Expired certificates and errors
I use Let's Encrypt for certificates but it seems that cpanel/WHM is now trying to force users to purchase certificates. Here's what's happening:
Tech support is overwhelmed with requests so responses are delayed.
I keep getting this error on only 2 of the sites I manage.
Your connection is not private
Attackers might be trying to steal your information from evelyntoynton.com (for example, passwords, messages, or credit cards). Learn more about this warning
net::ERR_CERT_DATE_INVALID
The response from tech support is:
Before the AAAA records were removed, the DNS DCV check would encounter a timeout.
Analyzing “XXXXXX.com”’s DCV results …
Trying 1 wildcard domain (*.XXXXXX.com) to maximize coverage …
“Let’s Encrypt™” HTTP DCV error (XXXXXX.com): Timeout after 30 seconds!
“Let’s Encrypt™” DNS DCV error (XXXXXX.com): No “dns-01” challenge given!
“Let’s Encrypt™” DNS DCV error (*.XXXXXX.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.XXXXXX.com)
Technician: After the AAAA records were removed, the DNS DCV check saw incorrect TXT record values. I reinstalled the cpanel-letsencrypt-v2 package, which appears to have corrected the DNS DCV check issue.
Analyzing “XXXXXX.com”’s DCV results …
Trying 1 wildcard domain (*.XXXXXX.com) to maximize coverage …
“Let’s Encrypt™” HTTP DCV error (XXXXXX.com): Timeout after 30 seconds!
“Let’s Encrypt™” DNS DCV error (*.XXXXXX.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (Incorrect TXT record "xxf4AKV8b-WqVxxxxKNxxxxxxxxxxZRDw3DxxxIYZgs" found at _acme-challenge.XXXXXX.com)
Can't call method "error" on an undefined value at /var/cpanel/perl/Cpanel/SSL/ACME/DCV.pm line 353.
...propagated at /usr/local/cpanel/Cpanel/SSL/Auto/Run/HandleVhost.pm line 258.
...caught at /usr/local/cpanel/Cpanel/SSL/Auto/Run/User.pm line 314.
Technician: Currently, the HTTP DCV check is timing out. Typically, this is caused by rewrite rules redirecting the request to an unexpected location. Please ensure that your .htaccess rules have an exception for content in the .well-known/acme-challenge/ folder.
Analyzing “XXXXXX.com”’s DCV results …
Trying 1 wildcard domain (*.XXXXXX.com) to maximize coverage …
“Let’s Encrypt™” HTTP DCV error (XXXXXX.com): Timeout after 30 seconds!
Can't call method "error" on an undefined value at /var/cpanel/perl/Cpanel/SSL/ACME/DCV.pm line 353.
...propagated at /usr/local/cpanel/Cpanel/SSL/Auto/Run/HandleVhost.pm line 258.
...caught at /usr/local/cpanel/Cpanel/SSL/Auto/Run/User.pm line 314.
I've noticed that the site in question has an expired SSL certificate, which I've pointed out to the tech, but they don't seem to think this is an issue, or have suggested or taken steps to renew it - this seems odd.
I've checked the site and the .htaccess rules are standard rules that work in my other sites.
Nevertheless, when I try to renew the certificate it seems the only option is to purchase one.
Thoughts?
-
Yes, I believe that was my overzealous CSF firewall...
1 -
Hey there! Just to be clear, we are not encouraging or forcing users to purchase any certificates.
Was that tech support interaction with us? Do you have a ticket number?
0 -
Anyone know what to do with this type of error message? My ticket in official channels has been languishing and this is my last resort before I just pull the plug on WHM/cPanel forever:
/usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
The system will attempt to replace the certificate for the “cpanel” service with a signed certificate from the “Let’s Encrypt™” provider because the current certificate expires in less than 30 days.
The system will attempt to install a certificate for the “cpanel” service from the system SSL storage.
None of the certificates in the system SSL storage were acceptable to use for the “cpanel” service.
The system will attempt to get a new certificate for the domains: xxxxxx.xxxxxxxxx.com, autoconfig.xxxxxx.xxxxxxxxx.com, autodiscover.xxxxxx.xxxxxxxxx.com, cpanel.xxxxxx.xxxxxxxxx.com, cpcalendars.xxxxxx.xxxxxxxxx.com, cpcontacts.xxxxxx.xxxxxxxxx.com, ipv6.xxxxxx.xxxxxxxxx.com, mail.xxxxxx.xxxxxxxxx.com, webdisk.xxxxxx.xxxxxxxxx.com, webmail.xxxxxx.xxxxxxxxx.com, whm.xxxxxx.xxxxxxxxx.com, www.xxxxxx.xxxxxxxxx.com
The system failed to validate domain control for the domain “autoconfig.xxxxxx.xxxxxxxxx.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for autoconfig.xxxxxx.xxxxxxxxx.com; no valid AAAA records found for autoconfig.xxxxxx.xxxxxxxxx.com)
The system failed to validate domain control for the domain “mail.xxxxxx.xxxxxxxxx.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for mail.xxxxxx.xxxxxxxxx.com; no valid AAAA records found for mail.xxxxxx.xxxxxxxxx.com)
The system failed to validate domain control for the domain “ipv6.xxxxxx.xxxxxxxxx.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for ipv6.xxxxxx.xxxxxxxxx.com; no valid AAAA records found for ipv6.xxxxxx.xxxxxxxxx.com)
The system failed to validate domain control for the domain “cpcalendars.xxxxxx.xxxxxxxxx.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for cpcalendars.xxxxxx.xxxxxxxxx.com; no valid AAAA records found for cpcalendars.xxxxxx.xxxxxxxxx.com)
The system failed to validate domain control for the domain “webmail.xxxxxx.xxxxxxxxx.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for webmail.xxxxxx.xxxxxxxxx.com; no valid AAAA records found for webmail.xxxxxx.xxxxxxxxx.com)
The system failed to validate domain control for the domain “autodiscover.xxxxxx.xxxxxxxxx.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for autodiscover.xxxxxx.xxxxxxxxx.com; no valid AAAA records found for autodiscover.xxxxxx.xxxxxxxxx.com)
......and on and on and on and on......
“xxxxxx.xxxxxxxxx.com” failed DCV. Cannot proceed.
0 -
It would still be good to know if this was a cPanel ticket or not :D
This seems more like a DNS server issue than an issue with AutoSSL. Is IPv6 disabled on your machine, assuming you aren't using it? If not, you should get that turned off with the details here:
https://support.cpanel.net/hc/en-us/articles/360053362374-How-To-Disable-IPv6
or else it's going to try and check those non-existent addresses.
I'd do that, and then see if the errors persist. For what it's worth, you can get this same error from Let's Encrypt even without cPanel existing on the machine: https://community.letsencrypt.org/t/no-valid-aaaa-records-found-for-salesessentials-com/221519
0 -
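The two log excerpts above (the per-domain AutoSSL "DCV error" lines in the first post and the "failed to validate domain control" lines from checkallsslcerts in the later one) carry the same handful of ACME error signatures, and the thread ends up with a different fix for each: the .htaccess exception and host firewall for HTTP timeouts, a stale `_acme-challenge` TXT record, missing A/AAAA records for the proxy subdomains, and authoritative DNS not answering. The script below is an added example, not cPanel's or Let's Encrypt's code: it parses lines of those two shapes, classifies each by cause and groups the affected domains so one fix can be applied per cause. The sample log, the `example.com` hostnames and the `PLACEHOLDER_TOKEN` TXT value are constructed; the remediation text is drawn from what the thread reports.

```python
"""Triage cPanel AutoSSL / checkallsslcerts DCV failure output.

Added example for this thread, not cPanel's or Let's Encrypt's code.
Each ACME DCV error line is mapped to a likely cause and to the
remediation the thread itself arrived at; the log text is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, shaped like the excerpts quoted in the thread.
# Domains and the TXT token are placeholders, not real values.
SAMPLE_LOG = """\
“Let’s Encrypt™” HTTP DCV error (example.com): Timeout after 30 seconds!
“Let’s Encrypt™” DNS DCV error (example.com): No “dns-01” challenge given!
“Let’s Encrypt™” DNS DCV error (*.example.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.example.com)
“Let’s Encrypt™” DNS DCV error (*.example.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (Incorrect TXT record "PLACEHOLDER_TOKEN" found at _acme-challenge.example.com)
The system failed to validate domain control for the domain “mail.host.example.com” using the “HTTP” DCV method: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (no valid A records found for mail.host.example.com; no valid AAAA records found for mail.host.example.com)
The system will check for the certificate for the “cpanel” service.
"""

# What each cause usually means and what the thread did about it.
REMEDIATION: Dict[str, str] = {
    "http_timeout": (
        "The CA never received an HTTP response for the challenge. Exempt "
        "/.well-known/acme-challenge/ from rewrites (an Apache rule such as "
        "'RewriteRule ^\\.well-known/ - [L]' placed before the other rules) and "
        "confirm the host firewall (CSF in this thread) is not dropping the requests."
    ),
    "stale_txt": (
        "The _acme-challenge TXT record holds an old token. Remove the stale "
        "record and let the client publish the current one before retrying."
    ),
    "missing_address_records": (
        "The hostname has no A/AAAA records, so HTTP validation cannot reach it. "
        "Publish the records or, if IPv6 is not in use, disable it on the server "
        "(as suggested in the thread) so non-existent addresses are not checked."
    ),
    "dns_timeout": (
        "The CA's resolvers got no answer for the TXT lookup. Check that the "
        "authoritative nameservers respond from outside your network."
    ),
    "dns01_not_offered": (
        "No dns-01 challenge was offered for this name in this run; check the "
        "HTTP DCV result for the same name."
    ),
    "unclassified": "DCV error not matched by a known pattern; inspect the message.",
}

# Two line shapes appear in the thread: per-domain AutoSSL lines and the
# "failed to validate domain control" lines printed by checkallsslcerts.
_DCV_ERROR = re.compile(r"(HTTP|DNS) DCV error \(([^)]+)\): (.*)$")
_FAILED_DCV = re.compile(
    r"for the domain “([^”]+)” using the “(HTTP|DNS)” DCV method: (.*)$"
)


@dataclass
class Finding:
    domain: str
    method: str
    cause: str
    message: str


def _classify(method: str, message: str) -> str:
    """Order matters: the most specific ACME error strings are tested first."""
    if method == "HTTP" and "Timeout after" in message:
        return "http_timeout"
    if "acme:error:unauthorized" in message and "Incorrect TXT record" in message:
        return "stale_txt"
    if "acme:error:dns" in message and (
        "no valid A records" in message or "no valid AAAA records" in message
    ):
        return "missing_address_records"
    if "acme:error:dns" in message and "query timed out" in message:
        return "dns_timeout"
    if "dns-01" in message and "challenge given" in message:
        return "dns01_not_offered"
    return "unclassified"


def parse_dcv_line(line: str) -> Optional[Finding]:
    """Return a Finding for a DCV error line, or None for any other line."""
    m = _DCV_ERROR.search(line)
    if m:
        method, domain, message = m.groups()
    else:
        m = _FAILED_DCV.search(line)
        if not m:
            return None
        domain, method, message = m.groups()
    return Finding(domain, method, _classify(method, message), message.strip())


def triage(log_text: str) -> List[Finding]:
    """Parse every line of a log excerpt, keeping only DCV failures."""
    findings = (parse_dcv_line(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group affected domains by cause so one fix can be applied per cause."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.cause, [])
        if f.domain not in grouped[f.cause]:
            grouped[f.cause].append(f.domain)
    return grouped


if __name__ == "__main__":
    for cause, domains in summarize(triage(SAMPLE_LOG)).items():
        print(f"{cause}: {', '.join(domains)}")
        print(f"  -> {REMEDIATION[cause]}")
```

Paste the relevant section of `/var/log/cpanel/autossl` output or the checkallsslcerts output into `SAMPLE_LOG` (or read it from stdin) to get one line per cause with the domains it affects; an HTTP timeout on every name at once, as in the thread, points at the firewall or a rewrite rule rather than at DNS.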
Yes, it is a cPanel ticket. Do you want the number? I've already closed them since no one is answering and I've got to get this resolved.
I've turned off IPv6.
I don't dispute that you will also get them without cPanel. What's happening here is that all roads and choices that I'm able to make in cPanel or WHM to correct this lead to a solution that involves purchasing a certificate.
0 -
Yes, I'd still like that ticket number.
0 -
Where do I find the ticket number? I thought I already sent it to you.
0 -
cPanel ticket numbers are 8-digit numbers, and they currently start with 95xxxxxx
0 -
Finally tracked it down: 95369366
It's closed now. They escalated it and put some very knowledgeable techs on it.
0 -
Thanks for that - it looks like there was a firewall issue on the machine that was blocking Let's Encrypt from connecting to your server properly, and once our team identified that things started working!
0 -
Actually, I'm looking for an alternative to CSF - any suggestions?
0 -
Although we don't support it, CSF is pretty great, but I can't make any official recommendations for third-party tools.
0