In Progress ZC-5555 - Auto SSL Connection refused

Operating System & Version
CentOS 7.9
cPanel & WHM Version
v94.0.4

nunogato

Registered
Apr 14, 2021
4
0
1
London
cPanel Access Level
Root Administrator
Hi Everyone.

I'm not able to renew SSL with Auto SSL, always getting the error "Could not connect to 'XXXX.XXX:80': Connection refused." (domain removed for security)

Already disabled cphulk and firewall to check if it was refusing connections.

Tried from different servers to access to port 80 and it's working, also when doing a request on the browser it replies with the right result.

I'm not behind cloudflare or any other "filter" the domain is pointed directly to the VPS IP

Same error happens with both "cPanel (powered by Sectigo)" and "Let's Encrypt"

Code:
AutoSSL’s configured provider is “Let’s Encrypt™”.
Cached Let’s Encrypt DCV (Domain Control Validation) values: 0
Looking for potential NAT (Network Address Translation) problems …
        This server does not use NAT.
Analyzing 1 user …
        Analyzing “user”’s domains …
                Analyzing “XXXX.XXX” (website) …
                        TLS Status: Defective
                        Defect: NO_SSL: No SSL certificate is installed.
                Attempting to ensure the existence of necessary CAA records …
                        No CAA records were created.
                Verifying 10 domains’ management status …
                Verifying “Let’s Encrypt™”’s authorization on 10 domains via DNS CAA records …
                        CA authorized: “XXXX.XXX”
                        CA authorized: “*.XXXX.XXX”
                        CA authorized: “ipv6.XXXX.XXX”
                        CA authorized: “cpanel.XXXX.XXX”
                        CA authorized: “www.XXXX.XXX”
                        “XXXX.XXX” is managed.
                        “www.XXXX.XXX” is managed.
                        “ipv6.XXXX.XXX” is managed.
                        “mail.XXXX.XXX” is managed.
                        “cpanel.XXXX.XXX” is managed.
                        “webdisk.XXXX.XXX” is managed.
                        “webmail.XXXX.XXX” is managed.
                        “cpcontacts.XXXX.XXX” is managed.
                        “cpcalendars.XXXX.XXX” is managed.
                        “*.XXXX.XXX” is managed.
                        All of this user’s 10 domains are managed.
                        CA authorized: “cpcalendars.XXXX.XXX”
                        CA authorized: “mail.XXXX.XXX”
                        CA authorized: “webmail.XXXX.XXX”
                        CA authorized: “webdisk.XXXX.XXX”
                        CA authorized: “cpcontacts.XXXX.XXX”
                        “Let’s Encrypt™” is authorized to issue certificates for 10 of this user’s 10 domains.
                Performing HTTP DCV (Domain Control Validation) on 9 domains …
                        Local HTTP DCV error (XXXX.XXX): The system failed to fetch the DCV (Domain Control Validation) file at “http://XXXX.XXX/.well-known/acme-challenge/SHDPQ6HZZCEK_DU_JPN760HWKO7B2G9_” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://XXXX.XXX/.well-known/acme-challenge/SHDPQ6HZZCEK_DU_JPN760HWKO7B2G9_” because of an error: Could not connect to 'XXXX.XXX:80': Connection refused.
                        Local HTTP DCV error (www.XXXX.XXX): The system failed to fetch the DCV (Domain Control Validation) file at “http://www.XXXX.XXX/.well-known/acme-challenge/0QUB_FMWHMAKR76FHRAMR0L7B9JA29PU” because of an error (cached): Could not connect to '2a01:7e00:0000:0000:f03c:92ff:fe28:e8c6:80': Connection refused.
                        Local HTTP DCV error (ipv6.XXXX.XXX): “ipv6.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (mail.XXXX.XXX): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.XXXX.XXX/.well-known/acme-challenge/HQBG3S6DNSN0IQ3HCLVX7-RRX62P6KM2” because of an error (cached): Could not connect to '2a01:7e00:0000:0000:f03c:92ff:fe28:e8c6:80': Connection refused.
                        Local HTTP DCV error (cpanel.XXXX.XXX): “cpanel.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (webdisk.XXXX.XXX): “webdisk.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (webmail.XXXX.XXX): “webmail.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (cpcontacts.XXXX.XXX): “cpcontacts.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (cpcalendars.XXXX.XXX): “cpcalendars.XXXX.XXX” does not resolve to any IP addresses on the internet.
                Verifying local authority for 10 domains …
                        No local authority: “www.XXXX.XXX”
                        No local authority: “webdisk.XXXX.XXX”
                        No local authority: “mail.XXXX.XXX”
                        No local authority: “*.XXXX.XXX”
                        No local authority: “cpanel.XXXX.XXX”
                        No local authority: “webmail.XXXX.XXX”
                        No local authority: “XXXX.XXX”
                        No local authority: “ipv6.XXXX.XXX”
                        No local authority: “cpcalendars.XXXX.XXX”
                        No local authority: “cpcontacts.XXXX.XXX”
                No local DNS DCV is necessary.
Processing “user”’s local DCV results …
        Analyzing “XXXX.XXX”’s DCV results …
                Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
        The system has completed “user”’s AutoSSL check.

The system finished checking 1 user.
Emptying Let’s Encrypt’s DCV (Domain Control Validation) cache …
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
4,836
597
273
cPanel Access Level
Root Administrator
Hey there! It seems like there may be an issue with the DNS on that specific machine. Can you try running the following command:

Code:
/usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("domain.com"));'
Just replace "domain.com" with the actual domain you're working with, and see if that returns the correct nameservers for your domain.
 

nunogato

Registered
Apr 14, 2021
4
0
1
London
cPanel Access Level
Root Administrator
Hey there! It seems like there may be an issue with the DNS on that specific machine. Can you try running the following command:

Code:
/usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("domain.com"));'
Just replace "domain.com" with the actual domain you're working with, and see if that returns the correct nameservers for your domain.
Yes, it does return the right nameservers (outside server)

The errors on the autossl that return "does not resolve to any IP addresses on the internet." I know why as these are not configured on the DNS and can be solved easily by just adding them but then they become "connection refused" issues

Code:
➜  ~ /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("XXXX.XXXX"));'
$VAR1 = {
          'ns1.linode.com' => '162.159.27.72',
          'ns5.linode.com' => '162.159.24.25',
          'ns4.linode.com' => '162.159.26.99',
          'ns3.linode.com' => '162.159.25.129',
          'ns2.linode.com' => '162.159.24.39'
        };
➜  ~
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
4,836
597
273
cPanel Access Level
Root Administrator
Thanks for running that test. It might be best to have our team examine this directly on the system, so could you submit a ticket? Please post the ticket number here so I can follow along and make sure this thread stays updated.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
4,836
597
273
cPanel Access Level
Root Administrator
Thanks for taking care of that. It looks like there is an issue with ea-nginx not listening on IPv6, so the AutoSSL tools are not responding properly with that in use. We recommended that you switch to Apache in order to get this working. If there's still issues after that, please let us know!
 

nunogato

Registered
Apr 14, 2021
4
0
1
London
cPanel Access Level
Root Administrator
Yes, seems that the installed ea-nginx does not support ipv6, to fix this, and as the server was not serving webpages on IPV6 due to the nginx issue, solved this by just removing the IPV6 entries from the DNS.

I Think this should be addressed by whm/cpanel dev team as the ea-nginx was installed using easyapache4 and there's no mention that it does not support ipv6.