Symptoms
AutoSSL orders are stuck in a "pending" status on cPanel versions previous to v100 after recent changes to HTTP DCV.
Any version prior to 94.0.19, 98.0.13, 100.0.4, 102.0.0 may be affected.
Description
Some AutoSSL orders are stuck in pending status due to recent validation changes.
Previously if a primary domain passed DCV (Domain Control Validation) checks, then subdomains of that domain were assumed to be verified as well. This is no longer the case and all subdomains on the domain must properly resolve to the server for Sectigo to issue a certificate. Older versions of cPanel and AutoSSL assumed the old behavior and would automatically add subdomains to the certificate request such as mail and www even if they did not resolve to the system. This causes the certificate request to never complete as the subdomains do not validate. Information about these changes can be found here:
Modifications to Available File-Based Methods of Domain Control Validation
We've opened an internal case for our development team to investigate this further. For reference, the case number is COBRA-13435. Follow this article to receive an email notification when a solution is published in the product.
Workaround
COBRA-13435 has been resolved in cPanel v100, and updates are now available in cPanel versions 94.0.19, 98.0.13, 100.0.4, 102.0.0. This article will help to proceed with updating cPanel:
If the installed version of cPanel is past "end of life" it will not receive the updates for this issue. It will be necessary to update cPanel to a supported version to receive the update.
What does EOL mean regarding cPanel/WHM?
If the server is on a non-supported version the only method to ensure certificates are issued is by excluding any domain that is unable to pass DCV checks. We have instructions on how to do this here: