Symptoms
When the system tries to reissue an AutoSSL certificate and you receive a timeout error, such as the following:
CONFIG_TEXT: DNS query error (www.example.com/CAA): (XID 48mf5h) DNS request timeout: www.domain.com/CAA
CA authorized: “www.example.com”
DNS query error (mail.example.com/CAA): (XID ux6mxs) DNS request timeout: mail.domain.com/CAA
CA authorized: “mail.example.com”
DNS query error (cpanel.example.com/CAA): (XID zkfe6d) DNS request timeout: cpanel.example.com/CAA
CA authorized: “cpanel.example.com”
AutoSSL cannot increase “domain”’s SSL coverage.
Cause
There are a variety of reasons that this could occur, including:
- Outbound DNS Requests being blocked at the firewall
- Incorrect DNS settings on the domain
- Invalid Nameservers
- Network connectivity issues between server and remote nameservers
Resolution
In order to determine the cause, further review will need to be performed.
The first thing to check is the connection from your server to the root nameservers. If this connection can't be made, the AutoSSL check will fail. This can be tested with the following:
- Login as root via SSH or using the Terminal in WHM.
Run the following command:
# for i in {a..m}; do echo -n "$i: "; dig +short $i.root-servers.net @$i.root-servers.net; done
Note: If you receive any errors when making these queries to the root nameservers, further review in the server's network and firewall should be performed by the System Administrator.
AutoSSL performs a DNS lookup by querying the root nameservers up to the authoritative nameservers to get the actual data. As such, performing a trace on a DNS query may provide where the DNS request is failing.
- Login as root via SSH or using the Terminal in WHM.
Run the following command:
# dig -4 +trace domain.tld
Note: Replace
domain.tldwith the domain name you want to check.- Analyze the results of this command. It will provide each step it took to receive the domain's DNS information, and possibly where it failed.
Comments
0 comments
Article is closed for comments.