
[CPANEL-30266] AutoSSL did not renew the certificate

Comments

69 comments

  • planetc
    I had the same issue, but I was able to solve it by opening up port 53 on both inbound & outbound UDP ports on the Firewall. (TCP should already be open on your firewall but UDP port thing must be new) cPanel support technician told me that UDP is also required for Autossl to communicate with root nameservers. Once I opened it up, everything started working fine. Hope this helps.
    0
  • cPanelLauren
    Hello, This issue has been pushed to v84.0.14 which is currently in the EDGE and CURRENT tiers. You can view this in our change logs here: Change Logs - cPanel Documentation
    0
  • alibaba4567
    Hi, I have the same problem. For a week I have alerts about certificates. My ticket is 13808829. What I see is that in the DNS of each account, the specific record is not created to verify the certificate.
    0
  • cPanelLauren
    Hello, As per my last response, this issue was resolved in v84.0.14 which from looking at your ticket you updated to overnight. The ticket is currently awaiting your response for confirmation that you're no longer experiencing the issue.
    0
  • javiersierrad
    The upgrade doesn't work for me... I get the same error
    0
  • jaxtheking
    Hi @cPanelLauren, I'm just after installing v84.0.14 and have restarted the DNS server just in case - however DCV keeps failing for me. EDIT: it eventually worked, not sure why it did not straight after upgrading. Good job!
    0
  • tracy771
    Self-signed
    An error occurred the last time AutoSSL ran, on November 21, 2019:
    DNS DCV: The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID djpuau) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.;
    HTTP DCV: The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID djpuau) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    0
  • lavinrac
    Hello, the issue is still present for me on v84.0.14. I have updated my server and performed a reboot.
    0
  • alibaba4567
    Hi Lauren. I have waited until now for the automatic SSL process to run. I am sorry to inform you that the problem persists. I leave you a capture of one of the domains; I have enough of them in this state. In the email it tells me:
    DNS DCV: The system failed to determine whether "***.com" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.com"'s "NS" records.;
    HTTP DCV: The system failed to determine whether "*.com" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "* ****.com"'s "NS" records.
    I wanted to ask you something: as I see differences between a domain with a current certificate and another with an error when renewing its certificate, I see that in the DNS zone of the certificate that is ok there is a record of type _cpanel-dcv-test-record. But in the DNS zone of accounts that cannot renew their certificate, this record does not exist. The AutoSSL log shows:
    23:04:14 Analyzing "*"'s domains …
    23:04:14 Analyzing "**.co*" …
    23:04:14 ERROR TLS Status: Defective
    ERROR Certificate expiry: 24/11/19 0:00 UTC (2,08 days from now)
    ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
    23:04:14 Attempting to ensure the existence of necessary CAA records …
    23:04:14 No CAA records were created.
    23:04:14 Verifying "cPanel (powered by Sectigo)"'s authorization on domains via DNS CAA records …
    23:04:14 AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID p4wrw3) DNS returned "SERVFAIL" (code 2) in response to the system's query for "www.******.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID vq2teh) DNS returned "SERVFAIL" (code 2) in response to the system's query for "mail.**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID 9nrnhd) DNS returned "SERVFAIL" (code 2) in response to the system's query for "cpanel.**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID gu3ydj) DNS returned "SERVFAIL" (code 2) in response to the system's query for "webdisk.**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID cep5sd) DNS returned "SERVFAIL" (code 2) in response to the system's query for "webmail.**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID tbxfb3) DNS returned "SERVFAIL" (code 2) in response to the system's query for "autodiscover.**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    AVISAR DNS query error: (XID sy8k4c) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "CAA" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    "cPanel (powered by Sectigo)" is authorized to issue certificates for all domains.
    23:04:14 Performing HTTP DCV (Domain Control Validation) on 7 domains …
    23:04:14 ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    ERROR The system failed to determine whether "**.co*" is a registered domain because of a DNS error: (XID 353bfs) DNS returned "SERVFAIL" (code 2) in response to the system's query for "**.co*"'s "NS" records.
    23:04:14 No local DNS DCV is necessary.
    0
  • marekkn
    Looks like the issue still exists: CENTOS 6.10 kvm [lhp201]
    domain.com …
    TLS Status: Incomplete
    Certificate expiry: 2/18/20, 12:00 AM UTC (87.88 days from now)
    Attempting to ensure the existence of necessary CAA records …
    No CAA records were created.
    Verifying "cPanel (powered by Sectigo)"'s authorization on domains via DNS CAA records …
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID 8vxbv4) DNS query (www.***domain***.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID eas2wz) DNS query (mail.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID hn4w48) DNS query (cpanel.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID qpjw5a) DNS query (webdisk.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID sqknkx) DNS query (webmail.domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    DNS query error: (XID b3ks7x) DNS query (domain.com/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
    "cPanel (powered by Sectigo)" is authorized to issue certificates for all domains.
    Performing HTTP DCV (Domain Control Validation) on 9 domains …
    The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID mtgtnb) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID mtgtnb) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID mtgtnb) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID mtgtnb) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID mtgtnb) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    The system failed to determine whether "domain.com" is a registered domain because of a DNS error: (XID mtgtnb) DNS returned "SERVFAIL" (code 2) in response to the system's query for "domain.com"'s "NS" records.
    No local DNS DCV is necessary.
    Processing "USER*"'s local DCV results …
    Analyzing "domain.com"'s DCV results …
    Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.
    The system has completed USERNAME AutoSSL check.

    # host -t NS domain.com
    domain.com name server ns2.aplus.net.
    domain.com name server ns1.aplus.net.
    # host domain.com ns2.aplus.net.
    Using domain server:
    Name: ns2.aplus.net.
    Address: 2001:1810:4000:4::10#53
    Aliases:
    domain.com has address 96.126.xxx.xxx
    domain.com mail is handled by 100 mx2c40.carrierzone.com.
    domain.com mail is handled by 10 mx1c40.carrierzone.com.
    domain.com mail is handled by 110 mx3c40.carrierzone.com.
    0
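The AutoSSL excerpts posted above repeat the same failed apex lookup once per subdomain (the same XID, e.g. b3ks7x or sy8k4c, appears over and over), which makes it hard to see that only one or two DNS queries are actually failing. The following is an added example, written for this thread and not part of cPanel or of any post here: it parses the two error shapes seen in these logs (SERVFAIL on an NS/CAA lookup, and a plain query timeout), de-duplicates by XID, and summarises what record types fail. The sample lines are constructed to resemble the posted excerpts, with placeholder domains.

```python
"""Summarise DNS failures in an AutoSSL log excerpt (added example, not cPanel code)."""
import re
from collections import Counter

# Error shape 1: 'DNS returned "SERVFAIL" (code 2) in response to the system's
# query for "<name>"'s "<RRTYPE>" records'
SERVFAIL_RE = re.compile(
    r'''\(XID (?P<xid>\w+)\) DNS returned "(?P<rcode>\w+)" \(code \d+\) '''
    r'''in response to the system's query for "(?P<name>[^"]+)"'s "(?P<rrtype>\w+)" records'''
)
# Error shape 2: 'DNS query (<name>/<RRTYPE>) timeout!'
TIMEOUT_RE = re.compile(
    r'\(XID (?P<xid>\w+)\) DNS query \((?P<name>[^/]+)/(?P<rrtype>\w+)\) timeout!'
)


def parse_line(line):
    """Return a dict describing the DNS failure on this line, or None if the
    line carries no DNS error (status lines, 'No CAA records were created', ...)."""
    m = SERVFAIL_RE.search(line)
    if m:
        return {"xid": m["xid"], "name": m["name"], "rrtype": m["rrtype"], "kind": m["rcode"]}
    m = TIMEOUT_RE.search(line)
    if m:
        return {"xid": m["xid"], "name": m["name"], "rrtype": m["rrtype"], "kind": "TIMEOUT"}
    return None


def summarise(lines):
    """Group failures by (rrtype, kind). Failures are de-duplicated by XID,
    because AutoSSL logs the same failed apex lookup once per subdomain."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["xid"] not in seen:
            seen[rec["xid"]] = rec
    by_type = Counter((r["rrtype"], r["kind"]) for r in seen.values())
    names = sorted({r["name"] for r in seen.values()})
    return {"unique_failures": len(seen), "by_type": dict(by_type), "names": names}


# Constructed sample modelled on the excerpts in this thread (placeholder domains).
SAMPLE_LOG = [
    "23:04:14 Attempting to ensure the existence of necessary CAA records",
    "23:04:14 No CAA records were created.",
    "AVISAR DNS query error: (XID sy8k4c) DNS returned \"SERVFAIL\" (code 2) in response to the system's query for \"example.com\"'s \"CAA\" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.",
    "AVISAR DNS query error: (XID p4wrw3) DNS returned \"SERVFAIL\" (code 2) in response to the system's query for \"www.example.com\"'s \"CAA\" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.",
    "AVISAR DNS query error: (XID sy8k4c) DNS returned \"SERVFAIL\" (code 2) in response to the system's query for \"example.com\"'s \"CAA\" records. at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.",
    "ERROR The system failed to determine whether \"example.com\" is a registered domain because of a DNS error: (XID 353bfs) DNS returned \"SERVFAIL\" (code 2) in response to the system's query for \"example.com\"'s \"NS\" records.",
    "ERROR The system failed to determine whether \"example.com\" is a registered domain because of a DNS error: (XID 353bfs) DNS returned \"SERVFAIL\" (code 2) in response to the system's query for \"example.com\"'s \"NS\" records.",
    "DNS query error: (XID b3ks7x) DNS query (example.net/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.",
    "23:04:14 No local DNS DCV is necessary.",
]

if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    result = summarise(source)
    print(f"unique failing queries: {result['unique_failures']}")
    for (rrtype, kind), n in sorted(result["by_type"].items()):
        print(f"  {rrtype:4s} {kind:9s} x{n}")
    print("names:", ", ".join(result["names"]))
```

Pipe a saved AutoSSL log into the script (for example from the WHM "Manage AutoSSL" log view) to get the summary; with no input it runs on the constructed sample. When every unique failure is an NS or CAA lookup of the apex domain, the problem is the server's own recursive resolution rather than the zones themselves, which is the pattern the posts above show.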
  • ipdroid
    Hi! Already on v84.0.14 and still some issue on all servers... :(
    0
  • cPanelLauren
    So I do want to clarify that this issue can occur when there is a misconfiguration on the system as well as due to the case. At this point (and based on the testing I've seen) I'd wager that those of you still experiencing an issue are suffering from some form of configuration issue. We have an API call available that forces some of the DNS workarounds to get past these issues. Can you please do the following:
    whmapi1 set_up_dns_resolver_workarounds
    Then if the output is "OK" re-run AutoSSL and let me know the result. If that doesn't work, can you guys that are still experiencing issues please run the following for me? Using one of the domains on the server that is failing DCV:
    /scripts/cpdig $domain.com A --verbose
    for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
    for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short $domain.com @$gtld.gtld-servers.net; done
    /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' $domain.com
    Any domain name that needs to be updated to your domain starts with $domain.com. When you paste the results please remove any actual identifying information including IP addresses and domain names. Thanks!
    0
  • Arshad Hussain
    I ran the command and got the following error:
    [root@server1 ~]# whmapi1 set_up_dns_resolver_workarounds
    perl: warning: Setting locale failed.
    perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LC_CTYPE = "UTF-8",
    LANG = "en_IN.UTF-8"
    are supported and installed on your system.
    perl: warning: Falling back to a fallback locale ("en_IN.UTF-8").
    perl: warning: Setting locale failed.
    perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LC_CTYPE = "UTF-8",
    LANG = "en_IN.UTF-8"
    are supported and installed on your system.
    perl: warning: Falling back to a fallback locale ("en_IN.UTF-8").
    ---
    data:
      flags: {}
    metadata:
      command: set_up_dns_resolver_workarounds
      reason: OK
      result: 1
      version: 1
    Please see the result is OK but it didn't fix the issue. Regards, Arshad
    0
  • meetsos
    Version v84.0.14 but still having the same problem...
    0
  • alibaba4567
    here are my results:
    [root@** ~]# whmapi1 set_up_dns_resolver_workarounds
    ---
    data:
      flags: {}
    metadata:
      command: set_up_dns_resolver_workarounds
      reason: OK
      result: 1
      version: 1
    [root@***** ~]#

    [root@***** ~]# for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
    a.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 a.root-servers.net @a.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    b.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 b.root-servers.net @b.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    c.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 c.root-servers.net @c.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    d.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 d.root-servers.net @d.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    e.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 e.root-servers.net @e.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    f.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 f.root-servers.net @f.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    g.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 g.root-servers.net @g.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    h.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 h.root-servers.net @h.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    i.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 i.root-servers.net @i.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    j.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 j.root-servers.net @j.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    k.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 k.root-servers.net @k.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    l.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 l.root-servers.net @l.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    m.root-servers.net: ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -4 m.root-servers.net @m.root-servers.net +short
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    [root@**** ~]#

    [root@*** ~]# for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short **.com @$gtld.gtld-servers.net; done
    Trying a.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying b.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying c.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying d.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying e.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying f.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying g.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying h.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying i.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying j.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying k.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying l.gtld-servers.net
    A ... from server ... in 0 ms.
    Trying m.gtld-servers.net
    A ... from server ... in 0 ms.
    [root@***** ~]#

    [root@*** ~]# /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' $**.com
    warn [-e] DNS query failure (.com/A): DNS::Unbound::X::ResolveError: DNS query resolution failure
    ==> X::Tiny::create('DNS::Unbound::X', 'ResolveError', 'number', '-3', 'string', 'syntax error') (called in /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm at line 181)
    ==> DNS::Unbound::_create_resolve_error('-3') (called in /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm at line 467)
    ==> DNS::Unbound::_check_promises(DNS::Unbound=HASH(0x1e64430)) (called in /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm at line 442)
    ==> DNS::Unbound::process(DNS::Unbound=HASH(0x1e64430)) (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 515)
    ==> Cpanel::DNS::Unbound::_poll_for_queries(Cpanel::DNS::Unbound=HASH(0x1e77f88), ARRAY(0x1fc0600)) (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 502)
    ==> Cpanel::DNS::Unbound::recursive_queries(Cpanel::DNS::Unbound=HASH(0x1e77f88), ARRAY(0x20055a0)) (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 359)
    ==> Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0x1e77f88), '.com', 'A') (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 427)
    ==> (eval)(Cpanel::DNS::Unbound=HASH(0x1e77f88), '.com', 'A') (called in /usr/local/cpanel/Cpanel/DNS/Unbound.pm at line 427)
    ==> Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0x1e77f88), '.com', 'A') (called in /usr/local/cpanel/Cpanel/DnsRoots.pm at line 82)
    ==> Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0x1fd4b20), '.com') (called in -e at line 1)
    ...propagated at /usr/local/cpanel/Cpanel/DNS/Unbound.pm, line 378

    [root@** ~]# /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' ****.com
    warn [-e] DNS query failure (.com/A): Cpanel::Exception::Timeout/(XID jg2hpm) DNS query (.com/A) timeout! at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 374.
    Cpanel::DNS::Unbound::_die_if_query_failed(HASH(0xa9ba40)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 363
    Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0x93ef78), "****.com", "A") called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 427
    eval {...} called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 427
    Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0x93ef78), "****.com", "A") called at /usr/local/cpanel/Cpanel/DnsRoots.pm line 82
    Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0x9fe8b8), "****.com") called at -e line 1
    [root@***** ~]#
    0
  • cPanelLauren
    I believe your issue has been investigated in Ticket ID 13774021 - the findings from one of our L3 analysts were identified as:
    [QUOTE]When someone on the public internet makes a DNS query to port 53 on , it reaches your cPanel server (server1.yourhostname.com). Your server responds authoritatively to DNS queries for the domains on it. However, when this server makes a DNS query to port 53 on , it hits a recursive resolving nameserver on the same local network, running dnsmasq. Whether or not this responds authoritatively seems to depend on what queries have been made to it.[/QUOTE]
    This is a pretty unique issue and not one that is commonly occurring. They provided some steps to resolve the issue as well.
    [QUOTE]The best fix for this would be to ensure that any outgoing requests from this server (192.168.1.206) to port 53 on get redirected back to port 53 on . This is often called "hairpin" or "loopback" or "reflection" NAT.[/QUOTE]
    0
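Two separate checks come up in this thread: whether the server can reach the root servers on UDP 53 at all (planetc's firewall finding and cPanelLauren's dig loop over a..m.root-servers.net), and whether a query the server sends to its own public address is answered by the server itself or by a local forwarder such as the dnsmasq described in the ticket above. The script below is an added example written for this page; it is not cPanel's code and not the commands cPanelLauren posted. It builds and parses DNS packets directly so the verdict is based on the response header (RCODE and the AA "authoritative answer" bit) rather than on dig's text output. It assumes the root-server hostnames resolve through the system resolver (as the dig loop does) and that the public IP and a hosted domain are passed on the command line; the interpretation of a non-authoritative self-answer as the hairpin symptom is taken from the L3 analyst's description, which also notes that dnsmasq's authoritative behaviour can vary, so repeat the check with a few names.

```python
"""Raw-packet DNS reachability and self-answer checks (added example, not cPanel code)."""
import os
import socket
import struct

QTYPE_A = 1
QTYPE_NS = 2
QTYPE_CAA = 257


def build_query(qname, qtype=QTYPE_A, txn_id=None, rd=True):
    """Serialise a one-question DNS query in RFC 1035 wire format.
    Returns (packet, txn_id) so the caller can match the reply."""
    if txn_id is None:
        # Random transaction ID: the basic defence against off-path spoofed replies.
        txn_id = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100 if rd else 0x0000  # RD (recursion desired) bit
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question, txn_id


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields the verdict depends on."""
    txn_id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated (retry over TCP)
        "ra": bool(flags & 0x0080),   # recursion available (typical of a forwarder)
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(hdr, expected_id):
    """Turn a response header into a short verdict string."""
    if hdr["id"] != expected_id:
        return "id-mismatch"          # reply to someone else's query, or spoofed
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == 2:
        return "servfail"             # what AutoSSL reported in this thread
    if hdr["rcode"] == 5:
        return "refused"
    if hdr["rcode"] != 0:
        return "rcode-%d" % hdr["rcode"]
    return "authoritative" if hdr["aa"] else "non-authoritative"


def udp_query(server_ip, qname, qtype=QTYPE_A, timeout=3.0):
    """Send one query to server_ip:53 over UDP and classify the answer."""
    pkt, tid = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"          # UDP 53 filtered: the dig loop's "no servers could be reached"
    return classify(parse_header(data), tid)


def probe_root_servers():
    """Equivalent of the dig loop: ask each root server for its own A record.
    The root servers are authoritative for root-servers.net, so a healthy
    path returns 'authoritative' for every letter."""
    results = {}
    for letter in "abcdefghijklm":
        name = f"{letter}.root-servers.net"
        try:
            ip = socket.gethostbyname(name)   # system resolver, as dig does for @host
        except socket.gaierror:
            results[name] = "unresolvable"
            continue
        results[name] = udp_query(ip, name)
    return results


def check_self_answer(public_ip, hosted_domain):
    """Ask the server's own public IP for the NS records of a domain it hosts.
    'authoritative' means the query reached this server; 'non-authoritative'
    means something else on the path (e.g. a local dnsmasq) answered instead."""
    return udp_query(public_ip, hosted_domain, QTYPE_NS)


if __name__ == "__main__":
    import sys
    for name, verdict in probe_root_servers().items():
        print(f"{name}: {verdict}")
    if len(sys.argv) == 3:
        print(f"self-query {sys.argv[2]} @{sys.argv[1]}: {check_self_answer(sys.argv[1], sys.argv[2])}")
```

Run it as `python3 dnscheck.py <public-ip> <hosted-domain>` on the cPanel server. All thirteen root probes returning "timeout" while the gTLD servers answer matches the output alibaba4567 posted and points at outbound UDP 53 filtering; a "non-authoritative" self-query with RA set is the pattern the L3 analyst described and is fixed on the NAT device, not in cPanel.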
  • cPanelLauren
    Can you tell me about your IP routing configuration on the server? Are you NAT routed or not? What's present in /etc/resolv.conf? It's also pretty interesting you can reach the gtld servers but not the root servers.
    0
  • Arshad Hussain
    I believe your issue has been investigated in Ticket ID 13774021 - the findings from one of our L3 analysts was identified as This is a pretty unique issue and not one that is commonly occurring. They provided some steps to resolve the issue as well.

    Hi, Thanks for the reply. But Lauren, I just checked AutoSSL on subdomains/domains and surprisingly I found that AutoSSL for domain1.com got renewed on 23rd Nov. 2019. But some of them are still showing the same error. I tried other accounts but it didn't happen again. It also happened once a few days back, which I have reported in email. My question is: if there is any misconfiguration in our iptables, it must not allow AutoSSL on any of our domains/subdomains. Moreover, all the configuration of my servers has been unaltered for a very long time and AutoSSL was working fine on all. I also see many have reported a similar issue on the forum. How could the same issue be faced by many if the problem is on the server side? I have even checked the iptables with the command iptables -L, but couldn't figure out any issue. On running the following command, I got this today:
    [root@server1 ~]# whmapi1 set_up_dns_resolver_workarounds
    ---
    data:
      flags: {}
    metadata:
      command: set_up_dns_resolver_workarounds
      reason: OK
      result: 1
      version: 1
    If you still think the issue is related to iptables, then could you please suggest some links to me related to this and BAD REFERRAL. Thanks & Regards, Arshad
    0
  • cPanelLauren
    Hi, Thanks for the reply. But Lauren, I just checked AutoSSL on subdomains/domains and surprisingly I found that AutoSSL for domain1.com got renewed on 23rd Nov. 2019. But some of them are still showing the same error. I tried other accounts but it didn't happen again. It also happened once a few days back, which I have reported in email. My question is: if there is any misconfiguration in our iptables, it must not allow AutoSSL on any of our domains/subdomains. Moreover, all the configuration of my servers has been unaltered for a very long time and AutoSSL was working fine on all. I also see many have reported a similar issue on the forum. How could the same issue be faced by many if the problem is on the server side? I have even checked the iptables with the command iptables -L, but couldn't figure out any issue. If you still think the issue is related to iptables, then could you please suggest some links to me related to this and BAD REFERRAL. Thanks & Regards, Arshad

    For your issue, because it's being actively worked in the ticket system and they have access to the server, I'd suggest continuing to work with them to identify/resolve this. That will be the best and most efficient place to get the assistance you need.
    0
  • alibaba4567
    Can you tell me about your IP routing configuration on the server? Are you NAT routed or not? What's present in /etc/resolv.conf? It's also pretty interesting you can reach the gtld servers but not the root servers.

    Hi Lauren, I have 3 public IPs configured. I am not NAT routed. The content of my /etc/resolv.conf is:
    [root@**** ~]# cat /etc/resolv.conf
    search your-server.de
    nameserver 213.133.98.98
    nameserver 213.133.99.99
    nameserver 213.133.100.100
    0
  • alibaba4567
    Hello, I have completely deactivated the firewall of my two servers and they have renewed my certificates. I don't understand why, since there should be outward communication. I will check with my server provider.
    0
  • LuisVJatar
    DNS DCV: The system failed to determine whether "st" is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout!; HTTP DCV: The system failed to determine whether "st" is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout! I have the ticket nr. 13843909 - AutoSSL did not renew the certificate for ...
    0
  • cPanelLauren
    Hello, I have completely deactivated the firewall of my two servers and they have renewed my certificates. I don't understand why, since there should be outward communication. I will check with my server provider.

    Sounds like a misconfiguration, and the provider should be able to get you pointed in the right direction. I am glad to hear that your certificates were able to be renewed.
    0
  • cPanelLauren
    DNS DCV: The system failed to determine whether "st" is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout!; HTTP DCV: The system failed to determine whether "st" is a registered domain because of a DNS error: (XID k2wdnd) DNS query (/NS) timeout! I have the ticket nr. 13843909 - AutoSSL did not renew the certificate for ...

    I checked in on this issue and can see that an L2 analyst is going to be addressing it shortly.
    0
  • dc01
    Hey there, We're also having timeout problems and are unable to renew expired certs using AutoSSL. cPanel is up to date - just saw a minor update today to 11.84.0.15 which was applied, but failures are still happening. It seems to be DNS related and we've been going in circles trying to clear up every possible DNS issue, including setting /etc/resolv.conf with new nameservers and disabling IPv6.
    /scripts/cpdig works.
    The $i.root-servers.net dig loop works.
    The $gtld.gtld-servers.net dig loop works.
    /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' DOMAIN.TLD fails:
    warn [-e] DNS query failure (DOMAIN.TLD/A): Cpanel::Exception::Timeout/(XID 4ps3c6) DNS query (DOMAIN.TLD/A) timeout! at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 376.
     Cpanel::DNS::Unbound::_die_if_query_failed(HASH(0xf28398)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 365
     Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0xb83048), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 429
     eval {...} called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 429
     Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0xb83048), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DnsRoots.pm line 82
     Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0xf28158), "DOMAIN.TLD") called at -e line 1
    (in cleanup) (in cleanup) at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/DNS/Unbound.pm line 536 during global destruction.
    Assistance would be appreciated. Thanks! -dc01.
    0
  • cPanelLauren
    Hello, We've confirmed internally that the behavior persisting, in this case, is almost always a misconfiguration of the firewall resulting in incorrectly configured hairpinning. For reference on what this is, the wiki may be helpful: Hairpinning - Wikipedia. For some reference you can try the commands I listed earlier in the thread, but ultimately this will need to be resolved locally. We recently switched our DNS resolver to unbound, which is less fault-tolerant than the internal method we were utilizing previously.
    0
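    The root-server check behind the dig loops quoted in this thread, done by hand over both UDP and TCP so that a firewall dropping UDP 53 (planetc's fix above) shows up as a UDP-only timeout rather than a SERVFAIL. This is an added example, not cPanel's code: `build_query`, `rcode_of` and `probe` are names chosen here, and the transaction ID is a constructed value.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RFC 1035
TXID = 0x1234  # fixed transaction ID so a reply can be matched (constructed value)

def build_query(name, qtype=2):
    """Wire-format DNS query for name/qtype (2 = NS, 1 = A); "." is the root zone."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def rcode_of(reply):
    """Name the RCODE of a reply (the thread's "code 2" is SERVFAIL), or BADID/TRUNCATED."""
    if len(reply) < 12:
        return "TRUNCATED"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != TXID:
        return "BADID"
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def _recv_exact(sock, n):  # DNS over TCP is a 2-byte length prefix plus the message
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe(server, name=".", qtype=2, timeout=3.0):
    """Same question over UDP and TCP; a firewall passing only TCP 53 yields udp=TIMEOUT."""
    q, result = build_query(name, qtype), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        try:
            u.sendto(q, (server, 53))
            result["udp"] = rcode_of(u.recv(4096))
        except (socket.timeout, OSError):
            result["udp"] = "TIMEOUT"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as t:
        t.settimeout(timeout)
        try:
            t.connect((server, 53))
            t.sendall(struct.pack("!H", len(q)) + q)
            result["tcp"] = rcode_of(_recv_exact(t, struct.unpack("!H", _recv_exact(t, 2))[0]))
        except (socket.timeout, OSError):
            result["tcp"] = "TIMEOUT"
    return result
```

    `probe("198.41.0.4")` (a.root-servers.net) returns NOERROR on both transports from a host whose firewall permits outbound DNS; udp=TIMEOUT beside tcp=NOERROR points at the UDP 53 or hairpinning misconfiguration discussed above.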
  • speedy200man
    Same here... ticket ID #470786 (on buycpanel.com). It seems that the host IP (on vmbr0) cannot return the result from dig to the virtual machine (vmbr1), even if the connections are bridged. Is there any way I can fix this so the dig resolver would look to the virtual machine's internal LAN IP? [EDIT] After adding this inside Proxmox, the dig command works from Proxmox to the virtual machine (that's the 10.10.... IP, where the .100 is the internal gateway):
    iptables -t nat -A POSTROUTING -o vmbr1 -s 10.10.10.0/24 -d 10.10.10.10 -p udp -m udp --dport 53 -j SNAT --to-source 10.10.10.100
    iptables -t nat -A POSTROUTING -o vmbr1 -s 10.10.10.0/24 -d 10.10.10.10 -p tcp -m tcp --dport 53 -j SNAT --to-source 10.10.10.100
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 10.10.10.10:53
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 10.10.10.10:53
    Now the problem I need to solve is for the dig command to work from inside the virtual machine...
    0
  • speedy200man
    So, the only way I could make it work is by enabling promisc mode on the vm adapter: ip link set vmbr1 promisc on
    0
  • alphatls
    /scripts/cpdig $domain.com A --verbose
    for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
    for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short $domain.com @$gtld.gtld-servers.net; done
    /usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' $domain.com

    Was there anything specific you were looking for with these? I ran these and there were no errors; the output was (afaik) as expected. Ticket created as well: 13894889.
    0
  • cPanelLauren
    So, the only way I could make it work is by enabling promisc mode on the vm adapter: ip link set vmbr1 promisc on

    But you were able to get this working locally with your configuration?
    0
