Domain has DNS records pointing to server and website is live, yet can't complete DCV.

Lucidity

Member
May 12, 2017
Canada
cPanel Access Level: Root Administrator
I have many domains on my VPS and they are all covered by AutoSSL, yet one won't pass the Domain Control Verification.

The domain is literally live right now to the world, yet when I run AutoSSL it won't issue an SSL for this specific domain.

I have an A Record pointing to my server, which makes the domain live. The MX records are left to what they were before (pointing to G Suite), and there are also some NS (Delegated subdomain name server) records pointing the www version to my two nameservers.

Am I doing something wrong? I figured instead of changing the overall nameservers and then adding MX records back on my end, I would just leave my client's already-configured MX records on their domain registrar's end and just add an A record to point to my server.
 

cPWilliamL

cP Technical Analyst II
Staff member
May 15, 2017
America
cPanel Access Level: Root Administrator
Hi @Lucidity,

Sorry to hear you are having issues with AutoSSL. Have you checked the logs for a specific error? You can view the logs at WHM > Manage AutoSSL > Logs, or you can run the check manually from the command line:
Code:
/usr/local/cpanel/bin/autossl_check --user $username
Thanks,
 

Lucidity

Yes! And I am very confused with the results.

It actually doesn't even list the domain by itself in the logs; it just lists a bunch of subdomains that can't be verified (changed for security reasons):


8:17:15 AM The website “oldsubdomainfortesting.maindomain.com”, owned by “user”, has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT NOT_ALL_DOMAINS). AutoSSL will attempt to replace this certificate.
8:17:16 AM WARN The domain “mail.livedomain.ca” failed domain control validation: “mail.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN The domain “whm.livedomain.ca” failed domain control validation: “whm.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN The domain “cpanel.livedomain.ca” failed domain control validation: “cpanel.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN The domain “webdisk.livedomain.ca” failed domain control validation: “webdisk.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN The domain “webmail.livedomain.ca” failed domain control validation: “webmail.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN AutoSSL will defer the renewal of “oldsubdomainfortesting.maindomain.com”’s certificate because 1 domain (mail.livedomain.ca) that the current certificate secures failed DCV. If AutoSSL renewed the certificate now, that domain would lose SSL coverage. AutoSSL will defer “oldsubdomainfortesting.maindomain.com”’s certificate renewal until 11/11/18, 7:03 PM UTC (3 days before expiry) or until all of “oldsubdomainfortesting.maindomain.com”’s currently secured domains pass DCV. at bin/autossl_check.pl line 500, <DATA> line 1.
So I am just all-around confused.

The website “oldsubdomainfortesting.maindomain.com” redirects to "livedomain.ca", and that website is currently live right now on my server, public, with no SSL certificate :(
 

cPWilliamL

The AutoSSL functions resolve the domain using the root DNS servers, so if you are blocking or filtering these, then this could be the cause. Does a 'dig $domain +trace' complete properly? Also, feel welcome to open a ticket with us and we will perform some advanced debugging with the resolver module.
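
The triage described in this thread (read the AutoSSL log, then trace each failing name from the root servers), sketched as an added example that is not part of the original posts or cPanel's own tooling. The function names are hypothetical, and SAMPLE_LOG is constructed from the log lines quoted above:

```shell
#!/bin/sh
# Added example: triage AutoSSL DCV failures from log text.
# SAMPLE_LOG is constructed from the log lines quoted in this thread.
SAMPLE_LOG='8:17:16 AM WARN The domain “mail.livedomain.ca” failed domain control validation: “mail.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN The domain “whm.livedomain.ca” failed domain control validation: “whm.livedomain.ca” does not resolve to any IPv4 addresses on the internet.
8:17:16 AM WARN AutoSSL will defer the renewal of “oldsubdomainfortesting.maindomain.com”’s certificate because 1 domain (mail.livedomain.ca) that the current certificate secures failed DCV.'

# Print each domain that failed DCV once, one per line (log text on stdin).
# Fields are split on the curly quotes the AutoSSL log puts around names.
dcv_failed_domains() {
    awk -F'“|”' '/failed domain control validation/ && !seen[$2]++ { print $2 }'
}

# Print "certificate<TAB>blocking domain(s)" for each renewal AutoSSL deferred.
dcv_deferred_certs() {
    awk -F'“|”' '/will defer the renewal of/ {
        blocker = $0
        sub(/^[^(]*\(/, "", blocker)   # drop everything up to the first "("
        sub(/\).*$/, "", blocker)      # drop everything from the first ")"
        printf "%s\t%s\n", $2, blocker
    }'
}

# For each name on stdin, resolve from the root servers down (dig +trace, as
# suggested in the reply above) and report whether an A record for that exact
# name came back. A name answered only by a CNAME is reported as NO-A.
trace_check() {
    while IFS= read -r d; do
        if dig "$d" A +trace 2>/dev/null |
            awk -v n="$d." 'tolower($1) == tolower(n) && $3 == "IN" && $4 == "A" { f = 1 }
                            END { exit !f }'
        then
            echo "OK    $d"
        else
            echo "NO-A  $d"
        fi
    done
}

# Usage on a server (needs network access and dig):
#   /usr/local/cpanel/bin/autossl_check --user "$username" 2>&1 \
#       | dcv_failed_domains | trace_check
```

A name reported as NO-A has no A record in the zone served by the domain's authoritative nameservers, which matches the "does not resolve to any IPv4 addresses" warning in the log.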