Unable to install SSL for autodiscover with Let's Encrypt

[Nermin]

Hello, I am receiving email from my server every day regarding inability to install SSL for autodiscover for all of my domains (150 domains on server). I have posted error for one of accounts, but all of them get the same error.

This is the error log:

uwbgroup.ba: AutoSSL would normally renew this certificate now, but 1 of the website’s secured domains just failed DCV. To provide you with more time to resolve this problem, AutoSSL will defer the renewal until Jan 7, 2022 at 1:57:50 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 11 days, 19 hours, 21 minutes, and 56 seconds.

AutoSSL did not renew the certificate for “uwbgroup.ba”. You must take action to keep this site secure. The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problem: autodiscover.uwbgroup.ba (checked on Dec 29, 2021 at 6:35:48 AM UTC) DNS DCV: No local authority: “autodiscover.uwbgroup.ba”; HTTP DCV: The system queried for a temporary file at “https://autodiscover.uwbgroup.ba/.well-known/acme-challenge/4JKHHUMREST07MBXBR87Y6IBFMHIGWZ3”, which was redirected from “http://autodiscover.uwbgroup.ba/.well-known/acme-challenge/4JKHHUMREST07MBXBR87Y6IBFMHIGWZ3”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. For the most current status, navigate to the “SSL/TLS Status” interface. You can also exclude domains from future renewal attempts, which would cease future notifications. The certificate that is installed on this website contains the following properties: Expiration: Monday, January 10, 2022 at 1:57:50 AM UTC Domain Names: autodiscover.uwbgroup.ba cpanel.uwbgroup.ba cpcalendars.uwbgroup.ba cpcontacts.uwbgroup.ba mail.uwbgroup.ba uwbgroup.ba webdisk.uwbgroup.ba webmail.uwbgroup.ba www.uwbgroup.ba Subject: commonName webdisk.uwbgroup.ba Issuer: countryName US organizationName Let's Encrypt commonName R3 The system generated this notice on Wednesday, December 29, 2021 at 6:35:53 AM UTC.

