Symptoms
You will receive a notification like the following.
domain.tld: AutoSSL would normally renew this certificate now, but X of the website’s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Dec 20, 2021 at 12:00:00 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 6 days, 21 hours, 13 minutes, and 51 seconds.
You will also see errors like the following in the AutoSSL log.
2:44:27 AM Analyzing “domain.tld”’s DCV results …
2:44:27 AM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.
Description
This notification is sent because one or more secured domains no longer pass DCV checks. This failure to pass DCV checks can occur due to changes in where the domain's DNS is hosted or changes in where the secured domains resolve.
There was also a change in how HTTP DCV checks are handled at Sectigo. Previously subdomains could be validated via the main domain. Now all subdomains must validate individually. Due to this, some currently secured domains may never have been validated on their own previously.
Workaround
To resolve this immediately, you can ensure that all domains you wish to secure resolve to the server or have their DNS managed by the server. Any domains you do not wish to secure can be excluded as described below.
If the domains failing DCV are not corrected or excluded, a new SSL certificate will be automatically issued that excludes all DCV failing domains.