the directory where it puts a validation file:
public_html/.well-known/pki-validation/

Since we deleted all of the expired certs, there is nothing in any of the pki-validation directories, which we confirmed after running autossl and getting the errors.

You could try creating a txt file there and see if you can access it in a browser:
"domain.com/.well-known/pki-validation/test.txt"

Sometimes items in there prevent the verification server from seeing the validation file that gets placed there.

Displays nicely; Site's been working fine for years, so didn't expect any issues.

Also do you see any errors when running this in SSH:
/usr/local/cpanel/bin/autossl_check_cpstore_queue --force

Nope. One of the first things we checked.

Also you should make sure that the domain is correctly pointed to your server. I would verify the DNS and Nameservers for that domain are correct.

Site's been working for years, this is an auto-renewal of autossl that didn't work, and then manual renewal, which also isn't working.

 

[jndawson]

We opened a ticket: 10544677

 

[cPanelLauren]

Hi @jndawson

Thanks for noting the Ticket ID I took a look at it and it appears that the issue was found to be a combination of things. First a redirect on the affected domain was keeping the DCV from completing (Comodo does not follow redirects) and second it seems the DNS zone file was missing for the account. Once those two items were reconciled the DCV check was able to complete as expected.

Thanks!