SOLVED Potential reduced AutoSSL coverage

Status
Not open for further replies.

PPNSteve

Well-Known Member
AutoSSL would normally renew this certificate now, but 9 of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Nov 17, 2018 at 1:35:24 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV.

example error messages:
Code:
www.[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

mail.[REDACTED].net (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].net” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “mail.[REDACTED].net” does not resolve to any IPv4 addresses on the internet.

[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC)
DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.; HTTP DCV: “[REDACTED].org” does not resolve to any IPv4 addresses on the internet.
And so on for the .com, .net, and .org of this parked (alias) domain.

WHM v76.0.7
 

cPanelLauren

Forums Analyst II
Staff member
Hi @PPNSteve

The issue here is that both the HTTP DCV and DNS DCV checks are failing.

HTTP DCV: “www.[REDACTED].org” does not resolve to any IPv4 addresses on the internet.

DNS DCV: The DNS query to “_cpanel-dcv-test-record.[REDACTED].org” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]”.

To allow you time to resolve this issue, cPanel is deferring the renewal of the domain that DID pass the DCV until Nov 17, 2018, so potentially you can get all the domains secured. If you don't want these domains secured or attempted to be secured, you can exclude them from the AutoSSL check through cPanel.


Thanks!
 

cPanelLauren

Well, first of all, you'll need to identify why the DNS and HTTP DCV checks are failing. HTTP DCV is the primary method; the DNS DCV is just a fallback.

Typically, what I do to get an idea of what is going wrong is run a curl request against the failing domain:

Code:
curl -kvv domain.tld
The output of this typically tells me the issue right away. You can even run the request against the full path if you place a text file in the user's .well-known/pki-validation/ (Comodo) or .well-known/acme-challenge (Let's Encrypt) directory.
 

PPNSteve

Ok, I get HTML or a test txt message I placed in the suggested full path folder when checking via curl.

Code:
[email protected] [~]# curl -kvv [REDACTED].com/.well-known/pki-validation/test.txt
* About to connect() to [REDACTED].com port 80 (#0)
*   Trying 2607:[REDACTED]::2... connected
* Connected to [REDACTED].com (2607:[REDACTED]::2) port 80 (#0)
> GET /.well-known/pki-validation/test.txt HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: [REDACTED].com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 16 Nov 2018 00:19:02 GMT
< Server: Apache
< Last-Modified: Fri, 16 Nov 2018 00:17:51 GMT
< Accept-Ranges: bytes
< Content-Length: 78
< Content-Type: text/plain
<
* Connection #0 to host [REDACTED].com left intact
* Closing connection #0
NOTE: this is a test file used for curl testing.. see, it works properly here.
[email protected] [~]#
So the DNS / HTTP request IS working correctly, but the AutoSSL DCV isn't seeing / processing this one domain group.
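
The DCV error quoted in this thread says the name has no IPv4 address, while the curl transcript above connected over an IPv6 address, so checking each address family separately shows whether the two results actually conflict. This is an added example, not code from the thread or from cPanel: the function names and the `-4` re-test are assumptions, and live use needs `dig` and `curl` installed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): per-address-family DCV pre-check.
# Usage: bash this-script domain.tld '_cpanel-dcv-test-record=<value from the AutoSSL log>'

# classify_dcv A_RECORDS AAAA_RECORDS TXT_RECORDS EXPECTED_TXT
# Pure function: takes lookup results as strings and prints one finding per check.
classify_dcv() {
  local a="$1" aaaa="$2" txt="$3" expected="$4"
  if [ -z "$a" ] && [ -n "$aaaa" ]; then
    # Plain curl can succeed over IPv6 while an IPv4-only lookup finds nothing.
    echo "HTTP: AAAA only, no A record"
  elif [ -z "$a" ]; then
    echo "HTTP: no A or AAAA record"
  else
    echo "HTTP: A record present"
  fi
  # dig prints TXT data wrapped in double quotes; strip them before comparing.
  if printf '%s\n' "$txt" | tr -d '"' | grep -qxF -- "$expected"; then
    echo "DNS: TXT matches"
  else
    echo "DNS: TXT missing or different"
  fi
}

# dcv_precheck DOMAIN EXPECTED_TXT
# Live lookups; keeps only address lines so a bare CNAME target is not counted.
dcv_precheck() {
  local domain="$1" expected="$2" a aaaa txt
  a="$(dig +short A "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$')"
  aaaa="$(dig +short AAAA "$domain" | grep ':')"
  txt="$(dig +short TXT "_cpanel-dcv-test-record.$domain")"
  classify_dcv "$a" "$aaaa" "$txt" "$expected"
  # Force IPv4 so the request cannot silently use the AAAA record.
  curl -4 -sS -o /dev/null -w 'HTTP over IPv4: %{http_code}\n' "http://$domain/" \
    || echo "HTTP over IPv4: connection failed"
}

# Run the live check only when a domain and expected TXT value are supplied.
if [ "$#" -eq 2 ]; then dcv_precheck "$1" "$2"; fi
```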
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello @PPNSteve,

We'd like to take a closer look at your system to verify there's not an issue with the AutoSSL feature stemming from recent changes in cPanel & WHM version 76. Could you open a support ticket and then post the ticket number here? I'll link this thread to the ticket and ensure it's promptly investigated.

Thank you.
 