In Progress ZC-5555 - Auto SSL Connection refused

Operating System & Version
CentOS 7.9
cPanel & WHM Version
v94.0.4

nunogato

Member
Apr 14, 2021
6
0
1
London
cPanel Access Level
Root Administrator
Hi Everyone.

I'm not able to renew SSL with Auto SSL, always getting the error "Could not connect to 'XXXX.XXX:80': Connection refused." (domain removed for security)

Already disabled cPHulk and the firewall to check if they were refusing connections.

Tried accessing port 80 from different servers and it's working; also, when doing a request in the browser it replies with the right result.

I'm not behind Cloudflare or any other "filter"; the domain is pointed directly to the VPS IP.

Same error happens with both "cPanel (powered by Sectigo)" and "Let's Encrypt"

Code:
AutoSSL’s configured provider is “Let’s Encrypt™”.
Cached Let’s Encrypt DCV (Domain Control Validation) values: 0
Looking for potential NAT (Network Address Translation) problems …
        This server does not use NAT.
Analyzing 1 user …
        Analyzing “user”’s domains …
                Analyzing “XXXX.XXX” (website) …
                        TLS Status: Defective
                        Defect: NO_SSL: No SSL certificate is installed.
                Attempting to ensure the existence of necessary CAA records …
                        No CAA records were created.
                Verifying 10 domains’ management status …
                Verifying “Let’s Encrypt™”’s authorization on 10 domains via DNS CAA records …
                        CA authorized: “XXXX.XXX”
                        CA authorized: “*.XXXX.XXX”
                        CA authorized: “ipv6.XXXX.XXX”
                        CA authorized: “cpanel.XXXX.XXX”
                        CA authorized: “www.XXXX.XXX”
                        “XXXX.XXX” is managed.
                        “www.XXXX.XXX” is managed.
                        “ipv6.XXXX.XXX” is managed.
                        “mail.XXXX.XXX” is managed.
                        “cpanel.XXXX.XXX” is managed.
                        “webdisk.XXXX.XXX” is managed.
                        “webmail.XXXX.XXX” is managed.
                        “cpcontacts.XXXX.XXX” is managed.
                        “cpcalendars.XXXX.XXX” is managed.
                        “*.XXXX.XXX” is managed.
                        All of this user’s 10 domains are managed.
                        CA authorized: “cpcalendars.XXXX.XXX”
                        CA authorized: “mail.XXXX.XXX”
                        CA authorized: “webmail.XXXX.XXX”
                        CA authorized: “webdisk.XXXX.XXX”
                        CA authorized: “cpcontacts.XXXX.XXX”
                        “Let’s Encrypt™” is authorized to issue certificates for 10 of this user’s 10 domains.
                Performing HTTP DCV (Domain Control Validation) on 9 domains …
                        Local HTTP DCV error (XXXX.XXX): The system failed to fetch the DCV (Domain Control Validation) file at “http://XXXX.XXX/.well-known/acme-challenge/SHDPQ6HZZCEK_DU_JPN760HWKO7B2G9_” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://XXXX.XXX/.well-known/acme-challenge/SHDPQ6HZZCEK_DU_JPN760HWKO7B2G9_” because of an error: Could not connect to 'XXXX.XXX:80': Connection refused.
                        Local HTTP DCV error (www.XXXX.XXX): The system failed to fetch the DCV (Domain Control Validation) file at “http://www.XXXX.XXX/.well-known/acme-challenge/0QUB_FMWHMAKR76FHRAMR0L7B9JA29PU” because of an error (cached): Could not connect to '2a01:7e00:0000:0000:f03c:92ff:fe28:e8c6:80': Connection refused.
                        Local HTTP DCV error (ipv6.XXXX.XXX): “ipv6.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (mail.XXXX.XXX): The system failed to fetch the DCV (Domain Control Validation) file at “http://mail.XXXX.XXX/.well-known/acme-challenge/HQBG3S6DNSN0IQ3HCLVX7-RRX62P6KM2” because of an error (cached): Could not connect to '2a01:7e00:0000:0000:f03c:92ff:fe28:e8c6:80': Connection refused.
                        Local HTTP DCV error (cpanel.XXXX.XXX): “cpanel.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (webdisk.XXXX.XXX): “webdisk.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (webmail.XXXX.XXX): “webmail.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (cpcontacts.XXXX.XXX): “cpcontacts.XXXX.XXX” does not resolve to any IP addresses on the internet.
                        Local HTTP DCV error (cpcalendars.XXXX.XXX): “cpcalendars.XXXX.XXX” does not resolve to any IP addresses on the internet.
                Verifying local authority for 10 domains …
                        No local authority: “www.XXXX.XXX”
                        No local authority: “webdisk.XXXX.XXX”
                        No local authority: “mail.XXXX.XXX”
                        No local authority: “*.XXXX.XXX”
                        No local authority: “cpanel.XXXX.XXX”
                        No local authority: “webmail.XXXX.XXX”
                        No local authority: “XXXX.XXX”
                        No local authority: “ipv6.XXXX.XXX”
                        No local authority: “cpcalendars.XXXX.XXX”
                        No local authority: “cpcontacts.XXXX.XXX”
                No local DNS DCV is necessary.
Processing “user”’s local DCV results …
        Analyzing “XXXX.XXX”’s DCV results …
                Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
        The system has completed “user”’s AutoSSL check.

The system finished checking 1 user.
Emptying Let’s Encrypt’s DCV (Domain Control Validation) cache …
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,399
2,255
363
cPanel Access Level
Root Administrator
Hey there! It seems like there may be an issue with the DNS on that specific machine. Can you try running the following command:

Code:
/usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("domain.com"));'
Just replace "domain.com" with the actual domain you're working with, and see if that returns the correct nameservers for your domain.
 

nunogato

Yes, it does return the right nameservers (outside server)

For the AutoSSL errors that return "does not resolve to any IP addresses on the internet", I know why: these are not configured in the DNS and can be solved easily by just adding them, but then they become "connection refused" issues.

Code:
➜  ~ /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("XXXX.XXXX"));'
$VAR1 = {
          'ns1.linode.com' => '162.159.27.72',
          'ns5.linode.com' => '162.159.24.25',
          'ns4.linode.com' => '162.159.26.99',
          'ns3.linode.com' => '162.159.25.129',
          'ns2.linode.com' => '162.159.24.39'
        };
➜  ~
 

cPRex

Thanks for running that test. It might be best to have our team examine this directly on the system, so could you submit a ticket? Please post the ticket number here so I can follow along and make sure this thread stays updated.
 

cPRex

Thanks for taking care of that. It looks like there is an issue with ea-nginx not listening on IPv6, so the AutoSSL tools are not responding properly with that in use. We recommended that you switch to Apache in order to get this working. If there are still issues after that, please let us know!
 

nunogato

Yes, it seems that the installed ea-nginx does not support IPv6. To fix this, and as the server was not serving webpages on IPv6 due to the nginx issue, I solved this by just removing the IPv6 entries from the DNS.

I think this should be addressed by the WHM/cPanel dev team, as ea-nginx was installed using EasyApache 4 and there's no mention that it does not support IPv6.
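
The condition this thread ends on (port 80 answering on IPv4 while the IPv6 address published in DNS refuses connections) can be checked per address family before running AutoSSL. The following is an added example, not part of any post above and not cPanel code; `probe_port_80` and `families_failing` are hypothetical names, and the check covers only the TCP connect, not the DCV file fetch itself.

```python
import socket

def probe_port_80(host, port=80, timeout=3.0):
    """Try a TCP connect to every A and AAAA address of host, one by one.

    Returns a list of (family, address, status), where status is "open",
    "refused", or "error: <reason>".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("none", host, f"error: does not resolve ({exc})")]
    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        if family not in (socket.AF_INET, socket.AF_INET6) or sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        label = "IPv4" if family == socket.AF_INET else "IPv6"
        try:
            # Connect to this exact address; no fallback to another family,
            # which is what hides the problem in a browser test.
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "open"
        except ConnectionRefusedError:
            status = "refused"
        except OSError as exc:  # timeout, unreachable network, no IPv6 stack
            status = f"error: {exc}"
        results.append((label, sockaddr[0], status))
    return results

def families_failing(results):
    """Address families in which no address accepted the connection."""
    ok = {fam for fam, _addr, status in results if status == "open"}
    return sorted({fam for fam, _addr, _status in results} - ok)

if __name__ == "__main__":
    import sys
    # Hostname comes from the command line; "localhost" is only a default.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results = probe_port_80(host)
    for fam, addr, status in results:
        print(f"{fam:4} {addr:40} {status}")
    print("families with no listener:", families_failing(results) or "none")
```

If `IPv6` shows up in the failing list while `IPv4` is open, either the web server needs an IPv6 listener or the AAAA records should not be published.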