If DNSSEC is enabled, but cannot be verified, AutoSSL will still attempt to get a certificate, but the certificate authority will not be able to verify the domain, resulting in the certificate issuance getting stuck in a "pending" state. This can cause the entire AutoSSL process to get stuck under certain circumstances.
This occurs when DNSSEC is not set up properly on a domain. (How do I know if DNSSEC is enabled on a domain?) Some reasons that DNSSEC might be activated but not properly set up are:
- The domain is being moved between servers
- The user has activated DNSSEC through cPanel but not yet copied the proper items into the account at the registrar.
- The user has activated DNSSEC at the registrar, but not yet set it up on the cPanel account.
If you would like to support handling DNSSEC in AutoSSL, please upvote and comment on this feature request for tracking purposes.
Ensure that DNSSEC is working on all domains that require it and re-run AutoSSL. If this does not work, you may need to wait a few days for the pending certificate to expire, or move aside the AutoSSL pending database.
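
One way to tell the half-configured states listed above apart before re-running AutoSSL, as an added example that is not cPanel tooling: compare the DS records published through the registrar with the DNSKEY records served by the zone, using the RFC 4034 key tag. The function names, status strings and sample records are constructed for illustration; the inputs are assumed to be the text output of `dig +short DS <domain>` and `dig +short DNSKEY <domain>`.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8   # even offsets are the high byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_tags(text):
    """Key tags of every record in `dig +short DNSKEY` output."""
    tags = set()
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 4:                 # flags, protocol, algorithm, key (may be split)
            tags.add(key_tag(int(f[0]), int(f[1]), int(f[2]), "".join(f[3:])))
    return tags

def ds_tags(text):
    """Key tags (first field) of every record in `dig +short DS` output."""
    return {int(l.split()[0]) for l in text.strip().splitlines() if l.split()}

def classify(ds_text, dnskey_text):
    """Map the DS/DNSKEY combination to one of the states described above.

    A key tag match only shows that the two sides refer to the same key; it
    does not check the DS digest or validate any RRSIG.
    """
    ds, keys = ds_tags(ds_text), dnskey_tags(dnskey_text)
    if not ds and not keys:
        return "unsigned"
    if ds and not keys:
        return "ds_at_registrar_zone_unsigned"    # activated at registrar only
    if keys and not ds:
        return "zone_signed_no_ds_at_registrar"   # activated in cPanel only
    if ds & keys:
        return "ds_matches_dnskey"
    return "ds_does_not_match_any_dnskey"         # e.g. stale DS after a server move

# Constructed sample records (shortened keys and digests, not real data).
SAMPLE_DNSKEY = "257 3 13 AAAA\n256 3 13 AQID"
SAMPLE_DS_OK = "1038 13 2 00FF"
SAMPLE_DS_STALE = "4242 13 2 00FF"

if __name__ == "__main__":
    for ds in ("", SAMPLE_DS_OK, SAMPLE_DS_STALE):
        print(repr(ds), "->", classify(ds, SAMPLE_DNSKEY))
```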