Symptoms
After running the /usr/local/cpanel/bin/checkallsslcerts script via SSH, you may see errors similar to the following:
FAILED: Cpanel::Exception/(XID bj6m2k) The system queried for a temporary file at “http://hostname.domain.tld/.well-known/pki-validation/B65E7F11E8FBB1F598817B68746BCDDC.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
Description
This issue happens when the shared IP address does not match the main IP address. The main IP address is determined by the default routed IP of the server. Therefore it is generally easier to change the shared IP to match the main IP. You can check to see what the main IP address is with the following command:
cat /var/cpanel/mainip
You can check to see what the shared IP is with the following command:
grep ADDR /etc/wwwacct.conf
If the IPs in those two commands do not match, you will not be able to obtain a free hostname certificate.
This has been determined to be the intended behavior, but we currently have an internal improvement request open with our development team to change this behavior: CPANEL-39643
Workaround
In order to resolve this issue, you must ensure that the following things are true:
- The main IP and shared IP are the same
- The A record for the server's hostname is pointed to the main/shared IP.
If you need to change the shared IP address of the server, you can do so with the following steps:
- Log in to WHM as the 'root' user
- Navigate to "Home » Server Configuration » Basic WebHost Manager® Setup"
- Update the value of "The IPv4 address (only one address) to use to set up shared IPv4 virtual hosts" to match the main IP address.
- Click "Save Changes" at the bottom of the page
- Access the server with a root terminal via SSH or using Terminal in WHM and execute the following:
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd --hard
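To confirm both conditions from the Workaround section before re-running checkallsslcerts, the two file checks and the A record lookup can be combined into one script. This is an added example, not a cPanel-provided tool: the function names are hypothetical, and it assumes `dig` is installed and the server is not behind NAT.

```shell
#!/bin/sh
# Added example (not a cPanel script): compare main IP, shared IP and the
# hostname's A record. All function names are hypothetical.

# Print the main IP, stripped of whitespace. Default path is from the article.
main_ip() {
    tr -d ' \t\r\n' < "${1:-/var/cpanel/mainip}"
}

# Print the shared IPv4 address. Matching the key exactly skips the ADDR6
# line that a plain "grep ADDR" would also return.
shared_ip() {
    awk '$1 == "ADDR" { print $2; exit }' "${1:-/etc/wwwacct.conf}"
}

# check_dcv_ips MAIN SHARED A_RECORD
# Returns 0 when all three match, 1 on any mismatch, 2 if MAIN is empty.
check_dcv_ips() {
    rc=0
    [ -n "$1" ] || { echo "ERROR: main IP is empty"; return 2; }
    if [ "$1" != "$2" ]; then
        echo "MISMATCH: shared IP '$2' != main IP '$1'"
        rc=1
    fi
    if [ "$1" != "$3" ]; then
        echo "MISMATCH: hostname A record '$3' != main IP '$1'"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: main IP, shared IP and A record are all $1"
    return "$rc"
}

# Live check on the server itself. Assumption: dig is available and the
# first answer for the hostname is the A record of interest.
dcv_ip_preflight() {
    host=$(hostname -f)
    a_record=$(dig +short A "$host" | head -n 1)
    check_dcv_ips "$(main_ip)" "$(shared_ip)" "$a_record"
}

# Run the live check only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    dcv_ip_preflight
fi
```

Run it as root with `--live`; any MISMATCH line identifies which of the two Workaround conditions is not yet met.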