Symptoms
When attempting to install or renew an AutoSSL certificate, cPanel fails to validate the service subdomains because the validation file is not found. The request for the validation file returns a 404 error:
DNS DCV: No local authority: "webmail.domain.tld"; HTTP DCV: The system queried for a temporary file at "http://webmail.domain.tld/.well-known/pki-validation/XXXXXXXXXXXX.txt", but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
Description
Before cPanel requests a new SSL certificate, it performs specific validations to ensure the server controls the domain that the certificate is requested for. Part of this process checks for a validation file in a specific path. On an account with a dedicated IP address, the DNS must resolve to the proper IP for these checks to complete. In some other cases, having a wildcard subdomain defined (*.domain.tld) may prevent the server from finding the validation files in the proper place.
Workaround
Check the DNS IP
The dig command can be used to verify the domain's A record:
# dig +short A domain.tld
128.0.0.1
You can confirm this result against the IP address listed within the domain's cPanel account. If your DNS records are managed on your cPanel server, dig should always match your configured IP address. If your records are managed at your registrar or another DNS host like Cloudflare, then you will need to update the A record there to match the IP on your WHM server. We have the following articles with links to common DNS providers. You may need to consult your DNS provider directly for more detailed assistance if required:
How can I edit my Cloudflare-managed DNS?
How can I edit Azure-managed DNS records?
How do I create a DNS record at AWS?
Once the record has been updated to reflect the appropriate IP, you can manually rerun the AutoSSL process for the user. After a short propagation time for the DNS record to update globally, the order should validate:
How to manually renew AutoSSL certificates for one user
Check for a Wildcard Subdomain
Some websites use wildcard subdomains as part of their content management. You can temporarily remove the wildcard subdomain to allow the service subdomains to validate properly:
- Access the account cPanel either through direct login or WHM
- Navigate to "Domains / Domains"
- On the wildcard subdomain, under "Actions," click "Manage"
- Click "Remove Domain"
- Run the AutoSSL check manually with the instructions here:
How to manually renew AutoSSL certificates for one user
- The validation should complete and confirm the AutoSSL order has been issued
- Re-create the wildcard subdomain if necessary:
How to create wildcard subdomains
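Both checks above (the A record comparison and the wildcard subdomain) can be run together before retrying AutoSSL. The script below is an added example, not part of the original article or a cPanel tool. The list of service subdomains beyond webmail, the function names, and the sample IP in the usage comment are assumptions.

```bash
#!/bin/sh
# Added example: pre-check the DNS conditions that HTTP DCV depends on.
# Usage (constructed values): ./dcv_precheck.sh domain.tld 203.0.113.10

# Classify `dig +short A` output against the IP the account should use.
# $1 = expected IP, $2 = newline-separated dig output. Prints OK, MISMATCH or NO_RECORD.
a_record_status() {
    local expected="$1" answers="$2" ip seen=0
    while IFS= read -r ip; do
        # Skip blank lines, CNAME targets (trailing dot) and dig ";;" diagnostics.
        case "$ip" in ''|*.|\;*) continue ;; esac
        seen=1
        if [ "$ip" != "$expected" ]; then echo "MISMATCH"; return 0; fi
    done <<EOF
$answers
EOF
    if [ "$seen" -eq 1 ]; then echo "OK"; else echo "NO_RECORD"; fi
}

# Resolve the domain and its service subdomains, then probe for a wildcard record.
dcv_precheck() {
    local domain="$1" expected="$2" host status probe rc=0
    # Assumed service subdomain list; the article itself only names webmail.
    for host in "$domain" "webmail.$domain" "cpanel.$domain" "webdisk.$domain"; do
        status=$(a_record_status "$expected" "$(dig +short A "$host")")
        printf '%-32s %s\n' "$host" "$status"
        [ "$status" = "OK" ] || rc=1
    done
    # A label that nobody created should not resolve. If it does, a wildcard
    # record answers for it, so check cPanel for a wildcard subdomain.
    probe="dcv-probe-$$-$(date +%s).$domain"
    if [ -n "$(dig +short A "$probe")" ]; then
        echo "NOTE: $probe resolves; a wildcard DNS record exists for $domain"
    fi
    return "$rc"
}

# Only touch the network when a domain and expected IP are supplied.
if [ "$#" -ge 2 ]; then
    dcv_precheck "$1" "$2"
fi
```

A MISMATCH or NO_RECORD line points to the DNS fix described under "Check the DNS IP"; the NOTE line points to the steps under "Check for a Wildcard Subdomain".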