DNS Zone Cleanup & AutoSSL Errors on HotSpare Server
This is sort of a two-part question. I have a "Hot Spare" server that has 5 identical cPanel accounts to the production WHM server. It's there in case there is a catastrophic hardware or network issue that takes more than 15 minutes to resolve: I can switch my DNS to the HotSpare, which uses database replication and rsync to keep the database and files synchronized.
I had this setup in the past with no issues, but migrated servers a few months ago to AlmaLinux 8 so I could get the latest WHM version (amongst other updates).
Since doing so I'm getting AutoSSL errors on the HotSpare that I didn't get before. Some of the errors I've seen before, and they stem from the fact that I don't host the DNS for any accounts locally, and none of the accounts are hosting email locally, using webdisk, or anything other than Apache. So typically the error will say it can't generate an SSL cert for webdisk.{somedomain}.com because there's no entry for that hostname in my external DNS. What typically happened is that AutoSSL stopped trying to request certs for hostnames not in the external DNS, even though the records remain in the cPanel local DNS.
What is strange is that 2 of the 5 accounts on the HotSpare server are constantly sending me emails regarding the inability to renew the certs, but not the other 3 accounts. There are two types of errors.
DNS DCV: No local authority: “www.{thedomain}.net”; HTTP DCV: The system queried for a temporary file at “http://www.{thedomain}.net/.well-known/acme-challenge/938ZQ0YF-4PNG9I_S6-ZQFLS24EPGDB2”, but the web server responded with the following error: 404 (Not Found).
The problem here is obvious, as it's searching for that URL on the production server and it doesn't exist. Could I just rsync the .well-known directory over to solve this issue? What's off is that in the same setup with an older version of WHM, which I'm 99% sure was also using Let's Encrypt, I never had this issue, and it's not happening with the other 3 accounts!?
The second issue is that for the hostnames that are not in the external DNS and only in the local DNS, instead of AutoSSL ignoring them going forward, it is still trying to renew them, but interestingly, only for 1 of the 5 accounts.
DNS DCV: No local authority: “webdisk.{thisdomain}.net”; HTTP DCV: “webdisk.{thisdomain}.net” does not resolve to any IP addresses on the internet.
At the top of the notice it says: "{thisdomain}.net: The AutoSSL certificate expires on Mar 19, 2024 at 4:37:25 AM UTC. At the time of this notice, the certificate expired 3 hours, 27 minutes, and 42 seconds ago."
Why is it still generating errors for this one account for all these subdomains that don't exist in the external DNS, when the same is the case for the other 4 accounts but they aren't generating AutoSSL errors?
My second related question is: I'm assuming there's no way to tell WHM, for a given DNS zone, to just replicate what's on the external DNS server, and that I need to manually go into each zone and delete all the records associated with non-existent subdomains (like webmail, webdisk, etc.)?
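As an added example (not from the original post and not cPanel's own tooling): a small pre-check that walks each account's bare domain plus the usual service aliases, resolves them against external DNS, and sorts them into the two failure classes seen in the notices above, "does not resolve" versus "resolves to the production box, so HTTP DCV from the spare will 404". The alias list, the example.net zone and the 203.0.113.x addresses are constructed for the demonstration; on a real server pass `resolve_live` and the spare's own public IP.

```python
import socket

# Service aliases cPanel adds to an account's Apache vhost (assumed list;
# the post mentions webdisk, webmail and mail).
SERVICE_PREFIXES = ("www", "mail", "webmail", "webdisk", "cpanel")


def resolve_live(hostname: str) -> list[str]:
    """Resolve with the system resolver; empty list when there is no A record."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(hostname: str, my_ip: str, resolve) -> str:
    """Map a hostname to the DCV outcome AutoSSL will hit on this server.
    'no-record' : nothing in external DNS, neither DNS nor HTTP DCV can pass
    'elsewhere' : HTTP DCV fetches the token from another host (404 on production)
    'here'      : the challenge file on this server is reachable, DCV can pass
    """
    ips = resolve(hostname)
    if not ips:
        return "no-record"
    return "here" if my_ip in ips else "elsewhere"


def audit(domains, my_ip: str, resolve=resolve_live) -> dict[str, str]:
    report = {}
    for domain in domains:
        for prefix in ("",) + SERVICE_PREFIXES:  # bare domain plus aliases
            host = f"{prefix}.{domain}" if prefix else domain
            report[host] = classify(host, my_ip, resolve)
    return report


def hostnames_to_prune(report: dict[str, str]) -> list[str]:
    """Aliases with no external record: remove them before AutoSSL retries."""
    return sorted(h for h, state in report.items() if state == "no-record")


# Constructed stand-in for one account's external zone: production is
# 203.0.113.10, the hot spare 203.0.113.20 (documentation addresses).
EXAMPLE_ZONE = {
    "example.net": ["203.0.113.10"],
    "www.example.net": ["203.0.113.10"],
    "mail.example.net": ["203.0.113.10"],
}


def resolve_from_table(hostname: str, table=EXAMPLE_ZONE) -> list[str]:
    return table.get(hostname, [])


if __name__ == "__main__":
    for host, state in audit(["example.net"], "203.0.113.20", resolve_from_table).items():
        print(f"{host:24} {state}")
```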
-
Eh, looks like AutoSSL doesn't pull the hostnames from the DNS but from the Apache config, as it's still issuing certs for things like webdisk.domain.com and webmail.domain.com after I removed them from the DNS zone. Kind of a mess, but I'll just have to ignore all the warnings and errors as long as the "real" hostnames actually in use have a proper SSL cert.
-
Tweak Settings > Disable Service Subdomains
Cleaned most of it up. (It still retains the mail subdomain when not using the local mail service for the account, but I can live with that.)
-
If you don't plan to use those server subdomains there's nothing wrong with disabling those!