How will DNS based DCV for autoSSL work in v74?
I tried to research and find detailed information about how upcoming DNS based DCV will work for autoSSL, in upcoming cPanel v74.
I couldn't find anything.
Can someone describe how this will work? I'm hoping it means I will simply get a TXT entry to add to DNS (or if DNS is on the local server, cPanel will insert the record directly). All my DNS are over at AWS Route53 or under my customer's external control -- so I would need to be able to get the TXT record and either manually put it into Route53 or write code to do it via API calls.
If the above is true - then is it a 'set and forget' record, or will the TXT entry have to be modified when renewals happen?
I'm really hoping it is 'set once and never worry about touching it again'.
Hello @chuckcintron, In cPanel & WHM version 74, if the HTTP-based DCV method fails, then AutoSSL will automatically run a DNS-based DCV method. As part of the DNS-based DCV method, a DNS record (CNAME record for Comodo, TXT record for Let's Encrypt) is automatically added to the domain name's DNS zone on the cPanel & WHM server. The DNS record in the DNS zone for the domain name is added/removed/modified automatically as needed (Comodo and Let's Encrypt have different requirements for the DNS records). As far as domains that use a remote server for DNS (e.g. a domain registrar, CloudFlare), I'm checking with a Development team member responsible for the feature to see if there's a path to DNS-based DCV succeeding under such a scenario. I'll update this thread once I receive more information. We'll publish documentation with more information on how this new feature works near the time cPanel & WHM version 74 is released to the EDGE release tier. Thank you.
Hello @chuckcintron, To update, while it might be possible to get DNS-based DCV to succeed when a domain's DNS is hosted on a remote server, it would require that you make use of AutoSSL hooks and set up a custom script that automatically pushes the DNS record changes to the remote DNS server immediately after the AutoSSL process starts. Manually adding the records at the remote DNS provider isn't really a viable option at this point because the DCV request will time out if the record isn't propagated within a short window of time after AutoSSL is initiated. You can review the AutoSSL hooks that were included as part of cPanel & WHM version 72 at:
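As an added example (not cPanel's code and not posted by anyone in this thread), here is the kind of script the reply describes for an AutoSSL hook when DNS lives in AWS Route 53, as the original poster's does: it upserts the DCV record into the most specific matching hosted zone and blocks until Route 53 reports the change INSYNC, so the record is live inside the short DCV window. The hook payload format is not described on this page, so the record name, type (CNAME for Comodo, TXT for Let's Encrypt) and value are assumed to arrive as command-line arguments; boto3 is only imported for a real run.

```python
# Added example, not cPanel's code. Assumes the AutoSSL hook hands over the
# record name, type (CNAME for Comodo, TXT for Let's Encrypt) and value as
# CLI arguments; the real hook payload format is not described on this page.
import sys
import time

def list_all_zones(client):
    """Page through every zone; list_hosted_zones_by_name can skip the parent zone."""
    zones, marker = [], None
    while True:
        page = client.list_hosted_zones(**({"Marker": marker} if marker else {}))
        zones.extend(page["HostedZones"])
        if not page.get("IsTruncated"):
            return zones
        marker = page["NextMarker"]

def pick_hosted_zone(zones, fqdn):
    """Most specific zone containing fqdn: sub.example.com records go in their own zone."""
    fqdn = fqdn.rstrip(".") + "."
    hits = [z for z in zones if fqdn == z["Name"] or fqdn.endswith("." + z["Name"])]
    if not hits:
        raise LookupError(f"no hosted zone covers {fqdn}")
    return max(hits, key=lambda z: len(z["Name"]))["Id"]

def build_change_batch(name, rtype, value, ttl=60):
    """UPSERT so a renewal that reuses the name overwrites the old token."""
    if rtype == "TXT":  # Route 53 stores TXT data quoted
        value = '"' + value.replace('"', '\\"') + '"'
    rrset = {"Name": name.rstrip(".") + ".", "Type": rtype, "TTL": ttl,
             "ResourceRecords": [{"Value": value}]}
    return {"Comment": "AutoSSL DCV",
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rrset}]}

def push_dcv_record(client, name, rtype, value, timeout=120, poll=5):
    """Upsert, then block until INSYNC: DCV times out if the record is not live quickly."""
    zone_id = pick_hosted_zone(list_all_zones(client), name)
    resp = client.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=build_change_batch(name, rtype, value))
    change_id = resp["ChangeInfo"]["Id"]
    deadline = time.monotonic() + timeout
    while True:
        if client.get_change(Id=change_id)["ChangeInfo"]["Status"] == "INSYNC":
            return zone_id
        if time.monotonic() >= deadline:
            raise TimeoutError(f"change {change_id} not INSYNC after {timeout}s")
        time.sleep(poll)

if __name__ == "__main__":  # real run: python push_dcv.py NAME TYPE VALUE
    import boto3  # only needed for a real Route 53 call
    print(push_dcv_record(boto3.client("route53"), *sys.argv[1:4]))
```

The IAM identity running the hook only needs route53:ListHostedZones, route53:ChangeResourceRecordSets on the relevant zones and route53:GetChange.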
ok, thanks - understood. So this won't be a viable option for me and I'll have to stick with HTTP validation. Not to sound snarky...but cPanel realizes that many customers run DNS from their registrar or elsewhere, right? It would have been nice if there was a simple "here's your TXT record, go add it to DNS", like other services provide.
DNS validation really just wouldn't be recommended for non-wildcard certificates. If you require wildcard certificates (with Let's Encrypt) you have to use DNS validation. But it is much, much, much slower than HTTP validation even if you control the DNS for the domain. This is because you have to reload the DNS zone and allow for at least a few seconds for the changes to propagate to each DNS server. This is why I don't really understand the fascination with DNS validation and why I don't see the fascination in wildcard certificates. Maybe 1 out of every 100 domain names will have a need for a wildcard certificate, but I can't see it being much more than that. If you are wanting to use DNS for a non-wildcard certificate, my question would be why? If the domain name's web service isn't pointing to a server you control, why do you need a certificate? Generate the certificate from the server handling the web service for that domain name. If there are any outliers to this, I can't imagine they'd be plentiful and for those few, few cases, best to handle those on a case by case basis instead of trying to create a cookie cutter that's used once and then forgotten about.
Running WordPress multisite, with mapped domain names and DNS services from a mix of client-managed via domain registrar and my white-label nameservers sitting on top of AWS (via a combination of Route 53 and S3 buckets).
Not to sound snarky...but cPanel realizes that many customers run DNS from their registrar or elsewhere, right? It would have been nice if there was a simple "here's your TXT record, go add it to DNS", like other services provide.
Hello @chuckcintron, I encourage you to submit a feature request for that added functionality: