AutoSSL not issuing certificates for a DNS error (letsencrypt/sectigo)
Hi,
I'm having a strange problem on a server with WHM/cPanel.
AutoSSL can't renew SSL certificates for any domain (Let's Encrypt or Sectigo).
(I replaced all real data with DOMAIN.TLD, OURDOMAINDNS.TLD, A.B.C.D, E.F.G.H, etc.)
This is the autossl output for a domain:
/usr/local/cpanel/bin/autossl_check --user USER
AutoSSL's configured provider is "cPanel (powered by Sectigo)".
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing "editalia"'s domains …
Analyzing "DOMAIN.TLD" …
TLS Status: Defective
Certificate expiry: 10/30/20, 12:00 PM UTC (255.93 days from now)
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
Attempting to ensure the existence of necessary CAA records …
No CAA records were created.
Verifying "cPanel (powered by Sectigo)"'s authorization on domains via DNS CAA records …
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 39sv69) DNS query (www.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 2dbf4j) DNS query (mail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 7wgbxa) DNS query (cpanel.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID dg7j7r) DNS query (webdisk.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID rt5s3a) DNS query (webmail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID gutuj8) DNS query (autodiscover.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
"cPanel (powered by Sectigo)" is authorized to issue certificates for all domains.
Performing HTTP DCV (Domain Control Validation) on 7 domains …
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
No local DNS DCV is necessary.
Processing "editalia"'s local DCV results …
Analyzing "DOMAIN.TLD"'s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
The system has completed "editalia"'s AutoSSL check.
I've searched around for the same problem and executed the following:
whmapi1 set_up_dns_resolver_workarounds
/scripts/cpdig DOMAIN.TLD A --verbose
[1581947097] libunbound[5388:0] notice: init module 0: validator
[1581947097] libunbound[5388:0] notice: init module 1: iterator
[1581947097] libunbound[5388:0] info: resolving DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: priming . IN NS
[1581947097] libunbound[5388:0] info: response for . NS IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:200::b#53
[1581947097] libunbound[5388:0] info: query response was ANSWER
[1581947097] libunbound[5388:0] info: priming successful for . NS IN
[1581947097] libunbound[5388:0] info: response for DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: reply from <.> 199.7.91.13#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for DOMAIN.TLD. A IN
[1581947097] libunbound[5388:0] info: reply from 2001:67c:1010:7::53#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: resolving ns1.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: resolving ns2.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: resolving ns2.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: resolving ns3.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: resolving ns3.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: resolving ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:2::c#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:1::53#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:503:ba3e::2:30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from <.> 2001:500:9f::42#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from 2001:503:83eb::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: resolving ns4.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from 2001:503:83eb::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from 2001:502:1ca1::30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns3.OURDOMAINDNS.TLD A IN
[1581947097] libunbound[5388:0] info: reply from 192.12.94.30#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947097] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD AAAA IN
[1581947097] libunbound[5388:0] info: reply from <.> 199.9.14.201#53
[1581947097] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD A IN
[1581947098] libunbound[5388:0] info: reply from <.> 2001:dc3::35#53
[1581947098] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: response for ns1.OURDOMAINDNS.TLD AAAA IN
[1581947098] libunbound[5388:0] info: reply from 2001:503:a83e::2:30#53
[1581947098] libunbound[5388:0] info: query response was REFERRAL
[1581947098] libunbound[5388:0] info: response for ns2.OURDOMAINDNS.TLD A IN
[1581947098] libunbound[5388:0] info: reply from 192.42.93.30#53
[1581947098] libunbound[5388:0] info: query response was REFERRAL
for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
a.root-servers.net: 198.41.0.4
b.root-servers.net: 199.9.14.201
c.root-servers.net: 192.33.4.12
d.root-servers.net: 199.7.91.13
e.root-servers.net: 192.203.230.10
f.root-servers.net: 192.5.5.241
g.root-servers.net: 192.112.36.4
h.root-servers.net: 198.97.190.53
i.root-servers.net: 192.36.148.17
j.root-servers.net: 192.58.128.30
k.root-servers.net: 193.0.14.129
l.root-servers.net: 199.7.83.42
m.root-servers.net: 202.12.27.33
for gtld in {a..m}; do echo Trying $gtld.gtld-servers.net ; dig +trace +short DOMAIN.TLD @$gtld.gtld-servers.net; done
Trying a.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying b.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying c.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying d.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying e.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying f.gtld-servers.net
A A.B.C.D from server E.F.G.H in 11 ms.
Trying g.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying h.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying i.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying j.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying k.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying l.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
Trying m.gtld-servers.net
A A.B.C.D from server E.F.G.H in 0 ms.
/usr/local/cpanel/3rdparty/bin/perl -mCpanel::DnsRoots -e 'use Data::Dumper; print Dumper(Cpanel::DnsRoots->new()->get_ipv4_addresses_for_domain(@ARGV[0]));' DOMAIN.TLD
warn [-e] DNS query failure (DOMAIN.TLD/A): Cpanel::Exception::Timeout/(XID 594jqp) DNS query (DOMAIN.TLD/A) timeout!
at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 379.
Cpanel::DNS::Unbound::_die_if_query_failed(HASH(0x1cbe280)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 368
Cpanel::DNS::Unbound::recursive_query_or_die(Cpanel::DNS::Unbound=HASH(0x18e6008), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 432
eval {...} called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 432
Cpanel::DNS::Unbound::recursive_query(Cpanel::DNS::Unbound=HASH(0x18e6008), "DOMAIN.TLD", "A") called at /usr/local/cpanel/Cpanel/DnsRoots.pm line 83
Cpanel::DnsRoots::get_ipv4_addresses_for_domain(Cpanel::DnsRoots=HASH(0x1cbe040), "DOMAIN.TLD") called at -e line 1
The problem seems to be in this last command.
I've tried to install BIND and PowerDNS on this machine (we have separate DNS servers).
I've tried to modify resolv.conf using global DNS, the server itself, and the provider's.
Can you help me?
I'm getting the same errors for all my sites:
# /usr/local/cpanel/bin/autossl_check --user DOMAIN
AutoSSL's configured provider is "cPanel (powered by Sectigo)".
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing "DOMAIN"'s domains …
Analyzing "DOMAIN.tld" …
TLS Status: Incomplete
Certificate expiry: 4/3/20, 12:00 AM UTC (44.11 days from now)
Analyzing "researchmethods.DOMAIN.tld" …
TLS Status: Defective
Certificate expiry: 2/13/20, 12:00 AM UTC (5.89 days ago)
Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
Attempting to ensure the existence of necessary CAA records …
No CAA records were created.
Verifying 10 domains' DNS management …
Verifying "cPanel (powered by Sectigo)"'s authorization on 10 domains via DNS CAA records …
DNS query error (DOMAIN.tld/NS): (XID pqyyr8) DNS request timeout: DOMAIN.tld/NS
DNS does not manage "DOMAIN.tld".
DNS query error (www.DOMAIN.tld/NS): (XID zvkqkd) DNS request timeout: www.DOMAIN.tld/NS
DNS does not manage "www.DOMAIN.tld".
DNS query error (mail.DOMAIN.tld/NS): (XID hc34hv) DNS request timeout: mail.DOMAIN.tld/NS
DNS does not manage "mail.DOMAIN.tld".
DNS query error (cpanel.DOMAIN.tld/NS): (XID q58y5r) DNS request timeout: cpanel.DOMAIN.tld/NS
DNS does not manage "cpanel.DOMAIN.tld".
DNS query error (webdisk.DOMAIN.tld/NS): (XID bd6qdg) DNS request timeout: webdisk.DOMAIN.tld/NS
DNS does not manage "webdisk.DOMAIN.tld".
DNS query error (webmail.DOMAIN.tld/NS): (XID webmr6) DNS request timeout: webmail.DOMAIN.tld/NS
DNS does not manage "webmail.DOMAIN.tld".
DNS query error (cpcontacts.DOMAIN.tld/NS): (XID b72m5p) DNS request timeout: cpcontacts.DOMAIN.tld/NS
DNS does not manage "cpcontacts.DOMAIN.tld".
DNS query error (cpcalendars.DOMAIN.tld/NS): (XID h79xvx) DNS request timeout: cpcalendars.DOMAIN.tld/NS
DNS does not manage "cpcalendars.DOMAIN.tld".
DNS query error (researchmethods.DOMAIN.tld/NS): (XID kskwcv) DNS request timeout: researchmethods.DOMAIN.tld/NS
DNS does not manage "researchmethods.DOMAIN.tld".
DNS query error (www.researchmethods.DOMAIN.tld/NS): (XID yhz726) DNS request timeout: www.researchmethods.DOMAIN.tld/NS
DNS does not manage "www.researchmethods.DOMAIN.tld".
DNS does not manage any of this user's 10 domains.
DNS query error (researchmethods.DOMAIN.tld/CAA): SERVFAIL (2)
DNS query error (cpcontacts.DOMAIN.tld/CAA): SERVFAIL (2)
DNS query error (webdisk.DOMAIN.tld/CAA): SERVFAIL (2)
DNS query error (cpanel.DOMAIN.tld/CAA): SERVFAIL (2)
DNS query error (www.researchmethods.DOMAIN.tld/CAA): SERVFAIL (2)
DNS query error (webmail.DOMAIN.tld/CAA): SERVFAIL (2)
DNS query error (DOMAIN.tld/CAA): SERVFAIL (2)
CA authorized: "DOMAIN.tld"
CA authorized: "researchmethods.DOMAIN.tld"
CA authorized: "cpcontacts.DOMAIN.tld"
CA authorized: "webdisk.DOMAIN.tld"
CA authorized: "cpanel.DOMAIN.tld"
CA authorized: "www.researchmethods.DOMAIN.tld"
CA authorized: "webmail.DOMAIN.tld"
DNS query error (www.DOMAIN.tld/CAA): SERVFAIL (2)
CA authorized: "www.DOMAIN.tld"
DNS query error (mail.DOMAIN.tld/CAA): SERVFAIL (2)
CA authorized: "mail.DOMAIN.tld"
DNS query error (cpcalendars.DOMAIN.tld/CAA): SERVFAIL (2)
CA authorized: "cpcalendars.DOMAIN.tld"
"cPanel (powered by Sectigo)" is authorized to issue certificates for 10 of this user's 10 domains.
AutoSSL cannot increase "DOMAIN"'s SSL coverage.
I'm interested to hear if there is a fix.
What is the output of the following? nmap -sU -sT -p 53,80,443
What is present in the resolv.conf file at /etc/resolv.conf? Are your servers using a firewall? Are your servers NAT routed?
Our structure has 4 servers that do only DNS. Then there is DNS clustering, write-only from the hosting servers towards the DNS servers.
We have csf installed with these rules on the hosting server:
TCP_IN=20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3128
TCP_OUT=20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,3306,56522
No firewall on the DNS servers.
resolv.conf on the hosting server & DNS servers (same output for each DNS server):
search invalid
nameserver 213.136.95.11
nameserver 213.136.95.10
nameserver 2a02:c207::1:53
Nmap from hosting server to itself:
PORT     STATE          SERVICE
53/tcp   closed         domain
80/tcp   open           http
443/tcp  open           https
53/udp   closed         domain
80/udp   closed         http
443/udp  closed         https
Nmap from hosting server to DNS (same output for each DNS server):
PORT     STATE          SERVICE
53/tcp   open           domain
80/tcp   open           http
443/tcp  open           https
53/udp   open|filtered  domain
80/udp   open|filtered  http
443/udp  open|filtered  https
Nmap from DNS to itself (same output for each DNS server):
PORT     STATE          SERVICE
53/tcp   open           domain
80/tcp   closed         http
443/tcp  closed         https
53/udp   open|filtered  domain
80/udp   closed         http
443/udp  closed         https
Nmap from DNS to hosting server:
PORT     STATE          SERVICE
53/tcp   closed         domain
80/tcp   open           http
443/tcp  open           https
53/udp   closed         domain
80/udp   open|filtered  http
443/udp  open|filtered  https
The same problem also occurs when using Let's Encrypt as the AutoSSL provider from cPanel. I've downloaded certbot-auto from Let's Encrypt and tried a wildcard cert with the DNS check (with a manual script to add DNS TXT records through the cPanel API) and everything goes well... so it's a cPanel internal problem.
I've made these scripts to keep the certificates updated because our customers are losing patience. I hope this will help others in the same situation while we wait for the problem to be resolved. This is not a perfect solution... but it will keep your customers quiet for a while. It will install Let's Encrypt's certificate without checking whether there is a certificate from another issuer or no certificate at all. It will only try to issue certificates on domains with this error in the AutoSSL logs: "The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error". Keep in mind that this will work only if you have:
- AutoSSL logs in /var/cpanel/logs/autossl/
- userdata in /var/cpanel/userdata/
- userdomains in /etc/userdomains
- the dig utility (it does a DNS check against Google's DNS (8.8.8.8) and adds only FQDNs that resolve to the current server)
- whmapi1 (needed to install SSL certs)
For example, create a folder "fixssl" somewhere. Go into that folder and launch (you need git installed for this to work):
git clone https://github.com/certbot/certbot
then create these three files (fixsslfromlogs.sh, installssl.sh, installssl.pl):

fixsslfromlogs.sh:
#!/bin/bash
# Reads the newest AutoSSL log, picks out the domains that failed with
# "The system failed to determine whether ... is a registered domain",
# and hands each one that belongs to a cPanel user to installssl.sh.
pushd "$(dirname "$0")" > /dev/null
PROGDIR=$(pwd)
popd > /dev/null

foldername=$(ls -1 /var/cpanel/logs/autossl | tail -n 1)
if [ "${foldername}" == "" ]; then echo "no autossl logs!"; exit 1; fi
path="/var/cpanel/logs/autossl/${foldername}"
if [ -d "${path}" ]; then
  # "... DNS error: (XID xxxxxx) DNS query (DOMAIN.TLD/NS) timeout!" -> DOMAIN.TLD
  for domain in $(grep "system failed to determine" "${path}/txt" | awk -F '(' '{print $3}' | awk -F '/' '{print $1}' | awk '{print $1}' | sort | uniq); do
    count=$(grep -c "^${domain}:" /etc/userdomains)
    if [ "${count}" -eq 1 ]; then
      "${PROGDIR}/installssl.sh" "${domain}"
    fi
  done
fi

installssl.sh:
#!/bin/bash
# Usage: installssl.sh DOMAIN
# Requests a Let's Encrypt certificate with certbot-auto (webroot challenge) for the
# cPanel FQDNs of DOMAIN that resolve to this server, then installs it via whmapi1.
pushd "$(dirname "$0")" > /dev/null
PROGDIR=$(pwd)
popd > /dev/null

if [ "$1" == "" ]; then echo "$0 domain"; exit 1; fi
if [ ! -f "${PROGDIR}/certbot/certbot-auto" ]; then echo "certbot missing!"; exit 1; fi

dnscommand="dig +noall +answer A @8.8.8.8"
domain=$1

count=$(grep -c "^${domain}:" /etc/userdomains)
if [ "${count}" -eq 0 ]; then echo "${domain} does not exist!"; exit 1; fi
user=$(grep "^${domain}:" /etc/userdomains | awk -F ':' '{print $2}' | tr -d '[:space:]')

cd "/var/cpanel/userdata/${user}/" || exit 1
# The vhost file that mentions the domain (skipping the cache/main/json/_SSL variants).
domainFile=$(grep -ilr "\ ${domain}" | egrep -v -e "cache$" -e "main$" -e "json$" -e "_SSL$")
if [ -z "${domainFile}" ] || [ ! -f "/var/cpanel/userdata/${user}/${domainFile}" ]; then
  echo "no userdata vhost file found for ${domain}!"; exit 1
fi
path=$(grep documentroot "${domainFile}" | awk '{print $2}')
if [ ! -d "${path}" ]; then echo "${path} does not exist!"; exit 1; fi

# Returns 0 (ok) when NAME has an A record (as seen by 8.8.8.8) that is one of this
# server's own addresses, 1 (bad) otherwise. Only names that pass get a -d flag.
dnsipcheck() {
  local name=$1
  local dnsresult ipaddress
  dnsresult=$(${dnscommand} "${name}" | grep IN | grep -v CNAME)
  if [ -n "${dnsresult}" ]; then
    ipaddress=$(echo "${dnsresult}" | awk 'NR==1{print $5}')
    if [ -n "${ipaddress}" ]; then
      if ifconfig | grep inet | awk '{print $2}' | egrep -v -e "^127.0.0.1$" -e "^::1$" | grep -qF "${ipaddress}"; then
        echo "${name} ok"; return 0
      fi
    fi
  fi
  echo "${name} bad"; return 1
}

cd "${PROGDIR}/certbot/" || exit 1
vhost="/var/cpanel/userdata/${user}/${domainFile}"
servername=$(grep "servername:" "${vhost}" | awk -F ': ' '{print $2}')
serveraliases=$(grep "serveralias:" "${vhost}" | awk -F ': ' '{print $2}')
basedomain=$(grep ": ${servername}" "/var/cpanel/userdata/${user}/main" | awk -F ': ' '{print $1}' | tr -d ' ' | head -n 1)
domainscommand=""
if [ "${basedomain}" == "main_domain" ]; then
  basedomain=${servername}
else
  serveraliases="${serveraliases} ${domainFile}"
fi
if dnsipcheck "${basedomain}"; then domainscommand="${domainscommand} -d ${basedomain}"; fi
for alias in autodiscover cpanel webdisk webmail mail www; do
  if dnsipcheck "${alias}.${basedomain}"; then domainscommand="${domainscommand} -d ${alias}.${basedomain}"; fi
done
for alias in ${serveraliases}; do
  if dnsipcheck "${alias}"; then domainscommand="${domainscommand} -d ${alias}"; fi
done
if [ "${domainscommand}" == "" ]; then echo "no hosts resolved for ${domainFile} ssl!"; exit 1; fi
# certbot names its live/ folder after the first -d name.
firstdomain=$(echo "${domainscommand}" | awk '{print $2}')
./certbot-auto certonly -n ${domainscommand} --webroot -w "${path}" --expand || exit 1

cd "${PROGDIR}" || exit 1
cpapi1 --user="${user}" SSL delete "${domainFile}"
./installssl.pl "${firstdomain}" "${domain}"

installssl.pl:
#!/usr/local/cpanel/3rdparty/bin/perl
# Usage: installssl.pl <certbot live folder> <domain to install the certificate on>
use strict;
use warnings;
use URI::Escape;

my ($folder, $dom) = @ARGV;
die "usage: $0 live-folder domain\n" unless defined $folder && defined $dom;

my $certfile = "/etc/letsencrypt/live/$folder/cert.pem";
my $keyfile  = "/etc/letsencrypt/live/$folder/privkey.pem";
my $cafile   = "/etc/letsencrypt/live/$folder/chain.pem";

# Read a whole PEM file into one string.
sub slurp {
    my ($file) = @_;
    open(my $fh, '<', $file) or die "cannot open file $file: $!";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# whmapi1 expects URI-encoded values on the command line.
my $cert = uri_escape(slurp($certfile));
my $key  = uri_escape(slurp($keyfile));
my $ca   = uri_escape(slurp($cafile));

# List form of system() so no shell parses the arguments; whmapi1 already runs as
# root locally, so no HTTP call or stored root password is needed.
system("whmapi1", "installssl", "domain=$dom", "crt=$cert", "cabundle=$ca", "key=$key") == 0
    or die "whmapi1 installssl failed for $dom\n";

chmod +x fixsslfromlogs.sh
chmod +x installssl.sh
chmod +x installssl.pl
then launch fixsslfromlogs.sh
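As an added example (not from this thread or from cPanel's code), a small Python parser for the AutoSSL log formats quoted in this thread: it picks out the same "failed to determine whether ... is a registered domain" domains that fixsslfromlogs.sh extracts with grep/awk, and separates the CAA warnings that AutoSSL tolerates from the NS lookup and DCV failures that actually stop issuance. The sample log is constructed from lines quoted above; all function names are mine.

```python
"""Classify cPanel AutoSSL log lines by the pre-check stage that failed.

Added example, not from the thread or cPanel. The sample log below is
constructed from lines quoted in this thread.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    domain: str   # name that was queried or checked ("*" for run-wide lines)
    stage: str    # caa | dns_management | registered_domain | dcv
    rtype: str    # DNS record type, "" for non-DNS lines
    outcome: str  # timeout | servfail | unmanaged | dcv_failure
    xid: str      # cPanel exception id, "" when the line has none


# Both log shapes in the thread carry a "(name/TYPE)" token; "(XID ...)"
# contains a space and therefore never matches this pattern.
_QUERY = re.compile(r"\((?P<name>[A-Za-z0-9.-]+)/(?P<rtype>[A-Z]+)\)")
_XID = re.compile(r"\(XID (?P<xid>[a-z0-9]+)\)")
_QUOTED = re.compile(r'"(?P<name>[A-Za-z0-9.-]+)"')
# WHM's rendered log prefixes lines with "H:MM:SS AM" and/or WARN/ERROR.
_PREFIX = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M\s+)?(WARN|ERROR)?\s*")


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a failure line, None for anything else."""
    line = _PREFIX.sub("", line.strip(), count=1)
    xid_m = _XID.search(line)
    xid = xid_m.group("xid") if xid_m else ""
    if line.startswith("Impediment:"):
        return Finding("*", "dcv", "", "dcv_failure", xid)
    if line.startswith("DNS does not manage"):
        q = _QUOTED.search(line)
        # 'DNS does not manage any of this user's N domains.' names no domain.
        return Finding(q.group("name"), "dns_management", "", "unmanaged", xid) if q else None
    q = _QUERY.search(line)
    if not q:
        return None
    if "SERVFAIL" in line:
        outcome = "servfail"
    elif "timeout" in line.lower():
        outcome = "timeout"
    else:
        return None
    if "failed to determine whether" in line:
        stage = "registered_domain"  # the NS lookup that precedes HTTP DCV
    elif q.group("rtype") == "CAA":
        stage = "caa"
    else:
        stage = "dns_management"
    return Finding(q.group("name"), stage, q.group("rtype"), outcome, xid)


def parse_log(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def registered_domain_failures(findings: List[Finding]) -> List[str]:
    """Domains AutoSSL could not confirm as registered (what fixsslfromlogs.sh
    greps for), deduplicated and sorted."""
    return sorted({f.domain for f in findings if f.stage == "registered_domain"})


def blocking_findings(findings: List[Finding]) -> List[Finding]:
    """CAA lookup errors are tolerated (the log still says the CA 'is authorized');
    the registered-domain NS lookup and the DCV impediment are what block issuance."""
    return [f for f in findings if f.stage in ("registered_domain", "dcv")]


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per domain, how often each stage/outcome pair was logged."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        out[f.domain][f"{f.stage}/{f.outcome}"] += 1
    return {d: dict(c) for d, c in out.items()}


# Constructed sample mixing the autossl_check and WHM-rendered line shapes.
SAMPLE_LOG = """\
Verifying "cPanel (powered by Sectigo)"'s authorization on domains via DNS CAA records ...
DNS query error: (XID 27n8hj) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
DNS query error: (XID 39sv69) DNS query (www.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
"cPanel (powered by Sectigo)" is authorized to issue certificates for all domains.
Performing HTTP DCV (Domain Control Validation) on 7 domains ...
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID wx23pz) DNS query (DOMAIN.TLD/NS) timeout!
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
6:16:02 PM WARN DNS query error (www.domain.com/NS): SERVFAIL (2)
6:16:03 PM WARN DNS query error (domain.com/CAA): SERVFAIL (2)
6:16:08 PM ERROR DNS does not manage "domain.com".
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for dom, counts in summarize(found).items():
        print(dom, counts)
    print("needs attention:", registered_domain_failures(found))
```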
cPanel's implementation of AutoSSL won't work with the configuration you have; 53 UDP needs to be open on the web server to determine authority. It never gets past this:
Verifying "cPanel (powered by Sectigo)"'s authorization on 10 domains via DNS CAA records …
DNS query error (DOMAIN.tld/NS): (XID pqyyr8) DNS request timeout: DOMAIN.tld/NS
DNS does not manage "DOMAIN.tld".
I am glad that you were able to find a solution that works for you.
My fault... I didn't mention the UDP ports in & out:
TCP_IN=20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3128
TCP_OUT=20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,3306,56522
UDP_IN=20,21,53,3306
UDP_OUT=20,21,53,113,123,873,6277,3306,24441
As you can see the hosting server has no problem on port 53 (TCP/UDP, in/out). We have 4 servers that do only DNS. No DNS is installed on the hosting servers. So it is normal for port 53 to be closed on the hosting server during an nmap scan (TCP/UDP).
AutoSSL isn't working with Sectigo or Let's Encrypt. The error is the same. If I use certbot-auto from the command line everything goes well.
Now... to eliminate any firewall problem I did this test with the firewall turned off and with AutoSSL using Let's Encrypt:
Log for the AutoSSL run for "USER": Tuesday, February 25, 2020 11:01:45 AM GMT+0100 (Let's Encrypt™)
11:01:45 AM AutoSSL's configured provider is "Let's Encrypt™".
Analyzing "USER"'s domains …
11:01:46 AM Analyzing "DOMAIN.TLD" …
11:01:46 AM TLS Status: Ready for Renewal
WARN Certificate expiry: 3/24/20, 1:17 AM UTC (27.64 days from now)
11:01:46 AM Attempting to ensure the existence of necessary CAA records …
11:01:46 AM No CAA records were created.
11:01:46 AM Verifying "Let's Encrypt™"'s authorization on domains via DNS CAA records …
11:02:16 AM WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID s93jh3) DNS query (www.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID mmwe8g) DNS query (mail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID 3cgatn) DNS query (cpanel.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID huthyh) DNS query (webdisk.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID rjrjwa) DNS query (webmail.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID jentjq) DNS query (autodiscover.DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
WARN DNS query error: (XID vs6jex) DNS query (DOMAIN.TLD/CAA) timeout! at /usr/local/cpanel/Cpanel/DnsRoots/CAA.pm line 114.
"Let's Encrypt™" is authorized to issue certificates for all domains.
11:02:16 AM Performing HTTP DCV (Domain Control Validation) on 7 domains …
11:02:46 AM ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
ERROR The system failed to determine whether "DOMAIN.TLD" is a registered domain because of a DNS error: (XID jhpdry) DNS query (DOMAIN.TLD/NS) timeout!
11:02:46 AM No local DNS DCV is necessary.
11:02:46 AM Processing "USER"'s local DCV results …
11:02:46 AM Analyzing "DOMAIN.TLD"'s DCV results …
11:02:46 AM ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
11:02:46 AM The system has completed "USER"'s AutoSSL check.
The same domain with certbot-auto from the command line gives this:
./certbot-auto certonly -n -d DOMAIN.TLD -d autodiscover.DOMAIN.TLD -d cpanel.DOMAIN.TLD -d webdisk.DOMAIN.TLD -d webmail.DOMAIN.TLD -d mail.DOMAIN.TLD -d www.DOMAIN.TLD -d www.DOMAIN.TLD -d mail.DOMAIN.TLD --webroot -w /home/USERHOME/public_html --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for autodiscover.DOMAIN.TLD
http-01 challenge for cpanel.DOMAIN.TLD
http-01 challenge for mail.DOMAIN.TLD
http-01 challenge for DOMAIN.TLD
http-01 challenge for webdisk.DOMAIN.TLD
http-01 challenge for webmail.DOMAIN.TLD
http-01 challenge for www.DOMAIN.TLD
Using the webroot path /home/USERHOME/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
   Your cert will expire on 2020-05-25. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
I also applied for a wildcard certificate:
./certbot-auto certonly -n -d '*.DOMAIN.TLD' --manual --preferred-challenges dns --manual-auth-hook /myscripts/ssl/dnstxt.sh --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for DOMAIN.TLD
Running manual-auth-hook command: /myscripts/ssl/dnstxt.sh
Output from manual-auth-hook command dnstxt.sh:
DOMAIN.TLD 1ZsLqaUpYpUPgQ3ssR-ZVoLr_r0sTnqEI6xzjCFPt4c
---
metadata:
  command: addzonerecord
  reason: "\n"
  result: 1
  version: 1
whmapi1 addzonerecord domain=DOMAIN.TLD name=_acme-challenge class=IN ttl=86400 type=TXT txtdata=1ZsLqaUpYpUPgQ3ssR-ZVoLr_r0sTnqEI6xzjCFPt4c
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/DOMAIN.TLD-0001/privkey.pem
   Your cert will expire on 2020-05-25. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Now:
- same issuer (Let's Encrypt)
- AutoSSL isn't working (I think it's using the webroot check because of the "well-known" folders in the webroots)
- certbot-auto works (with webroot and DNS challenge)
- firewall is off
Logic suggests that it is a cPanel problem... what do you think?
So it is normal for port 53 to be closed on the hosting server during an nmap scan (tcp/udp).
I can attest to this as well: if you're not running a nameserver on the webserver, nothing is listening on 53 and it shows as closed. I also apologize, as I missed that you had tested this with a nameserver installed previously. Also, keep in mind that Sectigo and Let's Encrypt are completely separate, and the process for AutoSSL with Sectigo is a LOT different from CertBot's Let's Encrypt. That wouldn't be the issue then, since the port is open, which brings us back to it originating from dnsroots being unable to complete; the biggest issue being that it doesn't perform the HTTP DCV check from what I can see, it looks like it stops with DNS when it fails. A really interesting ticket came through in regard to dnsmasq intercepting and responding to DNS queries and I wonder if that's similar to what's going on here. I asked previously but it's pretty important to know now: are your servers NAT routed? If so I am curious if we're running into a similar issue as the ticket I found. You might be able to test this (if they are NAT routed) by doing something like the following:
dig @publicIP version.bind txt chaos +short
You'd need pdns or bind on the server for this to function properly and it might be best to do this with one of them installed to rule out the cluster as an issue. Are you using cPanel's DNS Clustering or a custom configuration?
Hi, I have this issue and my server is NAT routed, what can I do?
6:15:48 PM Analyzing "domain.com" …
6:15:48 PM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
6:15:48 PM Attempting to ensure the existence of necessary CAA records …
6:15:48 PM No CAA records were created.
6:15:48 PM Verifying 3 domains' DNS management …
Verifying "cPanel (powered by Sectigo)"'s authorization on 3 domains via DNS CAA records …
6:16:02 PM WARN DNS query error (www.domain.com/NS): SERVFAIL (2)
6:16:03 PM WARN DNS query error (domain.com/CAA): SERVFAIL (2)
6:16:03 PM CA authorized: "domain.com"
6:16:05 PM WARN DNS query error (mail.domain.com/NS): SERVFAIL (2)
6:16:08 PM WARN DNS query error (domain.com/NS): SERVFAIL (2)
6:16:08 PM ERROR DNS does not manage "domain.com".
ERROR DNS does not manage "www.domain.com".
ERROR DNS does not manage "mail.domain.com".
DNS does not manage any of this user's 3 domains.
6:16:14 PM WARN DNS query error (mail.domain.com/CAA): SERVFAIL (2)
6:16:14 PM CA authorized: "mail.domain.com"
6:16:14 PM WARN DNS query error (www.domain.com/CAA): SERVFAIL (2)
6:16:14 PM CA authorized: "www.domain.com"
"cPanel (powered by Sectigo)" is authorized to issue certificates for 3 of this user's 3 domains.
Are DNS lookups successful on the server? For example, can you telnet to another server? Is the domain managed? i.e., is it registered and does it resolve to the server?