DCV challenge failure because of remote nameserver

Operating System & Version
Centos 7
cPanel & WHM Version
v86.0.18

Major Tom

Member
Apr 25, 2005
10
1
151
Since a cPanel update I am receiving the AutoSSL error:

NS DCV: The DNS query to “_cpanel-dcv-test-record.mydomain” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=5sdsdfasdfYz6qCvsZkn5nN24y0HuUpb5fOqqadsr53qn9fe53ghU8WwQHbO6z3”.; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.

This is because my name server just for this domain is remote and I cannot cluster it; it is an outside service (dnsmadeasy). So even when I try manually adding the TXT record with the code it is too late.

I searched the forum but could not find a solution for this. Is this failure the indication of another kind of problem? Should autossl fall back to another kind of authentication method and can I force it to? Or must I abandon Autossl?

Any pointers much appreciated.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hello,

We use two methods for DCV - a DNS DCV check and an HTTP DCV check. If the DNS DCV fails because DNS is remote, then HTTP DCV is performed. What is the output of the HTTP DCV check? I just see:

HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.

If you do have a redirect implemented for the domain (including forced https) you'd need to implement an exception to allow the HTTP DCV check to complete.
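
The redirect condition described in this reply can be checked before rerunning AutoSSL by requesting the validation path over plain HTTP without following redirects. The following is an added example, not part of the original post or cPanel's own code; the local stand-in server, the hostname `cloud.example.test` and the file name `CONSTRUCTED.txt` are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DCV_PREFIXES = ("/.well-known/pki-validation/", "/.well-known/acme-challenge/")

def check_dcv_path(host, port, path, vhost=None):
    """GET path over plain HTTP without following redirects and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": vhost or host})
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    # Any 3xx here is what the thread's "forbids DCV HTTP redirections" error reports.
    verdict = "redirect" if 300 <= status < 400 else "ok" if status == 200 else "error"
    return {"status": status, "location": location, "verdict": verdict}

def make_handler(exempt_dcv):
    """Constructed stand-in for a vhost that forces HTTPS, with or without a DCV exception."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if exempt_dcv and self.path.startswith(DCV_PREFIXES):
                body = b"constructed-dcv-token\n"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(301)
                self.send_header("Location", f"https://{self.headers['Host']}{self.path}")
                self.send_header("Content-Length", "0")
                self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def run_demo(exempt_dcv, path="/.well-known/pki-validation/CONSTRUCTED.txt"):
    """Start the stand-in server on a free local port and probe one path."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(exempt_dcv))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_dcv_path("127.0.0.1", server.server_port, path, "cloud.example.test")
    finally:
        server.shutdown()
        server.server_close()
```

Against a real host, call `check_dcv_path` with the server's IP, port 80 and the failing subdomain as `vhost`; a `redirect` verdict on a path under `/.well-known/pki-validation/` means the HTTPS redirect still has no working exception.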
 

Major Tom

Thank you Lauren,
Indeed therein lies the problem, however the https is forced somewhere within the owncloud installation files on that subdomain that is failing the validation.

I tried disabling the .htaccess and rerunning autossl but I get the same problem. Yet when enabled the .htaccess does appear to try to cater for the pki folder but it fails all the same:

Here is the relevant part of the .htaccess
Code:
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
(the .well-known folder, and under it, are correctly owned by the reseller account and other subdomains on that domain are similar and have no problems)

As it still fails, is there likely something I have to place in the owncloud configuration files and take it up with them or by any chance have you come across this before?
 

Major Tom

Having examined previous logs it is clear that the problem was introduced by a server update. So the rewrite rules to exclude the redirection for this subdomain are fine because nothing at all has changed since then. It follows that the server update has introduced an autossl problem. I have now changed the dns so that the subdomain is a separate zone in the actual cpanel nameserver on the box with full authority. And yet, as I said, not only is the http test failing for no reason (as logs show it worked fine before as all other subdomains for the same domain still do), but also the dns-based challenge fails even though the subdomain is now recognised as being controlled by the local nameserver. What have you changed? And how do I change it back?
 

cPanelLauren

Forced redirections to https without an exception included for them have never been able to complete. There haven't been any changes to the exceptions added in the htaccess in any of the last 5 releases:

I'd suggest you open a ticket so that the issue can be investigated further.
 

Major Tom

Thank you Lauren, the issue is a bit of a mystery then. Not having the time now to deal with the matter, for the time being I momentarily set the nameserver on the machine to be authoritative for the zone temporarily and passed the test. That gives me 90 days to find time to look into it.
 