SOLVED [CPANEL-30266] AutoSSL did not renew the certificate

marekkn

Registered
Nov 21, 2019
1
0
1
Brisbane, AU
cPanel Access Level
DataCenter Provider
Looks like the issue still exists:
CENTOS 6.10 kvm [lhp201] v84.0.14

Code:
# /usr/local/cpanel/bin/autossl_check --user USERNAME
AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “gardencity”’s domains …
  Analyzing “domain.com” …
    TLS Status: Incomplete
    Certificate expiry: 2/18/20, 12:00 AM UTC (87.88 days from now)
  Attempting to ensure the existence of necessary CAA records …
    No CAA records were created.
  Verifying “cPanel (powered by Sectigo)”’s authorization on domains via DNS CAA records …
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID 8vxbv4) DNS query (www.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID eas2wz) DNS query (mail.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID hn4w48) DNS query (cpanel.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID qpjw5a) DNS query (webdisk.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID sqknkx) DNS query (webmail.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    “cPanel (powered by Sectigo)” is authorized to issue certificates for all domains.
  Performing HTTP DCV (Domain Control Validation) on 9 domains …
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
  No local DNS DCV is necessary.
Processing “USER*”’s local DCV results …
  Analyzing “domain.com”’s DCV results …
    Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
  The system has completed USERNAME AutoSSL check.


# host -t NS domain.com
domain.com name server ns2.aplus.net.
domain.com name server ns1.aplus.net.
# host domain.com ns2.aplus.net.
Using domain server:
Name: ns2.aplus.net.
Address: 2001:1810:4000:4::10#53
Aliases:

domain.com has address 96.126.xxx.xxx
domain.com mail is handled by 100 mx2c40.carrierzone.com.
domain.com mail is handled by 10 mx1c40.carrierzone.com.
domain.com mail is handled by 110 mx3c40.carrierzone.com.
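The log in the post above is worth reading closely: cPanel logs the same failed query under one XID several times (b3ks7x appears six times for a single CAA lookup of the apex), and it contains two different failure kinds, a query that got no reply at all (timeout) and a query the resolver answered with SERVFAIL (rcode 2). As an added example (my own code, not cPanel's and not from any poster in this thread), here is a small parser that extracts each failed query once per XID from autossl_check output and groups the failures by kind. The sample log embedded in it is constructed from the redacted lines in this thread, including the empty-name "(/NS) timeout!" form that a later post shows.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the redacted autossl_check and DCV lines posted in this thread.
SAMPLE_LOG = """\
Analyzing “domain.com” …
    TLS Status: Incomplete
  Verifying “cPanel (powered by Sectigo)”’s authorization on domains via DNS CAA records …
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID 8vxbv4) DNS query (www.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
  Performing HTTP DCV (Domain Control Validation) on 9 domains …
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
    The system failed to determine whether “domain.com” is a registered domain because of a DNS error: (XID mtgtnb) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “domain.com”’s “NS” records.
DNS DCV: The system failed to determine whether “st” is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout!; HTTP DCV: The system failed to determine whether “st” is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout!
    Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
"""

# A query that never got a reply. The name may be empty, as in "(/NS) timeout!".
TIMEOUT_RE = re.compile(r"\(XID (?P<xid>\w+)\) DNS query \((?P<name>[^/)]*)/(?P<rtype>[A-Z]+)\) timeout!")
# A query the resolver did answer, with a non-zero rcode such as SERVFAIL (code 2).
RCODE_RE = re.compile(r"\(XID (?P<xid>\w+)\) DNS returned “(?P<rcode>[A-Z]+)” \(code (?P<code>\d+)\) "
                      r"in response to the system’s query for “(?P<name>[^”]*)”’s “(?P<rtype>[A-Z]+)” records")
IMPEDIMENT_RE = re.compile(r"Impediment: (?P<code>[A-Z_]+): (?P<text>.+)")


def parse_autossl_log(text):
    """Return ({xid: {name, rtype, kind}}, [impediment codes]) for one autossl_check run.

    Keying on the XID collapses the repeated log lines for a single failed query.
    """
    failures = {}
    impediments = []
    for line in text.splitlines():
        for m in TIMEOUT_RE.finditer(line):
            failures[m["xid"]] = {"name": m["name"], "rtype": m["rtype"], "kind": "timeout"}
        for m in RCODE_RE.finditer(line):
            failures[m["xid"]] = {"name": m["name"], "rtype": m["rtype"], "kind": m["rcode"]}
        m = IMPEDIMENT_RE.search(line)
        if m and m["code"] not in impediments:
            impediments.append(m["code"])
    return failures, impediments


def diagnose(failures):
    """Group failed names by kind and attach the reading this thread converged on."""
    by_kind = defaultdict(set)
    for f in failures.values():
        by_kind[f["kind"]].add(f["name"])
    hints = []
    if "timeout" in by_kind:
        hints.append("timeout: no reply at all, so UDP/TCP 53 from this host to the servers the resolver "
                     "chose is being dropped (firewall, or NAT that does not hairpin the host's own public IP)")
    if "SERVFAIL" in by_kind:
        hints.append("SERVFAIL: the resolver gave up on recursion; check the same outbound path before "
                     "suspecting the zone itself")
    return {k: sorted(v) for k, v in by_kind.items()}, hints


if __name__ == "__main__":
    fails, imps = parse_autossl_log(SAMPLE_LOG)
    for xid, f in fails.items():
        print("%s: %s/%s -> %s" % (xid, f["name"] or "<empty name>", f["rtype"], f["kind"]))
    print("impediments:", imps)
    kinds, hints = diagnose(fails)
    for h in hints:
        print("hint:", h)
```

Run it against a real `/usr/local/cpanel/bin/autossl_check --user USER` capture by reading the file into `parse_autossl_log`; the point of the grouping is that a pile of timeouts on CAA lookups is one network-path problem, not one problem per subdomain.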
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
So I do want to clarify that this issue can occur when there is a misconfiguration on the system as well as due to the case. At this point (and based on the testing I've seen) I'd wager that those of you still experiencing an issue are suffering from some form of configuration issue.

We have an API call available that forces some of the DNS workarounds to get past these issues. Can you please do the following:

Code:
whmapi1 set_up_dns_resolver_workarounds
Then, if the output is "OK", re-run AutoSSL and let me know the result.

If that doesn't work, can those of you who are still experiencing issues please run the following for me?


Using one of the domains on the server that is failing DCV:

Code:
/scripts/cpdig $domain.com A --verbose
Code:
for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
Code:
for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short $domain.com @$gtld.gtld-servers.net; done
Code:
/usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' $domain.com
Any domain name that needs to be updated to your domain starts with $domain.com. When you paste the results, please remove any actual identifying information, including IP addresses and domain names.


Thanks!
 
Last edited:
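The root-server and gTLD loops in the post above query those servers directly, which is what a full resolver such as unbound does on every lookup: it walks down from the root rather than forwarding to the nameservers in /etc/resolv.conf, so the host needs UDP and TCP 53 open to arbitrary internet addresses, not just to its provider's resolvers. As an added example (my own code, not cPanel's and not from this thread), the block below builds one such iterative query by hand, sends it over UDP/53, and decodes the reply header so the words in the error strings above map to header bits: "timeout" is no reply, "SERVFAIL" is rcode 2, and a healthy root-server reply to an NS question is a referral (no answers, NS records in the authority section). The three root-server addresses, the transaction id and the example.com name are assumptions for the stand-alone run; `probe` needs network access, the encoder and parser do not.

```python
import socket
import struct

QTYPE_A, QTYPE_NS = 1, 2
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Assumption for the stand-alone run: published IPv4 addresses of three root servers.
# Check them against the current root hints file before relying on them.
ROOT_SERVERS = {
    "a.root-servers.net": "198.41.0.4",
    "b.root-servers.net": "199.9.14.201",
    "c.root-servers.net": "192.33.4.12",
}


def encode_name(name):
    """Dotted hostname -> DNS wire-format labels, e.g. domain.com -> \\x06domain\\x03com\\x00."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r in %r" % (label, name))
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name, qtype, txid=0x1234):
    """One question, flags 0 (RD clear): the iterative query a full resolver sends to root/TLD servers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qdcount, ancount, nscount, arcount
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, qclass IN


def parse_header(packet):
    """Decode the 12-byte header; rcode 2 is the SERVFAIL reported in the autossl_check log."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet (%d bytes)" % len(packet))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "answers": an, "authority": ns, "additional": ar,
    }


def classify(header):
    """A root server answers an NS question for a .com name with a referral: no answers, NS records in authority."""
    if header["rcode"] != "NOERROR":
        return header["rcode"]
    if header["answers"] == 0 and header["authority"] > 0:
        return "referral"
    if header["answers"] == 0:
        return "empty"
    return "answer"


def probe(server_ip, name, qtype=QTYPE_NS, timeout=3.0, txid=0x1234):
    """Send one query over UDP/53 and report what came back; 'timeout' is the symptom of a dropped path."""
    pkt = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(pkt, (server_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    hdr = parse_header(data)
    if not hdr["is_response"] or hdr["txid"] != txid:
        return "unexpected-packet"  # not a reply to our question; treat it like no reply
    return classify(hdr)


if __name__ == "__main__":
    # example.com stands in for the poster's redacted domain.com.
    for host, ip in ROOT_SERVERS.items():
        print("%-22s %-14s %s" % (host, ip, probe(ip, "example.com")))
```

On a correctly reachable host every root server prints `referral`; a host with the firewall or hairpin-NAT problem discussed later in this thread prints `timeout`, which is the same outcome the `dig ... @a.root-servers.net` loop shows as "connection timed out; no servers could be reached".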

Arshad Hussain

Registered
Jan 10, 2019
4
0
1
Kolkata
cPanel Access Level
Root Administrator
I ran the command and got the following error:

Code:
# whmapi1 set_up_dns_resolver_workarounds
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_IN.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_IN.UTF-8").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_IN.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_IN.UTF-8").
---
data:
  flags: {}

metadata:
  command: set_up_dns_resolver_workarounds
  reason: OK
  result: 1
  version: 1
Please see that the result is OK, but it didn't fix the issue.

Regards,
Arshad
 

alibaba4567

Member
Jun 22, 2018
6
0
1
Spain
cPanel Access Level
Root Administrator
here are my results:

Code:
# whmapi1 set_up_dns_resolver_workarounds
---
data:
  flags: {}

metadata:
  command: set_up_dns_resolver_workarounds
  reason: OK
  result: 1
  version: 1
Code:
# for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
a.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 a.root-servers.net @a.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

b.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 b.root-servers.net @b.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

c.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 c.root-servers.net @c.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

d.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 d.root-servers.net @d.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

e.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 e.root-servers.net @e.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

f.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 f.root-servers.net @f.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

g.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 g.root-servers.net @g.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

h.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 h.root-servers.net @h.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

i.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 i.root-servers.net @i.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

j.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 j.root-servers.net @j.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

k.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 k.root-servers.net @k.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

l.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 l.root-servers.net @l.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached

m.root-servers.net:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 m.root-servers.net @m.root-servers.net +short
;; global options: +cmd
;; connection timed out; no servers could be reached
Code:
# for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short **.com @$gtld.gtld-servers.net; done
Trying a.gtld-servers.net
A ... from server ... in 0 ms.
Trying b.gtld-servers.net
A ... from server ... in 0 ms.
Trying c.gtld-servers.net
A ... from server ... in 0 ms.
Trying d.gtld-servers.net
A ... from server ... in 0 ms.
Trying e.gtld-servers.net
A ... from server ... in 0 ms.
Trying f.gtld-servers.net
A ... from server ... in 0 ms.
Trying g.gtld-servers.net
A ... from server ... in 0 ms.
Trying h.gtld-servers.net
A ... from server ... in 0 ms.
Trying i.gtld-servers.net
A ... from server ... in 0 ms.
Trying j.gtld-servers.net
A ... from server ... in 0 ms.
Trying k.gtld-servers.net
A ... from server ... in 0 ms.
Trying l.gtld-servers.net
A ... from server ... in 0 ms.
Trying m.gtld-servers.net
A ... from server ... in 0 ms.
Code:
# /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' $**.com
warn [-e] DNS query failure (.com/A): DNS::Unbound::X::ResolveError: DNS query resolution failure
        ==> X::Tiny::create('DNS::Unbound::X', 'ResolveError', 'number', '-3', 'string', 'syntax error') (called in /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm at line 181)
        ==> DNS::Unbound::_create_resolve_error('-3') (called in /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm at line 467)
        ==> DNS::Unbound::_check_promises(DNS::Unbound=HASH(0x1e64430)) (called in /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm at line 442)
        ==> DNS::Unbound::process(DNS::Unbound=HASH(0x1e64430)) (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 515)
        ==> Cpanel::DNS::Unbound::_poll_for_queries(Cpanel::DNS::Unbound=HASH(0x1e77f88), ARRAY(0x1fc0600)) (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 502)
        ==> Cpanel::DNS::Unbound::recursive_queries(Cpanel::DNS::Unbound=HASH(0x1e77f88), ARRAY(0x20055a0)) (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 359)
        ==> Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0x1e77f88), '.com', 'A') (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 427)
        ==> (eval)(Cpanel::DNS::Unbound=HASH(0x1e77f88), '.com', 'A') (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 427)
        ==> Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0x1e77f88), '.com', 'A') (called in /usr/local/cpanel/Cpanel/DnsRoots.pm at line 82)
        ==> Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0x1fd4b20), '.com') (called in -e at line 1)
        ...propagated at /usr/local/cpanel/Cpanel/DNS/Unbound.pm, line 378

# /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' ****.com
warn [-e] DNS query failure (****.com/A): Cpanel::Exception::Timeout/(XID jg2hpm) DNS query (****.com/A) timeout!
at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 374.
        Cpanel::DNS::Unbound::_die_if_query_failed(HASH(0xa9ba40)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 363
        Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0x93ef78), "****.com", "A") called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 427
        eval {...} called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 427
        Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0x93ef78), "****.com", "A") called at /usr/local/cpanel/Cpanel/DnsRoots.pm line 82
        Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0x9fe8b8), "****.com") called at -e line 1
 
Last edited by a moderator:

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
I believe your issue has been investigated in Ticket ID 13774021; the findings from one of our L3 analysts were identified as:

When someone on the public internet makes a DNS query to port 53 on <YOURPUBLICIP>, it reaches your cPanel server (server1.yourhostname.com). Your server responds authoritatively to DNS queries for the domains on it. However, when this server makes a DNS query to port 53 on <YOURPUBLICIP>, it hits a recursive resolving nameserver on the same local network, running dnsmasq. Whether or not this responds authoritatively seems to depend on what queries have been made to it.
This is a pretty unique issue and not one that is commonly occurring. They provided some steps to resolve the issue as well.

The best fix for this would be to ensure that any outgoing requests from this server (192.168.1.206) to port 53 on <YOURPUBLICIP> get redirected back to port 53 on <YOURPRIVATEIP> This is often called "hairpin" or "loopback" or "reflection" NAT.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
Can you tell me about your IP routing configuration on the server? Are you NAT Routed or no? What's present in /etc/resolv.conf? It's also pretty interesting you can reach the gtld servers but not the root servers.
 

Arshad Hussain

Registered
Jan 10, 2019
4
0
1
Kolkata
cPanel Access Level
Root Administrator
Hi,
Thanks for the reply. But Lauren, I just checked AutoSSL on subdomains/domains and surprisingly I found that AutoSSL for domain1.com got renewed on 23rd Nov 2019. But some of them are still showing the same error. I tried other accounts but it didn't happen again. It also happened once a few days back, which I have reported in email. My question is: if there is any misconfiguration in our iptables, it must not allow AutoSSL for any of our domains/subdomains. Moreover, all the configuration of my servers has been unaltered for a very long time and AutoSSL was working fine on all. I also see many have reported a similar issue on the forum. How could the same issue be faced by many, if the problem is on the server side?
I have even checked iptables with the command iptables -L, but couldn't figure out any issue.
On running the following command, I got this today:
Code:
# whmapi1 set_up_dns_resolver_workarounds
---
data:
  flags: {}

metadata:
  command: set_up_dns_resolver_workarounds
  reason: OK
  result: 1
  version: 1

If you still think the issue is related to iptables, then could you please suggest some links related to this and BAD REFERRAL.

Thanks & Regards,
Arshad
 
Last edited:

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
For your issue, because it's being actively worked in the ticket system and they have access to the server, I'd suggest continuing to work with them to identify/resolve this. That will be the best and most efficient place to get the assistance you need.
 

alibaba4567

Member
Jun 22, 2018
6
0
1
Spain
cPanel Access Level
Root Administrator
Hi Lauren, I have 3 public IPs configured. I am not NAT routed.
My result of /etc/resolv.conf is:
Code:
[root@**** ~]# cat /etc/resolv.conf
search your-server.de
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100
 

alibaba4567

Member
Jun 22, 2018
6
0
1
Spain
cPanel Access Level
Root Administrator
Hello, I have completely deactivated the firewall of my two servers and they have renewed my certificates. I don't understand why, since there should be outward communication. I will check with my server provider.
 

LuisVJatar

Registered
Nov 25, 2019
1
0
1
Barquisimeto Edo Lara
cPanel Access Level
Root Administrator
DNS DCV: The system failed to determine whether “st” is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout!; HTTP DCV: The system failed to determine whether “st” is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout!
I have the ticket number:
13843909 - AutoSSL did not renew the certificate for ...
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
Sounds like a misconfiguration, and the provider should be able to get you pointed in the right direction. I am glad to hear that your certificates were able to be renewed.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
I checked in on this issue and can see that an L2 analyst is going to be addressing it shortly.
 

dc01

Registered
Nov 26, 2019
1
0
1
USA
cPanel Access Level
DataCenter Provider
Hey there,

We're also having timeout problems and are unable to renew expired certs using AutoSSL. cPanel is up to date; we just saw a minor update today to 11.84.0.15, which was applied, but failures are still happening. It seems to be DNS related, and we've been going in circles trying to clear up every possible DNS issue, including setting /etc/resolv.conf with new nameservers and disabling IPv6.
/scripts/cpdig works.
$i.root-servers.net dig loop works.
$gtld.gtld-servers.net dig loop works.
/usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' DOMAIN.TLD fails:


Code:
warn [-e] DNS query failure (DOMAIN.TLD/A): Cpanel::Exception::Timeout/(XID 4ps3c6) DNS query (DOMAIN.TLD/A) timeout!
 at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 376.
        Cpanel::DNS::Unbound::_die_if_query_failed(HASH(0xf28398)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 365
        Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0xb83048), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 429
        eval {...} called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 429
        Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0xb83048), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DnsRoots.pm line 82
        Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0xf28158), "DOMAIN.TLD") called at -e line 1

        (in cleanup)    (in cleanup)  at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm line 536 during global destruction.
Assistance would be appreciated. Thanks!

-dc01.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,421
689
263
Houston
cPanel Access Level
DataCenter Provider
Hello,

We've confirmed internally that the behavior persisting, in this case, is almost always a misconfiguration of the firewall resulting in incorrectly configured hairpinning. For reference on what this is, the wiki may be helpful: Hairpinning - Wikipedia

For some reference you can try the commands I listed earlier in the thread, but ultimately this will need to be resolved locally. We recently switched our DNS resolver to unbound, which is less fault-tolerant than the internal method we were utilizing previously.
 

speedy200man

Member
Feb 20, 2017
9
1
3
Bucharest, Romania
cPanel Access Level
Root Administrator
Same here... ticket ID #470786 (on buycpanel.com)
It seems that the host IP (on vmbr0) cannot return the result from dig to the virtual machine (vmbr1), even though the connections are bridged.
Is there any way I can fix this so the dig resolver would look to the virtual machine's internal LAN IP?

[EDIT] After adding this inside Proxmox, the dig command works from Proxmox to the virtual machine (that's the 10.10.... IP, where .100 is the internal gateway):

Code:
iptables -t nat -A POSTROUTING -o vmbr1 -s 10.10.10.0/24 -d 10.10.10.10 -p udp -m udp --dport 53 -j SNAT --to-source 10.10.10.100
iptables -t nat -A POSTROUTING -o vmbr1 -s 10.10.10.0/24 -d 10.10.10.10 -p tcp -m tcp --dport 53 -j SNAT --to-source 10.10.10.100

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 10.10.10.10:53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 10.10.10.10:53
Now the problem I need to solve is for the dig command to work from inside the virtual machine...
 
Last edited: