
How will DNS based DCV for autoSSL work in v74?

Discussion in 'Security' started by chuckcintron, Jun 29, 2018.

  1. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I tried to research and find detailed information about how upcoming DNS based DCV will work for autoSSL, in upcoming cPanel v74.

    I couldn't find anything.

    Can someone describe how this will work? I'm hoping it means I will simply get a TXT entry to add to DNS (or, if DNS is on the local server, cPanel will insert the record directly). All my DNS is over at AWS Route53 or under my customers' external control -- so I would need to be able to get the TXT record and either manually put it into Route53 or write code to do it via API calls.

    If the above is true - then is it a 'set and forget' record, or will the TXT entry have to be modified when renewals happen?

    I'm really hoping it is 'set once and never worry about touching it again'.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,870
    Likes Received:
    1,811
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @chuckcintron,

    In cPanel & WHM version 74, if the HTTP-based DCV method fails, then AutoSSL will automatically run a DNS-based DCV method. As part of the DNS-based DCV method, a DNS record (CNAME record for Comodo, TXT record for Let's Encrypt) is automatically added to the domain name's DNS zone on the cPanel & WHM server. The DNS record in the DNS zone for the domain name is added/removed/modified automatically as needed (Comodo and Let's Encrypt have different requirements for the DNS records).

    As far as domains that use a remote server for DNS (e.g. a domain registrar, CloudFlare), I'm checking with a Development team member responsible for the feature to see if there's a path to DNS-based DCV succeeding under such a scenario. I'll update this thread once I receive more information.

    We'll publish documentation with more information on how this new feature works near the time cPanel & WHM version 74 is released to the EDGE release tier.

    Thank you.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,870
    Likes Received:
    1,811
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @chuckcintron,

    To update, while it might be possible to get DNS-based DCV to succeed when a domain's DNS is hosted on a remote server, it would require that you make use of AutoSSL hooks and set up a custom script that automatically pushes the DNS record changes to the remote DNS server immediately after the AutoSSL process starts. Manually adding the records at the remote DNS provider isn't really a viable option at this point because the DCV request will time out if the record isn't propagated within a short window of time after AutoSSL is initiated.

    You can review the AutoSSL hooks that were included as part of cPanel & WHM version 72 at:

    Guide to Standardized Hooks - Whostmgr Functions - Developer Documentation - cPanel Documentation

    In summary, the feature is primarily designed to work when the DNS for a domain name is hosted by the local cPanel & WHM server (or the servers in a supported DNS cluster environment). You might be able to work around this through the use of a custom script if the remote DNS host provides an API for you to use.

    Thank you.
     
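One way to implement the custom-script path cPanelMichael describes for a Route 53 hosted zone, as an added example that is neither cPanel's code nor the AutoSSL hook interface (the thread does not describe how the hook hands the record to a script, so the functions simply take the record name, type and value as arguments). It pushes the record with an UPSERT and then polls each authoritative nameserver of the zone directly until all of them serve it, which is the propagation window the DCV timeout depends on. The zone id, record names and values in the tests are placeholders; boto3 and dnspython are needed only for the live functions.

```python
import time

def change_batch(name, rtype, value, ttl=60, action="UPSERT"):
    """Route 53 ChangeResourceRecordSets payload for one DCV record.
    TXT (Let's Encrypt) values are quoted, CNAME (Comodo) targets made
    fully qualified; action="DELETE" removes the record afterwards."""
    if rtype == "TXT":
        rr = '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')
    elif rtype == "CNAME":
        rr = value if value.endswith(".") else value + "."
    else:
        raise ValueError("DCV uses TXT (Let's Encrypt) or CNAME (Comodo)")
    rrset = {"Name": name.rstrip(".") + ".", "Type": rtype, "TTL": ttl,
             "ResourceRecords": [{"Value": rr}]}
    return {"Comment": "AutoSSL DCV", "Changes": [{"Action": action, "ResourceRecordSet": rrset}]}

def record_visible(answers, rtype, value):
    """True when one server's answers (unquoted TXT strings or CNAME targets) hold the value."""
    if rtype == "CNAME":
        return any(a.rstrip(".").lower() == value.rstrip(".").lower() for a in answers)
    return value in answers

def _query(server_ip, name, rtype):
    # Ask one authoritative server directly, bypassing caching resolvers (dnspython, live path only).
    import dns.resolver, dns.exception
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [server_ip]
    try:
        ans = res.resolve(name, rtype)
    except dns.exception.DNSException:
        return []
    if rtype == "TXT":
        return [b"".join(r.strings).decode() for r in ans]
    return [str(r.target) for r in ans]

def apply_and_wait(zone_id, name, rtype, value, timeout=120, interval=5):
    """UPSERT the record, then block until every authoritative NS of the zone serves it."""
    import boto3, dns.resolver  # live path only; zone_id is the Route 53 hosted zone id
    r53 = boto3.client("route53")
    r53.change_resource_record_sets(HostedZoneId=zone_id,
                                    ChangeBatch=change_batch(name, rtype, value))
    zone = r53.get_hosted_zone(Id=zone_id)["HostedZone"]["Name"]
    ns_ips = [str(a) for ns in dns.resolver.resolve(zone, "NS")
              for a in dns.resolver.resolve(str(ns.target), "A")]
    deadline = time.time() + timeout
    while time.time() < deadline:
        if all(record_visible(_query(ip, name, rtype), rtype, value) for ip in ns_ips):
            return True  # safe to let the CA validate now
        time.sleep(interval)
    return False  # record did not reach all servers before the deadline
```

Call `change_batch(..., action="DELETE")` once the certificate is issued so stale DCV records do not accumulate in the zone.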
  4. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    ok, thanks - understood. So this won't be a viable option for me and I'll have to stick with HTTP validation.

    Not to sound snarky...but cPanel realizes that many customers run DNS from their registrar or elsewhere, right? It would have been nice if there was a simple "here's your TXT record, go add it to DNS", like other services provide.
     
  5. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,676
    Likes Received:
    85
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    DNS validation really just wouldn't be recommended for non-wildcard certificates. If you require wildcard certificates (with Let's Encrypt) you have to use DNS validation. But it is much, much, much slower than HTTP validation even if you control the DNS for the domain. This is because you have to reload the DNS zone and allow for at least a few seconds for the changes to propagate to each DNS server.

    This is why I don't really understand the fascination with DNS validation and why I don't see the fascination in wildcard certificates. Maybe 1 out of every 100 domain names will have a need for a wildcard certificate, but I can't see it being much more than that.

    If you are wanting to use DNS for a non-wildcard certificate, my question would be why? If the domain name's web service isn't pointing to a server you control, why do you need a certificate? Generate the certificate from the server handling the web service for that domain name. If there are any outliers to this, I can't imagine they'd be plentiful and for those few, few cases, best to handle those on a case by case basis instead of trying to create a cookie cutter that's used once and then forgotten about.
     
  6. chuckcintron

    chuckcintron Member

    Joined:
    May 17, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Running WordPress multisite, with mapped domain names and DNS services from a mix of client-managed via domain registrar and my white-label nameservers sitting on top of AWS (via a combination of Route 53 and S3 buckets).
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,870
    Likes Received:
    1,811
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @chuckcintron,

    I encourage you to submit a feature request for that added functionality:

    Submit A Feature Request

    Thank you.
     