Here is log from WHM Auto SSL:
Log for the AutoSSL run for “uwbgroup”: Wednesday, December 29, 2021 7:43:43 AM GMT+0100 (Let’s Encrypt™)
7:43:43 AM AutoSSL’s configured provider is “Let’s Encrypt™”.
Analyzing “uwbgroup”’s domains …
7:45:43 AM Analyzing “uwbgroup.ba” (website) …
7:45:43 AM TLS Status: Ready for Renewal
WARN Certificate expiry: 1/10/22, 1:57 AM UTC (11.8 days from now)
7:45:43 AM Attempting to ensure the existence of necessary CAA records …
7:45:44 AM No CAA records were created.
7:45:44 AM Verifying 10 domains’ management status …
Verifying “Let’s Encrypt™”’s authorization on 10 domains via DNS CAA records …
7:45:44 AM “webdisk.uwbgroup.ba” is managed.
“cpanel.uwbgroup.ba” is managed.
“mail.uwbgroup.ba” is managed.
“www.uwbgroup.ba” is managed.
“uwbgroup.ba” is managed.
“webmail.uwbgroup.ba” is managed.
“cpcontacts.uwbgroup.ba” is managed.
“cpcalendars.uwbgroup.ba” is managed.
“autodiscover.uwbgroup.ba” is managed.
“*.uwbgroup.ba” is managed.
All of this user’s 10 domains are managed.
CA authorized: “uwbgroup.ba”
CA authorized: “*.uwbgroup.ba”
CA authorized: “autodiscover.uwbgroup.ba”
CA authorized: “mail.uwbgroup.ba”
CA authorized: “cpcontacts.uwbgroup.ba”
CA authorized: “cpcalendars.uwbgroup.ba”
CA authorized: “webmail.uwbgroup.ba”
CA authorized: “www.uwbgroup.ba”
CA authorized: “cpanel.uwbgroup.ba”
7:45:45 AM CA authorized: “webdisk.uwbgroup.ba”
“Let’s Encrypt™” is authorized to issue certificates for 10 of this user’s 10 domains.
7:45:45 AM Performing HTTP DCV (Domain Control Validation) on 9 domains …
7:45:46 AM Redirection #1 (cpanel.uwbgroup.ba): http://cpanel.uwbgroup.ba/.well-known/acme-challenge/XP5_T60KU_9_SS-WNAW5BL700IUB_668 → https://cpanel.uwbgroup.ba/.well-known/acme-challenge/XP5_T60KU_9_SS-WNAW5BL700IUB_668
Redirection #1 (webdisk.uwbgroup.ba): http://webdisk.uwbgroup.ba/.well-known/acme-challenge/IYZ5_E3TSWVGTQ7R9U2W-WJH6MQOBFIU → https://webdisk.uwbgroup.ba/.well-known/acme-challenge/IYZ5_E3TSWVGTQ7R9U2W-WJH6MQOBFIU
Redirection #1 (webmail.uwbgroup.ba): http://webmail.uwbgroup.ba/.well-known/acme-challenge/64YX6XF0NGQIOVKX-10Y2HF42YN81DYY → https://webmail.uwbgroup.ba/.well-known/acme-challenge/64YX6XF0NGQIOVKX-10Y2HF42YN81DYY
Redirection #1 (cpcontacts.uwbgroup.ba): http://cpcontacts.uwbgroup.ba/.well-known/acme-challenge/PAZBPOP40GR7-H4O425QE4N8_C79CQYX → https://cpcontacts.uwbgroup.ba/.well-known/acme-challenge/PAZBPOP40GR7-H4O425QE4N8_C79CQYX
Redirection #1 (cpcalendars.uwbgroup.ba): http://cpcalendars.uwbgroup.ba/.well-known/acme-challenge/U4K6SXFUHTU6YPLMIQ7E5Z6OSLBQUO1B → https://cpcalendars.uwbgroup.ba/.well-known/acme-challenge/U4K6SXFUHTU6YPLMIQ7E5Z6OSLBQUO1B
Redirection #1 (autodiscover.uwbgroup.ba): http://autodiscover.uwbgroup.ba/.well-known/acme-challenge/RHXMNGYZTR4NQQSC3A7IGOKXMQ2VT7V- → https://autodiscover.uwbgroup.ba/.well-known/acme-challenge/RHXMNGYZTR4NQQSC3A7IGOKXMQ2VT7V-
Local HTTP DCV OK: uwbgroup.ba
Local HTTP DCV OK: www.uwbgroup.ba
Local HTTP DCV OK: mail.uwbgroup.ba
Local HTTP DCV OK: cpanel.uwbgroup.ba
Local HTTP DCV OK: webdisk.uwbgroup.ba
Local HTTP DCV OK: webmail.uwbgroup.ba
Local HTTP DCV OK: cpcontacts.uwbgroup.ba
Local HTTP DCV OK: cpcalendars.uwbgroup.ba
WARN Local HTTP DCV error (autodiscover.uwbgroup.ba): The system queried for a temporary file at “https://autodiscover.uwbgroup.ba/.well-known/acme-challenge/RHXMNGYZTR4NQQSC3A7IGOKXMQ2VT7V-”, which was redirected from “http://autodiscover.uwbgroup.ba/.well-known/acme-challenge/RHXMNGYZTR4NQQSC3A7IGOKXMQ2VT7V-”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
7:45:46 AM Verifying local authority for 2 domains …
7:45:46 AM No local authority: “autodiscover.uwbgroup.ba”
No local authority: “*.uwbgroup.ba”
7:45:46 AM No local DNS DCV is necessary.
7:45:46 AM Processing “uwbgroup”’s local DCV results …
7:45:46 AM Analyzing “uwbgroup.ba”’s DCV results …
7:45:46 AM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
7:45:46 AM The system has completed “uwbgroup”’s AutoSSL check.


