Skip to main content

Potential reduced AutoSSL coverage

PPNSteve
AutoSSL would normally renew this certificate now, but 9 of the website"s secured domains just failed DCV. To provide you with more time to resolve these problems, AutoSSL will defer the renewal until Nov 17, 2018 at 1:35:24 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. example error messages: www.[REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC) DNS DCV: The DNS query to "_cpanel-dcv-test-record.[REDACTED].org" for the DCV challenge returned no "TXT" record that matches the value "_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]".; HTTP DCV: "www.[REDACTED].org" does not resolve to any IPv4 addresses on the internet. mail.[REDACTED].net (checked on Nov 15, 2018 at 4:46:36 AM UTC) DNS DCV: The DNS query to "_cpanel-dcv-test-record.[REDACTED].net" for the DCV challenge returned no "TXT" record that matches the value "_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]".; HTTP DCV: "mail.[REDACTED].net" does not resolve to any IPv4 addresses on the internet. [REDACTED].org (checked on Nov 15, 2018 at 4:46:36 AM UTC) DNS DCV: The DNS query to "_cpanel-dcv-test-record.[REDACTED].org" for the DCV challenge returned no "TXT" record that matches the value "_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]".; HTTP DCV: "[REDACTED].org" does not resolve to any IPv4 addresses on the internet.
and so on for the .com, .net, and .org of this parked (alias) domain.. WHM v76.0.7

Comments

7 comments

Date Votes
  • cPanelLauren
    Hi @PPNSteve The issue here is that both the HTTP DCV and DNS DCV checks are failing. HTTP DCV: "www.[REDACTED].org" does not resolve to any IPv4 addresses on the internet. DNS DCV: The DNS query to "_cpanel-dcv-test-record.[REDACTED].org" for the DCV challenge returned no "TXT" record that matches the value "_cpanel-dcv-test-record=[REDACTED][REDACTED][REDACTED][REDACTED]". To allow you time to resolve this issue cPanel is deferring the renewal of the domain that DID pass the DCV until Nov 17, 2018 so potentially you can get all the domains secured. If you don't want these domains secured or attempted to be secured you can exclude them from the autossl check through cPanel. Thanks!
    0
  • PPNSteve
    Yes, I see that you understand what is happening.. now how do I fix it? Be aware these are domains that have been on the system for quite a while now and have previously been (and are currently) secured via AutoSSL
    0
  • cPanelLauren
    Well, first of all, you'll need to identify why the DNS and HTTP DCV checks are failing. HTTP DCV is the primary method the DNS DCV is just a fallback. Typically what I do, to get an idea of what is going wrong is to run a curl request against the failing domain: curl -kvv domain.tld
    The output of this typically tells me the issue right away - you can even run the request against the full path if you place a text file in the user's .well-known/pki-validation/ (comodo) or .well-known/acme-challenge (Let's Encrypt) directory
    0
  • PPNSteve
    Ok I get html or a test txt message I placed in the suggested full path folder when checking via curl. root@svr4 [~]# curl -kvv [REDACTED].com/.well-known/pki-validation/test.txt * About to connect() to [REDACTED].com port 80 (#0) * Trying 2607:[REDACTED]::2... connected * Connected to [REDACTED].com (2607:[REDACTED]::2) port 80 (#0) > GET /.well-known/pki-validation/test.txt HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: [REDACTED].com > Accept: */* > < HTTP/1.1 200 OK < Date: Fri, 16 Nov 2018 00:19:02 GMT < Server: Apache < Last-Modified: Fri, 16 Nov 2018 00:17:51 GMT < Accept-Ranges: bytes < Content-Length: 78 < Content-Type: text/plain < * Connection #0 to host [REDACTED].com left intact * Closing connection #0 NOTE: this is a test file used for curl testing.. see, it works properly here. root@svr4 [~]#
    so the dns / http request IS working correctly but the AutoSSL DCV isn't seeing / processing this one domain group.
    0
  • cPanelMichael
    Hello @PPNSteve, We'd like to take a closer look at your system to verify there's not an issue with the AutoSSL feature stemming from recent changes in cPanel & WHM version 76. Could you open a
    0
  • PPNSteve
    OK Thanks.. Your Support Request ID is: 10742907
    0
  • cPAusaf
    Issue looks to have been related to DNS and is resolved now.
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post