SOLVED Potential reduced AutoSSL coverage

[PPNSteve]

AutoSSL would normally renew this certificate now, but 9 of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Nov 17, 2018 at 1:35:24 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV.

example error messages:

www.[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

mail.[REDACTED].net (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].net” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “mail.[REDACTED].net” does not resolve to any IPv4 addresses on the internet.

[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

and so on for the .com, .net, and .org of this parked (alias) domain..

WHM v76.0.7

 

[cPanelLauren]

Hi @PPNSteve

The issue here is that both the HTTP DCV and DNS DCV checks are failing.

HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.

To allow you time to resolve this issue cPanel is deferring the renewal of the domain that DID pass the DCV until Nov 17, 2018 so potentially you can get all the domains secured. If you don't want these domains secured or attempted to be secured you can exclude them from the autossl check through cPanel.


Thanks!

 

[PPNSteve]

Yes, I see that you understand what is happening.. now how do I fix it?

Be aware these are domains that have been on the system for quite a while now and have previously been (and are currently) secured via AutoSSL

 

[cPanelLauren]

Well, first of all, you'll need to identify why the DNS and HTTP DCV checks are failing. HTTP DCV is the primary method the DNS DCV is just a fallback.

Typically what I do, to get an idea of what is going wrong is to run a curl request against the failing domain:

curl -kvv domain.tld

The output of this typically tells me the issue right away - you can even run the request against the full path if you place a text file in the user's .well-known/pki-validation/ (comodo) or .well-known/acme-challenge (Let's Encrypt) directory

 

[PPNSteve]

Ok I get html or a test txt message I placed in the suggested full path folder when checking via curl.

[email protected] [~]# curl -kvv [REDACTED].com/.well-known/pki-validation/test.txt
* About to connect() to [REDACTED].com port 80 (#0)
*   Trying 2607:[REDACTED]::2... connected
* Connected to [REDACTED].com (2607:[REDACTED]::2) port 80 (#0)
> GET /.well-known/pki-validation/test.txt HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: [REDACTED].com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 16 Nov 2018 00:19:02 GMT
< Server: Apache
< Last-Modified: Fri, 16 Nov 2018 00:17:51 GMT
< Accept-Ranges: bytes
< Content-Length: 78
< Content-Type: text/plain
<
* Connection #0 to host [REDACTED].com left intact
* Closing connection #0
NOTE: this is a test file used for curl testing.. see, it works properly here.
[email protected] [~]#

so the dns / http request IS working correctly but the AutoSSL DCV isn't seeing / processing this one domain group.

 

[cPanelMichael]

Hello @PPNSteve,

We'd like to take a closer look at your system to verify there's not an issue with the AutoSSL feature stemming from recent changes in cPanel & WHM version 76. Could you open a support ticket and then post the ticket number here? I'll link this thread to the ticket and ensure it's promptly investigated.

Thank you.

 

[PPNSteve]

OK Thanks..

Your Support Request ID is: 10742907

 

[cPAusaf]

Issue looks to have been related to DNS and is resolved now.