Local HTTP DCV error 404 w/ AutoSSL + LetsEncrypt

Operating System & Version: AlmaLinux 8
cPanel & WHM Version: 106.0.9

joshhowa

Member
Oct 17, 2022
United States
cPanel Access Level
Root Administrator
I'm new to all of this, so I will try my best to explain what is happening.

The registrar for all of my domains is Google. I set my name servers to the ones suggested by adding the Linode name servers to all of them and then added them all to my cPanel, but I am getting the following error when trying to run AutoSSL on my domains.

DNS DCV: No local authority: “****.***”; HTTP DCV: The system queried for a temporary file at “http://****.***/.well-known/acme-challenge/2FHTFP_IJ4L4B5JRLA1CUD0RPEAJYDB2”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
Things I have already tried:

 

rbairwell

Well-Known Member
May 28, 2022
Mansfield, Nottingham, UK
cPanel Access Level
Root Administrator
TL;DR:
Your server is not currently recognising http://howard.codes as a valid website - have you created an account on the server with that domain name? (And, if you have, is your server IP 96.126.107.210 which is being returned from Linode's nameservers? If it isn't, you'll need to update that record).

Once you've done that, Let's Encrypt/cPanel should be able to run AutoSSL using web-based authentication (which it is trying to do by creating a dummy file in .well-known/acme-challenge : but since your domain name isn't resolving to the server, it's hitting a 404 and failing). Please allow a few hours after updating nameserver records for them to propagate correctly.

Long explanation:

Okay, the way DCV works is by generating a random subdomain (or a few) on the domain name and checking if that can be resolved correctly: however, this only works if the domain name is using the cPanel server as the nameservers - if you use secondary/backup/remote nameservers (such as Linode's own nameservers) then there may be a delay in propagation of the "test subdomains" which times out before Let's Encrypt has a chance to validate. It appears from your DNS records that you are using Linode as your primary nameserver and so these subdomains don't stand a chance of being created in time.

If you have "root/WHM" access to the server, see Linode's cPanel DNS Services guide which should resolve this.

Otherwise, if the server has the domain set up, the domain name is pointing at the server, and the website is resolving correctly on http (not https), then Let's Encrypt should be able to do web validation (which it is trying to do - see the 404 error) and just make the certificate for the site.
 

joshhowa

Well, pinging my domain does indeed give me the IP address (the correct one), with zero packet loss.

Google is the registrar for all of my domains, but they are managed through my host (Linode) and I can confirm that they indeed are pointing to my IP address. Which is why this is confusing to me.

I can visit my websites now and they work fine, but are not secured of course. Outside of what I have tried, I am running out of things to check for.
 

rbairwell

> I can visit my websites now and they work fine

There's at least one configuration problem then. I've just tried going to http://howard.codes/ (mentioned in your first post) and I'm getting the default cPanel "No site here" page - however, that's coming to me over IPv6 from 2600:3c03:0:0:f03c:93ff:fe77:73e4 (if somebody's connection has IPv6 enabled, Windows tends to use that as default). You can check this via Website test: www.howard.codes - the "Same website on IPv6 and IPv4" is coming up bad. You probably need to tweak the AAAA records at Linode to point to the server.

However, SSL issuance should still work as that uses port 80 over IPv4 and Let's Debug shows no errors stopping this. Can you try making a folder called .well-known in public_html and adding a test file in there just to check that http://www.howard.codes/.well-known/testfile.txt works?
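
An added example, not part of the thread: a script for the check suggested in the post above, fetching the same self-created test file over IPv4 and IPv6 separately so that a mismatch between the A and AAAA records shows up. The function names and verdict labels are made up for this example, and it assumes `curl` and `dig` are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): probe a test URL separately over IPv4
# and IPv6 and classify the result. Names and verdict labels are hypothetical.

# http_status <-4|-6> <url>: print the HTTP status code, or 000 if no connection.
http_status() {
  curl "$1" -s -o /dev/null --max-time 10 -w '%{http_code}' "$2" || true
}

# classify <ipv4_status> <ipv6_status> <has_aaaa: yes|no>: print a one-word verdict.
classify() {
  local v4="$1" v6="$2" has_aaaa="$3"
  if [ "$v4" != "200" ]; then
    echo "ipv4-fail"        # the test file is not served over IPv4
  elif [ "$has_aaaa" = "no" ]; then
    echo "ok-ipv4-only"     # no AAAA record published, only IPv4 applies
  elif [ "$v6" = "200" ]; then
    echo "ok"               # both address families serve the file
  else
    echo "ipv6-mismatch"    # AAAA record exists but does not serve the file
  fi
}

# check_domain <domain> <path>: path is a test file you created yourself,
# e.g. /.well-known/testfile.txt as suggested in the post above.
check_domain() {
  local domain="$1" path="$2" a aaaa has_aaaa=no v4 v6=000
  a=$(dig +short A "$domain" | tr '\n' ' ')
  aaaa=$(dig +short AAAA "$domain" | tr '\n' ' ')
  if [ -n "$aaaa" ]; then has_aaaa=yes; fi
  v4=$(http_status -4 "http://$domain$path")
  if [ "$has_aaaa" = yes ]; then
    v6=$(http_status -6 "http://$domain$path")
  fi
  echo "A:    ${a:-none}"
  echo "AAAA: ${aaaa:-none}"
  echo "HTTP over IPv4: $v4, over IPv6: $v6"
  echo "verdict: $(classify "$v4" "$v6" "$has_aaaa")"
}

# Run only when a domain and a path are given on the command line.
[ "$#" -lt 2 ] || check_domain "$1" "$2"
```

Run it from a machine outside the server, for example `./dcv-probe.sh example.com /.well-known/testfile.txt` (script name and domain are placeholders); the IPv6 probe reports 000 if that machine has no IPv6 connectivity.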
 

joshhowa

I was able to create a test txt file and place it in the folder where AutoSSL apparently places the file for the DCV process. And it works for me. I can navigate to this URL and it opens the text file in my browser.


I verified the IPv4 and IPv6 addresses and cross-referenced them with what's in my Linode domain managers. The A records point to the correct IP for IPv4, IPv6, and the www A records. Just for due diligence's sake, I added a wildcard A record for subdomains; I'll wait for changes to propagate and test it. But I have a feeling it won't help.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Does this command, run from the local cPanel server experiencing the AutoSSL issues, return the correct nameservers for your domain?

Code:
/usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("domain.com"));'
Just replace "domain.com" with the actual domain you're working with.
 

joshhowa

> Does this command, run from the local cPanel server experiencing the AutoSSL issues, return the correct nameservers for your domain?
>
> Code:
> /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("domain.com"));'
> Just replace "domain.com" with the actual domain you're working with.

Yes, this is what it returned.


$VAR1 = {
'ns4.linode.com' => '162.159.26.99',
'ns3.linode.com' => '162.159.25.129',
'ns2.linode.com' => '162.159.24.39',
'ns1.linode.com' => '162.159.27.72',
'ns5.linode.com' => '162.159.24.25'
};