Reset HTTP DCV

Comments

10 comments

  • Anupam SG
    Is the DNS zone correctly pointed to the server IP? If you are using a CDN (like CloudFlare), then AutoSSL will not be able to request an SSL. Also, what does the AutoSSL log say?
    0
  • cleverit
    Is the DNS zone correctly pointed to the server IP? If you are using a CDN (like CloudFlare), then AutoSSL will not be able to request an SSL. Also, what does the AutoSSL log say?

    No. DNS is externally hosted by DNSMadeEasy. The main domain points to the IP assigned by the server, but there is no local DNS zone. The logs show DNS DCV being attempted and failing. HTTP DCV isn't even attempted and I don't know why.
    0
  • Anupam SG
    Please post the contents of your .htaccess file and the AutoSSL logfile.
    0
  • cPanelLauren
    The main domain points to the IP assigned by the server, but there is no local DNS zone

    This could be the cause of the issue because of the way DCV is performed. If the DNS zone file is created locally and the query is run again, does the issue persist? Thanks!
    0
  • Anupam SG
    This could be the cause of the issue because of the way DCV is performed. If the DNS zone file is created locally and the query is run again, does the issue persist? Thanks!

    I doubt that could be causing the problem. Saying this because I have a server on which AutoSSL runs as it is supposed to, even though BIND DNS is not configured on it, and DNS zones for all 3 sites on this server are located elsewhere (Google Cloud DNS & GoDaddy). DNS was always remotely located, i.e. first the server instance was created, then DNS was pointed to it, and then afterwards things like CMS, SSL were put on it. Which is why a look at the logs might be helpful.
    0
  • cPanelLauren
    Domains that use remote DNS shouldn't have an issue with DCV; the https redirect may have, but if this is no longer in place it shouldn't be affecting the DCV checks.
    Saying this because I have a server on which AutoSSL runs as it is supposed to, even though BIND DNS is not configured on it, and DNS zones for all 3 sites on this server are located elsewhere (Google Cloud DNS & GoDaddy).

    I'd wager though that the DNS zone files are still created in /var/named/
    Which is why a look at the logs might be helpful.

    This is always the best route and hopefully, this user responds with some further information :)
    0
  • carrots
    Hello, I accidentally deleted the DCV record for one of my domains from cPanel DNS Editor which is on a local DNS.
    • I pressed the "run AutoSSL" button thinking that it would generate a new DCV record, but it did not, although there were no error messages.
    • Then I copied and pasted the DCV record from an old spreadsheet from 1 month ago when the domain was first added to cPanel. I ran AutoSSL again but there was also no new DCV record and no error message.
    • Then I remembered that Jetbackup has a copy of the DNS zone from yesterday, which had a different DCV record, and I copied and pasted this one into DNS Editor, replacing the previous edit. I ran AutoSSL again but nothing different happened.
    1) So can I conclude that the DCV record only changes upon renewal of the SSL certificate, and is not actually used for any checks unless HTTP based validation isn't available, and the accidental delete and restore has no effect?

    I have several addon domains in the same cPanel account, and I noticed that several of them have identical DCV records, while some have unique DCV records.

    2) I assume that the domains that have identical DCV records had run AutoSSL and resolved at the same time?

    For one of these recently added domains, I switched to a remote DNS, and copied the original DCV record from the DNS Editor/local DNS to the remote DNS, and htaccess rewrites http to https.

    3) But as mentioned in this thread, the DCV record changes upon renewal of the SSL certificate, so will that domain with the remote DNS have problems at the next renewal, since the htaccess rewrites http to https?

    Thanks
    0
  • cPRex Jurassic Moderator
    1) So can I conclude that the DCV record only changes upon renewal of the SSL certificate, and is not actually used for any checks unless HTTP based validation isn't available, and the accidental delete and restore has no effect?

    That's correct - the records are one-time use, with a new one generated for each AutoSSL request. There is no reason you need to keep these DNS records in place.
    2) I assume that the domains that have identical DCV records had run AutoSSL and resolved at the same time?

    I'm not sure I've seen identical DCV records before.
    3) But as mentioned in this thread, the DCV record changes upon renewal of the SSL certificate, so will that domain with the remote DNS have problems at the next renewal, since the htaccess rewrites http to https?

    The DCV wouldn't be an issue, but the https redirection could be a problem if it is using an HTTP request. If using a DNS DCV check, that would not matter.
    0
  • carrots
    I'm not sure I've seen identical DCV records before.

    All of the domains with identical DCV records seem to have the same SSL certificate. I added the domains to cPanel before the external DNS was pointing to the host server. After I updated the A record or the name server, I pressed run AutoSSL and I guess all of the new domains were included in the single certificate.
    The DCV wouldn't be an issue, but the https redirection could be a problem if it is using an HTTP request. If using a DNS DCV check, that would not matter.

    Will I receive an error notice upon renewal attempt several days before expiry if the https rewrite causes problems? So that I will have enough time to deal with it before the certificate actually expires?
    0
  • cPRex Jurassic Moderator
    Ah, yes, if the domains are all on the same certificate that would make sense. The AutoSSL tools start running 15 days in advance of the expiring certificate, so you'll have plenty of time to take action.
    0
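
Added example (not part of the thread and not cPanel's code): a check for the concern raised above that an .htaccess http-to-https rewrite can get in the way of an HTTP-based DCV request. The two `/.well-known/` sample paths are assumed validation locations that the thread does not name, the .htaccess snippets are constructed, and `RewriteCond` lines are treated as ANDed (no `[OR]` handling).

```python
import re

# Assumed HTTP DCV locations (constructed sample paths; the thread names none).
DCV_SAMPLES = (
    "/.well-known/acme-challenge/constructed-token_123",
    "/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt",
)

def parse_rule_blocks(htaccess_text):
    """Pair each RewriteRule with the RewriteCond lines directly above it."""
    blocks, conds = [], []
    for raw in htaccess_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append(parts[1:])
        elif directive == "rewriterule":
            blocks.append((conds, parts[1:]))
            conds = []
    return blocks

def redirected_dcv_paths(htaccess_text):
    """Return the sample DCV paths that an http->https rule would redirect."""
    hits = []
    for conds, rule in parse_rule_blocks(htaccess_text):
        if len(rule) < 2 or not rule[1].lower().startswith("https://"):
            continue  # not a redirect to https
        for path in DCV_SAMPLES:
            # In .htaccess the rule pattern sees the path without its leading slash.
            if not re.search(rule[0], path.lstrip("/")):
                continue
            exempt = any(
                len(c) >= 2 and c[0].upper() == "%{REQUEST_URI}"
                and c[1].startswith("!") and re.search(c[1][1:], path)
                for c in conds
            )
            if not exempt and path not in hits:
                hits.append(path)
    return hits

# Constructed samples: a blanket redirect, then one that exempts the DCV paths.
WEAK = r"""RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]"""
HARDENED = r"""RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]"""
```

An empty result means every sample validation path is served over plain HTTP without being redirected; any path returned is one to exempt before the renewal window opens.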
