When AutoSSL runs, it performs a few checks that need to pass before a certificate can be issued successfully.
Often these failures can be attributed to DNS checks that do not validate, or that return similar failures, when lookups are performed against the domains.
Many of our users are accustomed to using standard tools such as "dig" when performing DNS lookups to attempt to diagnose issues reported by AutoSSL.
However, sometimes dig does not detect the same failures that AutoSSL does. This is due in part to the fact that AutoSSL performs DNS lookups using the Unbound library.
To perform these lookups in the same way, you can use the following cPanel-provided script, which also performs its lookups using Unbound:
$ /scripts/cpdig
Usage: cpdig <domain name> <type> [--verbose]
If this script returns an empty response, or if you are using the "--verbose" flag and the output does not include the results of the record, then there is an issue that will prevent AutoSSL from issuing the certificate.
In this example, we are trying to perform a dig on domain.tld. As shown with the "--verbose" flag, "/scripts/cpdig" returns a list of failures it has encountered.
(Note: the output has been truncated for visibility)
[root@the ~]$ /scripts/cpdig domain.tld A --verbose
[1590223145] libunbound[26100:0] notice: sendto failed: Operation not permitted
[1590223145] libunbound[26100:0] notice: remote address is 192.0.2.0 port 53
[1590223145] libunbound[26100:0] info: error sending query to auth server 192.0.2.0 port 53
[1590223145] libunbound[26100:0] notice: sendto failed: Operation not permitted
[1590223145] libunbound[26100:0] notice: remote address is 203.0.113.0 port 53
[1590223145] libunbound[26100:0] info: error sending query to auth server 203.0.113.0 port 53
[1590223145] libunbound[26100:0] notice: sendto failed: Operation not permitted
[1590223145] libunbound[26100:0] notice: sendto failed: Operation not permitted
Using the list of failures found, we can see that port 53 is unreachable. In this case, the test server had UDP traffic over port 53 filtered. Once we remove the filtering by adjusting our firewall appropriately, we can see the output return successfully.
[root@the ~]$ /scripts/cpdig domain.tld A --verbose
[1590237931] libunbound[21246:0] info: response for google.com. A IN
[1590237931] libunbound[21246:0] info: reply from <google.com.> 203.0.113.0#53
[1590237931] libunbound[21246:0] info: query response was ANSWER
[1590237931] libunbound[21246:0] info: response for google.com. A IN
[1590237931] libunbound[21246:0] info: reply from <google.com.> 203.0.113.0#53
[1590237931] libunbound[21246:0] info: query response was ANSWER
192.0.2.0
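The triage described above can be scripted. The following is an added example, not part of cPanel's tooling or the original article: a shell function that reads "cpdig --verbose" output on stdin and reports whether a record was returned or whether libunbound's sends were rejected, listing each auth server affected. The function name and status strings are hypothetical, and the sample input is constructed from the two runs shown above.

```shell
#!/bin/sh
# Added example: summarise `/scripts/cpdig <domain> <type> --verbose` output on stdin.
# Assumes libunbound log lines start with "[<epoch>]" and record data does not,
# as in the output shown on this page.
classify_cpdig() {
    awk '
        /sendto failed: Operation not permitted/ { blocked = 1 }
        /error sending query to auth server/ {
            # "... auth server <ip> port <port>": collect each distinct target once
            for (i = 1; i < NF; i++)
                if ($i == "server") {
                    key = $(i + 1) ":" $(i + 3)
                    if (!(key in seen)) {
                        seen[key] = 1
                        list = (list == "" ? key : list "," key)
                    }
                }
        }
        # Anything that is not a libunbound log line is returned record data
        !/^\[/ && NF { rec = (rec == "" ? $0 : rec " " $0) }
        END {
            if (rec != "")    print "OK " rec
            else if (blocked) print "SEND_BLOCKED " list
            else              print "NO_RECORD"
        }
    '
}

# Constructed sample input, copied from the two runs shown above.
sample_blocked() {
    cat <<'EOF'
[1590223145] libunbound[26100:0] notice: sendto failed: Operation not permitted
[1590223145] libunbound[26100:0] notice: remote address is 192.0.2.0 port 53
[1590223145] libunbound[26100:0] info: error sending query to auth server 192.0.2.0 port 53
[1590223145] libunbound[26100:0] notice: sendto failed: Operation not permitted
[1590223145] libunbound[26100:0] notice: remote address is 203.0.113.0 port 53
[1590223145] libunbound[26100:0] info: error sending query to auth server 203.0.113.0 port 53
EOF
}
sample_ok() {
    cat <<'EOF'
[1590237931] libunbound[21246:0] info: reply from <google.com.> 203.0.113.0#53
[1590237931] libunbound[21246:0] info: query response was ANSWER
192.0.2.0
EOF
}

sample_blocked | classify_cpdig   # SEND_BLOCKED 192.0.2.0:53,203.0.113.0:53
sample_ok | classify_cpdig        # OK 192.0.2.0
```

On a server, pipe the real output in with "/scripts/cpdig domain.tld A --verbose 2>&1 | classify_cpdig"; the "2>&1" is included in case the log lines are written to stderr.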