SOLVED Local HTTP DCV error: does not resolve to any IP addresses on the internet.

Operating System & Version
CentOS v7.9.2009 kvm
cPanel & WHM Version
v100.0.9

wedwards

Registered
Hello,

Since this morning, a server is having trouble renewing certificates.

`/usr/local/cpanel/bin/autossl_check --all` outputs "Local HTTP DCV error: ... does not resolve to any IP addresses on the internet." and "DNS query error (CAA): SERVFAIL (2)" for 8 domains.

tcpdump does not show any SERVFAILs or even CAA lookups. I just see a few AAAA and A lookups, which all succeed. So, I guess AutoSSL queries the authoritative nameservers directly. But those return NOERROR. Anyway, this doesn't seem to matter, as the DCV is still performed without/with faulty CAA records.

What I tried:

  • There was still a faulty NAT configuration. Removed /var/cpanel/cpnat
  • DNSViz, DNSSpy and Verisign don't see any DNSSEC troubles
  • I saw some posts regarding issues with Sectigo, so switched from Sectigo to Let's Encrypt as AutoSSL provider
  • Switched from BIND to PowerDNS to no DNS server (even though the local resolver doesn't seem to be used)
  • Updated resolvers in /etc/resolv.conf from Google to local ones
  • Disabled firewalld (all chains in `iptables -nvL` had no rules)
  • Ensured that default DNS records such as 'ipv6', 'webdisk' and 'webmail' are present
  • `upcp`
  • Reboot

Here's one of the failing domains for inspection:

REDACTED PUBLIC DOMAIN INFO

The subdomains for which the 'local HTTP DCV' fails are not consistent. Actually, it seems completely random:

REDACTED PUBLIC DOMAIN INFO

After re-running `autossl_check --all` a few times, without making any changes, 3 of 11 domains suddenly passed the DCV validation out of nowhere. This leads me to believe that the cPanel Store is experiencing issues.
 
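To separate the two failure modes reported in the post above (a CAA lookup that returns SERVFAIL, versus a NOERROR answer whose CAA records either permit or deny the chosen CA), here is an added Python example. It is not cPanel's AutoSSL code: it is an independent, minimal DNS wire-format parser that runs offline on hand-constructed packets for the made-up name www.example.net. The one simplification, marked in the code, is that it checks the CAA set of a single name and does not climb to parent names as RFC 8659 requires.

```python
"""Parse DNS CAA responses and decide whether a CA may issue (added example, not cPanel code).

A SERVFAIL on the CAA lookup means the check cannot be decided at all (the
"DNS query error (CAA): SERVFAIL (2)" case); a NOERROR answer is decided by
its CAA "issue" records. All packets below are constructed by hand.
"""
import struct

QTYPE_CAA = 257          # RFC 8659
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                  # caller resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_caa_query(name, txid=0x1234):
    """Standard recursive CAA query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_CAA, QCLASS_IN)


def build_response(query, rcode, caa_records=()):
    """Constructed test helper: answer `query` with `rcode` and the given CAA RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(caa_records), 0, 0)
    answers = b""
    for flags, tag, value in caa_records:
        rdata = bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
        # 0xC00C is a pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CAA, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answers


def parse_caa_response(msg):
    """Return the rcode, its name, the queried name and the (flags, tag, value) CAA RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        offset += 4                                # QTYPE + QCLASS
    caa = []
    for _ in range(an):
        _name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_CAA:
            taglen = rdata[1]
            caa.append((rdata[0], rdata[2:2 + taglen].decode("ascii"), rdata[2 + taglen:].decode("ascii")))
    return {"txid": txid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "qname": qname, "caa": caa}


def ca_permitted(result, ca_domain):
    """None = lookup failed (SERVFAIL); True/False = CAA verdict for a non-wildcard name.

    Assumption/simplification: RFC 8659 also requires climbing to parent names
    when the queried name has no CAA set; this function checks one name only.
    """
    if result["rcode"] == 2:
        return None
    issue = [v for _f, tag, v in result["caa"] if tag == "issue"]
    if not issue:
        return True                                # no CAA restriction at this name
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue}
    return ca_domain.lower() in allowed            # an "issue ;" record alone denies every CA


# Constructed sample packets (www.example.net is a made-up name)
QUERY = build_caa_query("www.example.net")
SERVFAIL_RESPONSE = build_response(QUERY, 2)
OK_RESPONSE = build_response(QUERY, 0, [(0, "issue", "letsencrypt.org"), (0, "issuewild", "sectigo.com")])
DENY_RESPONSE = build_response(QUERY, 0, [(0, "issue", ";")])

if __name__ == "__main__":
    for label, pkt in [("servfail", SERVFAIL_RESPONSE), ("ok", OK_RESPONSE), ("deny", DENY_RESPONSE)]:
        r = parse_caa_response(pkt)
        print(label, r["rcode_name"], r["caa"], "letsencrypt.org permitted:", ca_permitted(r, "letsencrypt.org"))
```

Against real servers the same parser can be fed the raw bytes of a `dig +norecurse` or socket query; the point here is that a SERVFAIL answer is a resolver or authoritative-side failure that no CAA record on the zone can fix, whereas a NOERROR answer is decided purely by the `issue` values, so the two need different troubleshooting.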

cPRex

Jurassic Moderator
Staff member
Hey there! I edited your post to remove the public domain info for security reasons.

The SSL provider, Sectigo, has been having issues for several weeks now. More details on that can be found here:


The best way to resolve this would be to switch your SSL provider to the Let's Encrypt option.
 

wedwards

Registered
Hi,

Hey there! I edited your post to remove the public domain info for security reasons.

The SSL provider, Sectigo, has been having issues for several weeks now. More details on that can be found here:

To be honest, I don't have a problem with the domains being public. Masquerading domains doesn't make anything more secure, and could make the issue harder to debug.

The best way to resolve this would be to switch your SSL provider to the Let's Encrypt option.
As mentioned in the post, I have already tried this. This did not solve the issue.
 

cPRex

Jurassic Moderator
Staff member
It definitely will make the issue harder to debug. However, there have been instances where bots scan forums looking for domains or IP addresses, and then attack those sites through automated means. Rare...but it can happen.

If there is an issue where the domain name is critical to the problem, such as this, especially where you've already performed a good chunk of troubleshooting, it's best to open a support ticket with our team directly. Could you do that and then post the number here?
 

wedwards

Registered
If there is an issue where the domain name is critical to the problem, such as this, especially where you've already performed a good chunk of troubleshooting, it's best to open a support ticket with our team directly. Could you do that and then post the number here?
I've created a ticket through the cPanel partner, so I don't have access to the ticket number.

I'll make sure to update this thread, though.
 

wedwards

Registered
cPanel support worked around the issue by touching `/var/cpanel/dns_flags/has_broken_ipv6`. I am not sure yet why this workaround works. Nothing seems to be wrong with IPv6. I do observe that many of the connections from the authoritative nameservers are RST'ed by the server after a SYN+ACK, so something else might be up with the networking stack there. Anyway, if anyone else comes across this post in the future, try checking your IPv6 configuration. (And don't just touch that file and forget about it; IPv6 is the future.)
 

BlueOcean

Registered
cPanel support worked around the issue by touching `/var/cpanel/dns_flags/has_broken_ipv6`.
Our regular servers running on several datacenters had no issues. (IPv6 taken care of properly) We have one older on-site development server that was running into AutoSSL renewal issues. There are plenty of DNS issues and solutions provided in the forum regarding AutoSSL. None of the provided solutions worked, except this one! Older server, no IPv6 setup ever done that we are aware of. Touching the file gave us back all the green success messages in the AutoSSL logs! Thanks for posting!