
[CPANEL-26207] AutoSSL - Domains not passing validation

Comments

18 comments

  • cPanelLauren
    Hi @adeyjones Did they by chance provide you with a case number for this issue? Any ongoing issue that is being looked into should have an internal case ID associated with it.
    0
  • adeyjones
    Hi Lauren I have asked my host support who spoke to them on my behalf and they have come back with ticket ID 11986627 - not sure if you can access that to see what was discussed? Adrian
    0
  • adeyjones
    Hi @cPanelLauren Just wondering if there is an update to this please. Many thanks for your help. Adrian
    0
  • cPanelLauren
    Hi @adeyjones Thanks for providing the ticket ID. This issue is indeed associated with an ongoing internal case we have CPANEL-26207 - this case has been resolved in v 78.0.22 of cPanel/WHM which isn't available just yet, though it should be soon. I'll update this thread when it is. Thanks!
    0
  • adeyjones
    Hi @cPanelLauren Thanks for letting me know, is there anywhere that I can see the details of 26207, or release notes etc. and see an estimated release date for the update? I have about 15 sites at the mo which are without their SSL, I have been speaking with Sectigo (Comodo) who have not been very helpful with trying to get domains passed validation and my only other option is to buy an SSL for each site which would be expensive and there's no point in doing that if the update is imminent. Adrian
    0
  • cPanelLauren
    We don't release internal details for cases, when they are published the case ID will be added to our changelogs. You can check them here: Change Logs - Change Logs - cPanel Documentation
    0
  • adeyjones
    Hi @cPanelLauren I am just wondering if anything has changed in the last 24 hours, because I notice that v28.0.22 is not yet out and I am still on v28.0.21 but I put a new website live this morning and the .nhs.uk domain has somehow passed validation and is fully certified. That said, looking down the list of domains via "Manage SSL hosts" none of the others that I have been having problems with have changed and still have red padlocks, so I have run AutoSSL for that account and they have still all failed validation, there is no difference in the config or DNS between the one that has passed and all the .nhs.uk domains that have failed, so I can't explain why this one has passed? Adrian
    0
  • cPanelLauren
    Hi @adeyjones As far as I can tell after looking through the associated cases nothing in respect to this has changed. For the domains that are continuing to fail are you receiving an error in the AutoSSL logs that they're not registered? Thanks!
    0
  • adeyjones
    @cPanelLauren Yes they're still getting the usual "not a registered internet domain" message but strangely this one passed. I may be putting another .nhs.uk site live in the morning, client permitting, so I'll see what happens with that one. Looking forward to the update though.
    0
  • Gleb
    any update on cPanel v78.0.22
    0
  • cPanelLauren
    We will update this thread when 78.0.22 is released but in the meantime, this will be included in our changelogs and if you'd like to follow our changelogs you can do so here: 78 Change Log - Change Logs - cPanel Documentation
    0
  • adeyjones
    Hi @cPanelLauren As above, I put 2 new .nhs.uk domain websites live over the weekend and they have been assigned an SSL via AutoSSL which is very strange, especially because I have run AutoSSL again to see if the other .nhs.uk domains (which previously said not registered internet domains) would be assigned one, and only one out of several has been picked up (although this is one that is due to expire soon, not one that has already expired).
    0
  • cPanelLauren
    Hi @adeyjones The problem is inconsistent we've found and it's related specifically to
    0
  • cPanelLauren
    Hello We released 78.0.23 which included a fix for this issue, the case is also listed in the changelogs. You can check them here: Change Logs - Change Logs - cPanel Documentation Please let us know if anyone continues to experience issues related to this. Thanks!
    0
  • adeyjones
    @cPanelLauren Hi, sorry to dig this one from the past but it seems to be an issue again, I have a number of .nhs.uk domain names that have failed validation today and in the log it says "Is not a registered domain". I can confirm that .nhs.uk is still in the public domain suffix list here -
    0
  • cPanelLauren
    Hello, Can you please show me the output of the error log? Was it only .nhs.uk domains that had the issue? Can you also please include the output of the following:
    /scripts/cpdig domain.nhs.uk A --verbose
    /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'local $Cpanel::DnsRoots::Resolver::DEBUG=1; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain("domain.nhs.uk"));'
    We switched DNS resolvers which in this case should have resolved these issues - we were previously using our own system and have switched to unbound so it surprises me you're running into the same issue once more.
    0
  • adeyjones
    Hi @cPanelLauren and thanks for the reply, nice to speak to you again. The AutoSSL error log is huge as there are so many sites on it but here is a snippet:

        7:02:33 PM Performing HTTP DCV (Domain Control Validation) on 144 domains "
        7:02:33 PM ERROR "Domain.nhs.uk" is not a registered domain.
        ERROR "www.domain.nhs.uk" is not a registered domain.
        ERROR "mail.domain.nhs.uk" is not a registered domain.
        ERROR "domain2.nhs.uk" is not a registered domain.
        ERROR "cpanel.doamin.nhs.uk" is not a registered domain.
        ERROR "webdisk.domaoin.nhs.uk" is not a registered domain.
        ERROR "webmail.domain.nhs.uk" is not a registered domain.
        ERROR "www.domain2.nhs.uk" is not a registered domain.
        ERROR "mail.domain2.nhs.uk" is not a registered domain.
        ERROR "domain3.nhs.uk" is not a registered domain.
        ERROR "cpanel.domain2.nhs.uk" is not a registered domain.
        ERROR "webdisk.domain2.nhs.uk" is not a registered domain.
        ERROR "webmail.domain2.nhs.uk" is not a registered domain.
        ERROR "www.domain3.nhs.uk" is not a registered domain.
        ERROR "mail.domain3.nhs.uk" is not a registered domain.
        ERROR "cpanel.domain3.nhs.uk" is not a registered domain.
        ERROR "webdisk.domain3.nhs.uk" is not a registered domain.
        ERROR "webmail.domain3.nhs.uk" is not a registered domain.

    All the .co.uk and .org.uk domains validated fine and the .nhs.uk domains with SSL not due to expire still have theirs but the above ones which expired won't get renewed. I SSH'd in to the server and the output from the first code was:

        [root@adeys ~]# /scripts/cpdig domain.nhs.uk A --verbose
        [1574933730] libunbound[20362:0] notice: init module 0: validator
        [1574933730] libunbound[20362:0] notice: init module 1: iterator
        [1574933730] libunbound[20362:0] info: resolving domain.nhs.uk. A IN
        [1574933730] libunbound[20362:0] info: priming . IN NS
        [1574933731] libunbound[20362:0] info: response for . NS IN
        [1574933731] libunbound[20362:0] info: reply from <.> 193.0.14.129#53
        [1574933731] libunbound[20362:0] info: query response was ANSWER
        [1574933731] libunbound[20362:0] info: response for . NS IN
        [1574933731] libunbound[20362:0] info: reply from <.> 199.9.14.201#53
        [1574933731] libunbound[20362:0] info: query response was ANSWER
        [1574933731] libunbound[20362:0] info: priming successful for . NS IN
        [1574933731] libunbound[20362:0] info: response for domain.nhs.uk. A IN
        [1574933731] libunbound[20362:0] info: reply from <.> 192.33.4.12#53
        [1574933731] libunbound[20362:0] info: query response was REFERRAL
        [1574933731] libunbound[20362:0] info: resolving nsc.nic.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: resolving nsd.nic.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: resolving nsb.nic.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: response for domain.nhs.uk. A IN
        [1574933731] libunbound[20362:0] info: reply from 156.154.102.3#53
        [1574933731] libunbound[20362:0] info: query response was REFERRAL
        [1574933731] libunbound[20362:0] info: resolving nsa.nhs.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: resolving nsb.nhs.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: response for nsa.nhs.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: reply from 62.7.235.38#53
        [1574933731] libunbound[20362:0] info: query response was ANSWER
        [1574933731] libunbound[20362:0] info: response for nsb.nhs.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: reply from 62.7.235.38#53
        [1574933731] libunbound[20362:0] info: query response was ANSWER
        [1574933731] libunbound[20362:0] info: response for nsd.nic.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: reply from 213.248.216.1#53
        [1574933731] libunbound[20362:0] info: query response was DNSSEC LAME
        [1574933731] libunbound[20362:0] info: response for nsa.nhs.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: reply from 62.7.235.38#53
        [1574933731] libunbound[20362:0] info: query response was nodata ANSWER
        [1574933731] libunbound[20362:0] info: response for nsb.nhs.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: reply from 62.7.235.38#53
        [1574933731] libunbound[20362:0] info: query response was nodata ANSWER
        [1574933731] libunbound[20362:0] info: response for domain.nhs.uk. A IN
        [1574933731] libunbound[20362:0] info: reply from 109.159.200.38#53
        [1574933731] libunbound[20362:0] info: query response was nodata ANSWER
        [1574933731] libunbound[20362:0] info: response for nsd.nic.uk. AAAA IN
        [1574933731] libunbound[20362:0] info: reply from 103.49.80.1#53
        [1574933731] libunbound[20362:0] info: query response was DNSSEC LAME

    Your 2nd code didn't seem to output anything, what does it do? Thanks.
    0
  • cPanelLauren
    Your 2nd code didn't seem to output anything, what does it do?

    It should use our DNS resolver to report back the IPv4 address for the domain. Since it's not doing that and because it's nearly impossible to troubleshoot this issue over the forums can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
    0
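
Added example (not part of the original thread, and not cPanel's or unbound's own code): a small parser for the `cpdig --verbose` / libunbound trace format posted above. It pairs each "reply from" with its "query response was" verdict so that lame replies and the last verdict for the name being validated stand out. The trace below is constructed with placeholder names and documentation addresses, and `summarize`, `lame_servers` and `final_verdict` are hypothetical helper names.

```python
import re

# Constructed trace in libunbound's layout; names and IPs are placeholders.
SAMPLE_TRACE = """\
[1700000000] libunbound[4242:0] info: response for host.example.test. A IN
[1700000000] libunbound[4242:0] info: reply from <.> 192.0.2.1#53
[1700000000] libunbound[4242:0] info: query response was REFERRAL
[1700000000] libunbound[4242:0] info: response for ns2.example.test. AAAA IN
[1700000000] libunbound[4242:0] info: reply from 198.51.100.7#53
[1700000000] libunbound[4242:0] info: query response was DNSSEC LAME
[1700000000] libunbound[4242:0] info: response for host.example.test. A IN
[1700000000] libunbound[4242:0] info: reply from <example.test.> 192.0.2.53#53
[1700000000] libunbound[4242:0] info: query response was nodata ANSWER
"""

EVENT = re.compile(
    r"info: response for (?P<qname>\S+)\s+(?P<qtype>\S+)\s+IN"
    r"|info: reply from (?:<[^>]*> )?(?P<server>[0-9A-Fa-f.:]+)#\d+"
    r"|info: query response was (?P<verdict>[^\[\n]+)")

def summarize(trace):
    """Return [(qname, qtype, server, verdict)] in order; flattened pastes work too."""
    rows, question, server = [], None, None
    for m in EVENT.finditer(trace):
        if m.group("qname"):
            question = (m.group("qname"), m.group("qtype"))
        elif m.group("server"):
            server = m.group("server")
        elif question and server:  # a verdict closes a question/server pair
            rows.append((*question, server, m.group("verdict").strip()))
            server = None
    return rows

def lame_servers(rows):
    """Map each server whose reply was classified LAME to the questions asked."""
    bad = {}
    for qname, qtype, server, verdict in rows:
        if "LAME" in verdict:
            bad.setdefault(server, set()).add((qname, qtype))
    return bad

def final_verdict(rows, qname, qtype="A"):
    """Last classification recorded for the name being validated."""
    want = qname.rstrip(".").lower()
    hits = [v for n, t, _, v in rows if n.rstrip(".").lower() == want and t == qtype]
    return hits[-1] if hits else None

if __name__ == "__main__":
    print(lame_servers(summarize(SAMPLE_TRACE)))
```

Feed it the saved output of `/scripts/cpdig <domain> A --verbose`; the pattern scans the whole text, so it does not matter whether the trace kept its line breaks.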
