Today I received an AutoSSL error message from cPanel saying that the auto-renew failed for some reason. Can you please check and fix?

This was a recent query that we received in our Server Management Services Helpdesk.

Often, this error happens when the domain resolves to a different IP than the original IP address.

At Bobcares, we often get requests from our customers to fix AutoSSL DCV failure errors.

Today, in this write-up we’ll see more on AutoSSL DCV failure and how our Support Engineers fixed it.

Why do we need DCV for AutoSSL?

Before proceeding further, let’s take a quick look at the importance of Domain Control Validation (DCV) in AutoSSL.

Domain Control Validation, or DCV, is used by the Certificate Authority before issuing an SSL certificate to verify that the person making the request is in fact authorized to use the domain. In addition, Domain Control Validation (DCV) by DNS CNAME requires the creation of a unique CNAME record for the domain.

In WHM cPanel, the Manage AutoSSL feature allows managing the SSL certificate for the domains. Therefore, it helps to secure the sensitive data on the websites.

In order to manage AutoSSL, our Support Engineers log in to the WHM panel and go to WHM >> Home >> SSL/TLS >> Manage AutoSSL.

However, domains and subdomains that don’t pass a Domain Control Validation test end up with an HTTPS certificate installation error.

So, a domain should pass the DCV test before SSL certificates are issued. If DCV fails, it indicates that the domain or subdomain failed to prove ownership or control of a registered domain name.

As a result, cPanel will not issue the certificate when trying to install a new certificate or renew an existing one.

The available methods for AutoSSL DCV checks can be viewed from WHM.

The top reasons for AutoSSL DCV failure

From our experience in managing servers, we’ve seen customers facing different kinds of problems while installing an AutoSSL certificate. The top reason is that a domain fails to prove ownership. That means DCV failure.

Now, let’s see the top reasons for AutoSSL DCV failure and how our Support Team solved these common errors.

1. Conflict with a third party DNS software

Recently, one of our customers had a problem while renewing the SSL certificate. He received an error message from cPanel. It simply said that the auto-renew for the domain failed.

By investigating, our Support Engineers found the following error from the error log.

Error: Could not connect to 'www.xxxx.com:80': Network is unreachable. The domain “www.xxxx.com” resolved to an IP address “2a02:6xx0:c40c:0:0:0:0:3” that does not exist on this server.

On further checking, we found that the customer had set up a third-party DNS software, Cloudflare, on the server. The CloudDNS setup was therefore interfering with cPanel AutoSSL. AutoSSL checks the site regularly, and when it finds that the site is not resolving to a server IP, it causes problems with SSL.

Therefore, we updated the domain’s DNS back to server IP and enabled the SSL. The site started loading fine once the DNS propagation was completed.

Or, if customers prefer to use third-party DNS providers, it’s better to set up SSL at the DNS provider side itself.

2. Missing IPv6 support

By default, AutoSSL checks IPv6 records before the IPv4 records. When the server doesn’t listen on IPv6, the SSL checks fail. Therefore, it is necessary to enable IPv6 on the server.

In addition, if you are not planning to set up IPv6 on the server, the IPv6 address should be removed from the server.

Similarly, another customer had an error while installing an SSL certificate on the domain. The error said,

DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=zjArUofGfUm_CL48mrPNlqKUox_jqKktDzHc81LJJIKy2lvGIWlav3DlW1E7Jg9V”.; HTTP DCV: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C717482B82DE99BB6AA6FF82541D80C6.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

On checking, our Support Engineers found that the shared IPv6 was disabled on the server. Therefore, we had to enable IPv6 connectivity on the server.

This is how we fixed the error and then the customer could install the AutoSSL on the server.
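Both failures above come down to the same check: does every address the domain resolves to actually exist on this server? The following is an added example, not cPanel's or Bobcares' own code. It compares resolved A/AAAA addresses with the server's addresses and sorts a mismatch into one of the two causes described here. Function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import socket
import sys

# Constructed sample data (documentation ranges), used when no arguments are given.
SAMPLE_RESOLVED = ["192.0.2.10", "2001:db8:c40c:0:0:0:0:3"]
SAMPLE_SERVER = ["192.0.2.10/24", "fe80::1/64"]

def parse(addr):
    """Parse '192.0.2.10' or '2001:db8::3/64' into an ip_address object."""
    return ipaddress.ip_address(addr.split("/")[0])

def resolve(domain):
    """All A and AAAA addresses the local resolver returns for domain."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def dcv_mismatches(resolved, server_addrs):
    """Resolved addresses that are not bound on this server.

    Parsed addresses are compared, so the expanded IPv6 form shown in an
    error message matches the compressed form shown on the interface.
    """
    bound = {parse(a) for a in server_addrs}
    return [str(ip) for ip in map(parse, resolved) if ip not in bound]

def diagnose(resolved, server_addrs):
    """Map a mismatch onto the two causes described in the article."""
    bad = [parse(a) for a in dcv_mismatches(resolved, server_addrs)]
    if not bad:
        return "ok"
    # Loopback and link-local addresses cannot answer a public DCV request.
    usable_v6 = [ip for ip in map(parse, server_addrs)
                 if ip.version == 6 and not (ip.is_loopback or ip.is_link_local)]
    if all(ip.version == 6 for ip in bad) and not usable_v6:
        return "aaaa-record-but-no-ipv6-on-server"
    return "dns-points-to-another-host"

if __name__ == "__main__":
    # Arguments: DOMAIN SERVER_IP [SERVER_IP ...]; without them the sample runs.
    if len(sys.argv) > 2:
        found, server = resolve(sys.argv[1]), sys.argv[2:]
    else:
        found, server = SAMPLE_RESOLVED, SAMPLE_SERVER
    print("resolved:", found)
    print("not on this server:", dcv_mismatches(found, server))
    print("diagnosis:", diagnose(found, server))
```

When the domain sits behind a third-party DNS provider that proxies traffic, the resolved addresses belong to the provider, so the check reports "dns-points-to-another-host" even though the site loads normally.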

Conclusion

In short, AutoSSL DCV failure occurs when the domain resolves to a different IP than the server IP, or when IPv6 support is missing on the server. Today, we saw how our Support Engineers fixed related errors.
