SOLVED [CPANEL-23803] AutoSSL "No document root exists for the domain" errors since whm v76

[krispilo]

Since one of our servers upgraded to v76, we're getting errors on renewing certificates for domains which worked fine via AutoSSL before. The local DCV checks work fine but the HTTP DCV Comodo verification fail with a strange message about the document root, it then tries a DNS DCV check but because the DNS isn't managed for the domain by cpanel this also fails.

These are the errors (I've replaced the actual domain name as it belongs to a customer)

WARN Comodo HTTP DCV verification failure (www.exampledomain.co.uk): (XID nvyqnu) No document root exists for the domain “co.uk”, and there are no parent domains of “co.uk” that have document roots.
WARN AutoSSL will attempt a DNS-based DCV for “www.exampledomain.co.uk”.
3:56:25 PM WARN Comodo DNS DCV verification failure: wwwexampledomain.co.uk
WARN AutoSSL will attempt a DNS-based DCV for “exampledomain.co.uk”.
WARN AutoSSL cannot secure “www.exampledomain.co.uk”.
WARN AutoSSL cannot secure “exampledomain.co.uk”.

Does anyone know what the document root error means?

Has something changed in AutoSSL so it can no longer secure domains where cpanel doesn't directly control the DNS?

This is only happening on v76 servers, our other servers which are still on v74 have no problem securing domains they don't control the DNS for as long as the domain resolves to the server.

 

[Dave Braddock]

Ditto. Same problem! We had to point the NS records directly at the server so it could do a DNS DCV instead:

WARN Comodo HTTP DCV verification failure (exampledomain.co.nz): (XID e4saz8) No document root exists for the domain “co.nz”, and there are no parent domains of “co.nz” that have document roots.
WARN AutoSSL will attempt a DNS-based DCV for “exampledomain.co.nz”.
WARN Comodo HTTP DCV verification failure (www.exampledomain.co.nz): (XID qakdfu) No document root exists for the domain “co.nz”, and there are no parent domains of “co.nz” that have document roots.
WARN AutoSSL will attempt a DNS-based DCV for “www.exampledomain.co.nz”.

CENTOS 7.5 vmware v76.0.5

 

[krispilo]

Thanks Dave, it's good to have this confirmed by someone else. I wonder if it's something to do with the TLD having the co. subdomain, maybe the verification script assumes that the site's domain will always follow the highest level TLD, in which case this is going to cause problems on a lot of sites once the update rolls out.

 

[dcas]

Just adding a 'me to' to this thread. Getting exactly the same warning:

WARN Comodo HTTP DCV verification failure (mydomain.com.au): (XID mkwad8) No document root exists for the domain “com.au”, and there are no parent domains of “com.au” that have document roots.

@Dave Braddock - Can you point me to documentation for doing a DNS based DCV?

 

[ARSA]

Same problem. Read that as of V76 Autossl can only perform DNS validation on internal DNS systems, not external DNS. On one server we have Letsencrypt installed and that renewed certs just fine post V76.

 

[dcas]

I've installed the Let's Encrypt plugin - The Let's Encrypt Plugin - cPanel Knowledge Base - cPanel Documentation and I've been able to get certificates issued for the domain.

 

[cPWilliamL]

Hi,

We apologize for the inconvenience. The issue(CPANEL-23803) has already been corrected in v76.0.6:
76 Change Log - Change Logs - cPanel Documentation

Fixed case CPANEL-23803: Fix cPStore HTTP DCV for subdomains of unowned domains.

Please do feel free to open a ticket with us if you continue to face issues.

Thanks,

 

[dru5412]

Hi,

We apologize for the inconvenience. The issue(CPANEL-23803) has already been corrected in v76.0.6:
76 Change Log - Change Logs - cPanel Documentation


Please do feel free to open a ticket with us if you continue to face issues.

Thanks,

This is causing SIGNIFICANT issues for our customers, is there any indication as to when this release is going to be pushed out?

Can you provide any work around details for the number of domains that now do not have a valid SSL on mail.domain


Thanks

 

[cPanelMichael]

Hello @dru5412,

Version 76.0.6 is currently published to the EDGE and CURRENT release tiers. I'll update this thread as soon as it's published to the RELEASE tier. In the meantime, you can temporarily set your release tier to CURRENT via WHM >> Update Preferences and then perform a cPanel update if you'd like this fix sooner.

Thank you.

 

[dru5412]

Just applied the update, and re-run the auto ssl but still getting same errors


ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
WARN Local HTTP DCV error (removed.co.uk): The system queried for a temporary file at “http://www.removed.co.uk/.well-know...0F8FAFBB.txt/?SID=2vk5bmf2gm1aslkqsb6q1dd1v7”, which was redirected from “http://removed.co.uk/.well-known/pki-validation/14855C0808A5DBC6816096F50F8FAFBB.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “removed.co.uk” resolved to an IP address “1.2.3.4” that does not exist on this server.

 

[dru5412]

Going to raise a ticket now. Thanks

 

[cPanelMichael]

Going to raise a ticket now. Thanks

Hi @dru5412,

Can you post the ticket number here once it's opened? I'll be sure to monitor the ticket and update this thread with the outcome.

Thank you.

 

[krispilo]

Michael,

I've upgraded our server to V76.0.6 and can confirm this has fixed the 'No Document Exists' error against the TLD issue which stopped the HTTP DCV working. A certificate has now successfully been installed. Thanks for getting this sorted.

 

[Dave Braddock]

Just adding a 'me to' to this thread. Getting exactly the same warning:

@Dave Braddock - Can you point me to documentation for doing a DNS based DCV?

Good that you found a workaround. I didn't follow any documentation; I saw that the HTTP validation failed, and the DNS validation also then failed because I guessed (correctly) that the DNS was hosted elsewhere. I copied the DNS, and got the customer to temporarily point the NS records to the server, at which point the DNS validation worked.

 

[Dave Braddock]

Just applied the update, and re-run the auto ssl but still getting same errors


ERROR “cPanel (powered by Comodo)” forbids DCV HTTP redirections.
WARN Local HTTP DCV error (removed.co.uk): The system queried for a temporary file at “http://www.removed.co.uk/.well-know...0F8FAFBB.txt/?SID=2vk5bmf2gm1aslkqsb6q1dd1v7”, which was redirected from “http://removed.co.uk/.well-known/pki-validation/14855C0808A5DBC6816096F50F8FAFBB.txt”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “removed.co.uk” resolved to an IP address “1.2.3.4” that does not exist on this server.

Sounds like you've got other issues - the server is trying to create a hidden text file and then read it from outside, but the domain name looks like it ends up on another server. That's the big drawback with auto SSL - it requires you to effectively make the site live first, and then add the SSL.