It used to work flawlessly but now it does not for some reason.

Thank you!

Nermin

 

[andrew.n]

Does autodiscover.uwbgroup.ba exists as a subdomain? If you place some files under this subdomain manually are you able to access them? In most of the cases some rules in .htaccess file prevents the files to be reached correctly.

 

[Nermin]

I have created autodiscover.uwbgroup.ba subdomain and put test.html in it and I can access them.
Link: https://autodiscover.uwbgroup.ba/test.html
Here is htaccess file content:
# BEGIN WordPress
# Direktive (redovi) između `BEGIN WordPress` i `END WordPress` su
# dinamički generisani, i trebali bi ih mijenjati samo koristeći WordPress filtere.
# Sve promijene direktiva između navedenih markera biti će prebrisane.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php73” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php73 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (PHP Home - EasyApache 4 - cPanel Documentation)
<IfModule php7_module>
php_flag display_errors Off
php_value max_execution_time 90
php_value max_input_time 180
php_value max_input_vars 5000
php_value memory_limit 256M
php_value post_max_size 51M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php73"
php_value upload_max_filesize 50M
php_flag zlib.output_compression Off
</IfModule>
<IfModule lsapi_module>
php_flag display_errors Off
php_value max_execution_time 90
php_value max_input_time 180
php_value max_input_vars 5000
php_value memory_limit 256M
php_value post_max_size 51M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php73"
php_value upload_max_filesize 50M
php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

END of htaccess file.

Thank you!

 

[andrew.n]

Try to rename your htaccess file and see if you can manually renew the SSL certificate now.

 

[Nermin]

Try to rename your htaccess file and see if you can manually renew the SSL certificate now.

I have renamed htaccess and same problem occurs. All accounts have this issue. Cca 120 accounts have this issue, some of them are on Cloudfare (10 accouts), a few of them are Joomla CMS and 90% are Wordpress.

 

[andrew.n]

and are those subdomains responding? do they have the right A records pointing to the server?

 

[Nermin]

Yes they have. Let's Encrypt was installing SSL just fine for years, until three months ago.
If I create subdomain autodiscover in cPanel it will install SSL for it, but without creating subdomain it does not install.
And by default cPanel will create DNS for cpanel, webmail, webdisk, cpcalendars, cpcontacts, autodiscover. It installs SSL for cpanel, webmail, webdisk, cpcalendars, cpcontacts but for autodiscover it will not install.

 

[andrew.n]

and if you remove the current certificate from that domain name and issue a new one will that install correctly? I think I had the same issue earlier and I was told that manual renewal of those certificates won't work but AutoSSL will renew them fine automatically shortly before the expiration date (in 72 hours).

 

[Nermin]

I have removed current certficate, and tried to install a new one. It installs everything but autodiscover.domain.com.

Here is log:
DNS DCV: No local authority: “autodiscover.kancelarijski.ba”; HTTP DCV: The system queried for a temporary file at “https://autodiscover.kancelarijski.ba/.well-known/acme-challenge/UI7NQ9U150NEZXPP-VOEX74IQ66Q0JPE”, which was redirected from “http://autodiscover.kancelarijski.ba/.well-known/acme-challenge/UI7NQ9U150NEZXPP-VOEX74IQ66Q0JPE”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

Other domains on server, before SSL expiraton, will install SLL for all subdomains but not for autodiscover with same error for all accounts

 

[Nermin]

I have disabled "Thunderbird and Outlook autodiscover and autoconfig support (enables service subdomain and SRV record creation) " and it is gone

 

[andrew.n]

Maybe it is worth to Submit a Ticket at cPanel so the guys can also have a look.

 

[cPanelAnthony]

Hello! A ticket would be helpful; can you open one using the link in my signature and provide me with the ticket ID?