This article covers scenarios that lead to AutoSSL returning a 404 (not found) error when completing HTTP DCV.
Example error
Local HTTP DCV error (domain.tld): The system queried for a temporary
file at “http://domain.tld/.well-known/.well-known/pki-validation/C0929066B92E85D215CD309A63D21F36.txt”,
but the web server responded with the following error: 404 (Not Found). A DNS (Domain
Name System) or web server misconfiguration may exist.
Cause: 1:1 NAT with public IP added to the server
One cause of this error, assuming the domain already resolves to the correct account IP address, is that the server is behind NAT and the public IP address has been added to the server as a second interface. The article "Should the public IP for my NAT be on my server?" also explains that a public IP address should not be added to a server that is behind NAT.
If you run the following command and see an internal IP address (see: How do I know if an IP address is internal or public?) mapped to a public IP address, and another line where the same public IP address says "Unable to map," this cause applies to your server.
/usr/local/cpanel/scripts/build_cpnat
Example (in this example, 203.0.113.0 represents the public IP):
# /usr/local/cpanel/scripts/build_cpnat
info [build_cpnat] 172.16.0.0 => 203.0.113.0
warn [build_cpnat] Unable to map 203.0.113.0
Solution
1. Navigate to WHM » IP Functions » Show or Delete Current IP Addresses
2. Click Delete in the row that corresponds to the IP address that says "Not Routable."
3. Click Confirm Delete.
Cause: IPv6 AAAA record, not enabled on account
Another cause of the 404 in AutoSSL with no other apparent explanation is that the domain has an AAAA record, but IPv6 is not enabled on the account. AutoSSL defaults to IPv6 if an AAAA record exists because the AutoSSL providers do the same. If the domain resolves to an IPv6 address and IPv6 isn't enabled on the account, Apache won't know what to do with the domain, so it serves the default virtual host instead of the correct one.
You can check for an AAAA record easily with the host command:
# host domain.tld
domain.tld has address 192.0.2.0
domain.tld has IPv6 address fe80::200:5aee:feaa:20a2
The second address above is an example of an IPv6 address.
Solution
If your server already has the IPv6 address added as the shared IP address, enable IPv6 for the account.
Cause: The domain resolves to a different IP than what it's assigned to on the server
Another cause is if the domain experiencing the AutoSSL DCV 404 error resolves to a different IP than what it's assigned to in the server's httpd.conf.
Solution
Ensure the domain is resolving to the same IP that it's assigned to in the server's httpd.conf. Either the domain's DNS will need to be adjusted so that it resolves to the IP assigned to the domain in the httpd.conf or you will want to change the account's IP address on the server to the IP that the domain resolves to.
You can view details on how to change an account's IP address on the server here:
How-To change an account's IP address
Please note - changing an account's IP address on the server will change the IP for all other domains associated with the account as well.
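The three DNS/NAT causes above (a public IP added to a NAT'd server, an AAAA record without IPv6 enabled on the account, and a domain resolving to an IP other than the one assigned in httpd.conf) can all be spotted by reading the output of `build_cpnat` and `host`. The script below is an added example, not part of this article or of cPanel's own tooling; it parses constructed sample output so the checks can be exercised offline. The function names, the `ipv6_enabled` flag and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: offline checks for the NAT, AAAA and IP-mismatch causes of an
# AutoSSL HTTP DCV 404. Operates on captured command output; the samples below
# are constructed, not taken from a real server.

# Constructed sample of build_cpnat output on a server that has its public IP
# added as a local interface (the NAT cause described above).
SAMPLE_CPNAT='info [build_cpnat] 172.16.0.0 => 203.0.113.0
warn [build_cpnat] Unable to map 203.0.113.0'

# Constructed sample of `host domain.tld` output with both A and AAAA records.
SAMPLE_HOST='domain.tld has address 192.0.2.0
domain.tld has IPv6 address 2001:db8::1'

# Print every public IP that build_cpnat both mapped an internal address to
# AND reported as "Unable to map": that combination means the public IP is
# configured on the server itself and should be removed in WHM.
cpnat_unroutable_ips() {
    printf '%s\n' "$1" | awk '
        /=> /            { mapped[$NF] = 1 }
        /Unable to map/  { unmapped[$NF] = 1 }
        END { for (ip in unmapped) if (ip in mapped) print ip }'
}

# Print the IPv4 address(es) from host(1) output, one per line.
host_a_records() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF }'
}

# Print the IPv6 address(es) from host(1) output, one per line.
host_aaaa_records() {
    printf '%s\n' "$1" | awk '/ has IPv6 address / { print $NF }'
}

# diagnose HOST_OUTPUT ASSIGNED_IPV4 IPV6_ENABLED(yes|no)
# ASSIGNED_IPV4 is the IP the domain is assigned to in httpd.conf (assumed to
# be supplied by the operator). Prints one line per likely cause, or "ok".
diagnose() {
    host_out=$1; assigned=$2; ipv6_enabled=$3
    found=0
    a=$(host_a_records "$host_out")
    # Any A record that differs from the assigned IP means Apache will serve
    # the request from a different virtual host than the one DCV expects.
    if [ -n "$a" ] && [ "$a" != "$assigned" ]; then
        echo "ip-mismatch: domain resolves to $a but account is assigned $assigned"
        found=1
    fi
    # An AAAA record with IPv6 disabled on the account sends the validator to
    # the default virtual host, producing the 404.
    if [ -n "$(host_aaaa_records "$host_out")" ] && [ "$ipv6_enabled" != yes ]; then
        echo "aaaa-without-ipv6: AAAA record present but IPv6 not enabled on the account"
        found=1
    fi
    [ "$found" -eq 1 ] || echo ok
}

# Stand-alone run against the constructed samples.
echo "NAT check:  $(cpnat_unroutable_ips "$SAMPLE_CPNAT")"
echo "Diagnosis:  $(diagnose "$SAMPLE_HOST" 192.0.2.0 no)"
```

On a live server, replace the constructed samples with real output, for example `diagnose "$(host domain.tld)" "$assigned_ip" no` and `cpnat_unroutable_ips "$(/usr/local/cpanel/scripts/build_cpnat 2>&1)"` (both streams are captured because the warn line may go to stderr). A domain with several A records will be reported as a mismatch unless every one of them equals the assigned IP, which is the conservative behaviour for a DCV check.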
Cause: Custom .htaccess directives
Another cause is if you have custom directives within an .htaccess file. There are a number of different custom directives that might be responsible, so it's best to temporarily disable the .htaccess file and run AutoSSL again after doing so.
Solution
Temporarily disable the .htaccess file by renaming it:
# mv -v /path/to/.htaccess{,.BAK}
Run AutoSSL again, wait for AutoSSL to install the SSL (if it's able to order one now without issue), and then re-enable the .htaccess by renaming it back:
# mv -v /path/to/.htaccess.BAK /path/to/.htaccess