Switched to PowerDNS, seems to have broken AutoSSL

janipewter

Active Member
Jan 2, 2013
44
3
8
cPanel Access Level
Root Administrator
Apologies if this has been posted before, I did have a look but couldn't find anyone with the same issue.

I switched to PowerDNS yesterday, and now I've noticed that when AutoSSL runs, I get a lot of errors. I'm not sure if these two things are related, as I haven't manually run AutoSSL for a long time until today but I never had this problem before.

The reason why I manually ran AutoSSL today is because I have just created a subdomain on one of my domains and I wanted HTTPS on it immediately. Then I noticed a lot of these errors in the log (account name and main domain name changed for privacy):

Code:
12:47:57 PM Checking websites for “myuser” …
12:47:57 PM The website “share.mydomain.co.uk”, owned by “myuser”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
12:47:57 PM The website “mydomain.co.uk”, owned by “myuser”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “mail.mydomain.co.uk” and “www.mail.mydomain.co.uk”. The system will attempt to replace this certificate with one that includes these additional domains.
12:47:57 PM WARN The domain “www.mail.mydomain.co.uk” failed domain control validation: “www.mail.mydomain.co.uk” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.

The subdomain I recently created was share.mydomain.co.uk - that's the one I wanted it to grab the SSL cert for. However there is a warning that www.mail.mydomain.co.uk has failed DCV because it doesn't resolve. This is quite right, as I have never created it, and I assume it's a system thing. mail.mydomain.co.uk does resolve to my server IP, however it just leads to the site on mydomain.co.uk with a certificate warning because the common name does not match (the cert is for mydomain.co.uk).

The log has the warning for the mail.whatever.tld failure for every domain that I host on my server (about 30). None of my users actually use the webmail anyway, and I think mail.whatever.tld looks ugly - and even then, the webmail is accessed through whatever.tld/mail - NOT mail.whatever.tld
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
The subdomain I recently created was share.mydomain.co.uk - that's the one I wanted it to grab the SSL cert for. However there is a warning that www.mail.mydomain.co.uk has failed DCV because it doesn't resolve. This is quite right, as I have never created it, and I assume it's a system thing. mail.mydomain.co.uk does resolve to my server IP, however it just leads to the site on mydomain.co.uk with a certificate warning because the common name does not match (the cert is for mydomain.co.uk).
Hello,

Could you verify if any changes have been made to the "mail" DNS entries for the accounts? Or, is an independent subdomain or addon domain name created for "mail" under the affected accounts?

Thank you.
 

janipewter

Active Member
Jan 2, 2013
44
3
8
cPanel Access Level
Root Administrator
Thanks for the reply. None of the accounts have independent subdomains or addon domains created for "mail" nor "www.mail"

I checked three random accounts and in all three, mail.mydomain.co.uk is a CNAME of mydomain.co.uk. I assume this is the intended behaviour of cpanel.

Two things of interest that I have stumbled upon though, are:

When I enter Advanced DNS Zone Editor, in the Select a Domain dropdown menu, it lists mydomain.co.uk and mail.mydomain.co.uk. If I select the latter, I get the following error at the bottom of the page (where the records should be):

Error

Failed to fetch zone file for mail.mydomain.co.uk

The system did not find any zone records.

When I selected the main mydomain.co.uk and hit the Reset Zone File button and it created a whole load of new records, which look like they are all cpanel things. Examples are A records for webdisk.mydomain.co.uk, cpcalendars.mydomain.co.uk etc. It did not create one for www.mail.mydomain.co.uk

Lastly, it's worth pointing out that AutoSSL is in fact not broken as the thread title suggests. It did successfully fetch and install the SSL cert for share.mydomain.co.uk, within the hour. It's just very annoying that I get a huge list of errors because of the other issue described above.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

Thank you.