Pending Publication [CPANEL-30418] SSL for DNSOnly Server

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,366
799
263
Houston
Hi @ImperialTrader

My apologies, I missed your last response. I was able to replicate the apache error on a standalone DNSOnly server.

Looking at the case that enabled support for this, there are detailed test instructions, and the portion relevant to your case is as follows:

  1. Enable DNS clustering (in WHM or via CLI WHM API) on all servers
  2. Generate an API key/token on each DNSONLY server
  3. Via your (full license) cPanel&WHM server, add a trust relationship to each DNSONLY server, using the API key/token from your DNSONLY server, and set to Synchronize
  4. Synchronize DNS zones to your DNSONLY servers
  5. Sanity Check: Your DNSONLY server hostname(s) should resolve in DNS. If not, verify the accuracy of steps and actions performed. Make certain your server hostname(s) resolve in DNS to the appropriate IPv4/IPv6 address(es). If the hostnames do not resolve, you can expect failure.
  6. Via CLI/SSH on each DNSONLY server, execute the following:

     /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose

  7. In v84 DNSONLY you should see the "DNS DCV preflight check" result in success
  8. In v84 DNSONLY you may see, and should be able to safely ignore, a one-time warning that the "Apache TLS index database" does not yet exist after a new installation.

Can you run through these steps and ensure everything is configured as indicated here?
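An offline pre-flight that encodes the sanity check in step 5 and the nameserver caveat that comes up later in this thread (the hostname must resolve to the server's own address, and DNS DCV can only write its record into a zone whose authoritative NS are inside the cluster). This is an added example, not cPanel's code and not part of checkallsslcerts; the record sets, IPs and nameserver names are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class Preflight:
    ok: bool
    findings: list = field(default_factory=list)

def dnsonly_preflight(hostname, records, server_ips, cluster_ns):
    """Offline check of the thread's DNS conditions (added example, not cPanel code).
    records:    constructed {"A": [...], "AAAA": [...], "NS": [...]} for the zone
    server_ips: addresses configured on this DNSOnly server (step 5)
    cluster_ns: nameserver hostnames the cPanel DNS cluster can write to
    """
    findings = []
    resolved = {ip_address(a) for a in records.get("A", []) + records.get("AAAA", [])}
    mine = {ip_address(a) for a in server_ips}
    if not resolved:
        findings.append(f"{hostname} has no A/AAAA record: expect failure (step 5)")
    elif not resolved & mine:
        findings.append(f"{hostname} resolves to {sorted(map(str, resolved))}, "
                        "none of which is this server's IP")
    # DNS DCV writes a record into the zone; that only works when the zone's
    # authoritative NS are inside the cluster, not at an outside provider.
    ns = {n.rstrip(".").lower() for n in records.get("NS", [])}
    cluster = {n.rstrip(".").lower() for n in cluster_ns}
    if not ns:
        findings.append("no NS records found for the zone")
    elif not ns & cluster:
        findings.append(f"NS {sorted(ns)} are outside the DNS cluster: "
                        "DNS DCV cannot be satisfied from this server")
    ok = not findings
    if ok:
        findings.append("DNS DCV preflight conditions look satisfiable")
    return Preflight(ok, findings)

# Constructed samples: the thread's situation (A record present, NS at an
# outside provider) next to a zone served by the cluster's own nameservers.
CLUSTER_NS = ["ns1.example.net", "ns2.example.net"]
OUTSIDE_HOSTED = {"A": ["203.0.113.10"],
                  "NS": ["ns-1.outside-dns.example.", "ns-2.outside-dns.example."]}
CLUSTER_HOSTED = {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"],
                  "NS": ["ns1.example.net.", "ns2.example.net."]}

if __name__ == "__main__":
    for label, recs in (("outside", OUTSIDE_HOSTED), ("cluster", CLUSTER_HOSTED)):
        r = dnsonly_preflight("dns1.example.net", recs, ["203.0.113.10"], CLUSTER_NS)
        print(label, "OK" if r.ok else "FAIL", *r.findings, sep="\n  ")
```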





 

ImperialTrader

Well-Known Member
Aug 31, 2014
144
16
18
Egypt
cPanel Access Level
Root Administrator
I already have all these steps done except point 3: in my (full license) WHM server, I added a trust relationship to my DNSONLY server using the API from the DNSONLY server, but set to (Write-Only), and in the DNSONLY server I added a trust relationship to all my other (full license) servers as (Standalone).

But just for now, I changed both servers to (Synchronize) to each other and ran the command

    /usr/local/cpanel/bin/checkallsslcerts --allow-retry --verbose

Find the attached screenshot with the output.
 


cPanelLauren

Hello,


The issue is that the DNS DCV is not completed. You can check for the DNS record yourself as well (or for any of them, for that matter); I only see an A record, and NS that point to AWS. It would seem that this may not be possible if you're hosting DNS outside the server.

The HTTPS DCV preflight check is expected to fail on DNSOnly (IMO it shouldn't even be attempted to run which I'm going to open an improvement case for) because apache is not needed on those systems and is disabled.
 

ImperialTrader

Yes, my server is in AWS and I'm using Route53 for DNS Management.
And what is the solution now? :)
 

cPanelLauren

I don't believe you'd be able to use the free certificate. I need to confirm this tomorrow, but as far as I can tell without http dcv and remotely hosted ns there'd be no way to perform the DCV check.

I'll update here with my findings, tomorrow. If you do end up needing to purchase a certificate, you'll want to make sure that cpsrvd can restart without issues.
 

ImperialTrader

Ok, I'm waiting for you, and I'm ready to purchase the SSL now!
 

cPanelLauren

Hi @ImperialTrader

I'm discussing this with the team that implemented this feature and they're asking if you would please open a ticket with us so they can investigate the issue further and hopefully get you a resolution for this. I did find an open case about HTTP DCV failing on DNSOnly - CPANEL-30418 but that only addresses part of the issue. If you do open the ticket with us please update here with the ticket ID so I can update the ticket as well as the team.

Thanks!
 

ImperialTrader

I created a ticket.
The Support Ticket ID is: 93443506
 

cPanelLauren

They have informed me that this issue will be solved on version 86.
I'm gonna wait for this version, no problem.
Hi @ImperialTrader, also, despite the support team not mentioning it, I spoke to the team responsible for the SSLs for DNSOnly and they let me know they were able to get the information they needed from you opening the ticket as well.
I'm sorry for all the confusion; it was an unusual ask, as we already were aware of what was going on with your server, but the team needed a bit more data and I appreciate your patience.

Looking at the case today, it looks like the data they got from your server allowed them to finalize the resolution for the issue :)

v86 should be put to RELEASE this week or at the latest next.
 

ImperialTrader

Yea, that's awesome :)