LetsEncrypt Wildcard DNS verification when not using cPanel's name servers

[Fozzie]

I want to create a wildcard certificate through the Lets Encrypt SSL page however I have to use DNS verification for this which is fine, yet cPanel does not display the TXT record it wants me to add it just blatantly assumes that we're using cPanel's DNS manager, how do I get the TXT record so I can actually add it to my domain?

This seems like a massive oversight as the TXT record isn't exactly meant to be secret.

 

[cPanelLauren]

The txt record that is added when we do this is automatically generated and as of right now you cannot successfully perform DNS DCV with AutoSSL if your server is not authoritative for the domain. This is also noted in the documentation under Limitations for Wildcard Domains:

Limitations
If you use the Let’s Encrypt plugin to issue certificates for wildcard domains, be aware that:

• This plugin cannot use HTTP DCV challenges to issue certificates for wildcard domains. This is because Let’s Encrypt does not support this type of challenge. For more information, read Let’s Encrypt’s HTTP-01 challenge type documentation.
• You cannot use this plugin to obtain certificates for wildcard domains if you use third-party DNS hosting. You must host DNS on your local cPanel & WHM server or within the server’s DNS cluster.

 

[Fozzie]

The txt record that is added when we do this is automatically generated and as of right now you cannot successfully perform DNS DCV with AutoSSL if your server is not authoritative for the domain. This is also noted in the documentation under Limitations for Wildcard Domains:

Why though? Why is there not a text box that pops up saying the TXT record to add? Why did the development team just assume everyone is going to use cPanel's DNS?

 

[cPanelLauren]

As I don't have specifics I can assume that this was done this way to match with the existing method of DCV check generation - we auto-generate the HTTP CSR Hash as well. It looks like one of our teams is working on something for this (I see an improvement case marked as To Do) but there is no timeframe for competition. I'd also assume they'd have to change the way the entire module works doing this since for all other certificate types the fallback to HTTP DCV check will bypass the need for locally managed nameservers.