Today I received an AutoSSL error message from cPanel saying that the auto-renew failed for some reason. Can you please check and fix?
Often, this error happens when the domain resolves to a different IP than the original IP address.
At Bobcares, we often get requests from our customers to fix AutoSSL DCV failure errors.
Today, in this write-up we’ll see more on AutoSSL DCV failure and how our Support Engineers fixed it.
Why do we need DCV for AutoSSL?
Domain control validation (DCV) is the check a Certificate Authority performs before issuing an SSL certificate to verify that the person making the request is in fact authorized to use the domain. Also, DCV by DNS CNAME requires the creation of a unique CNAME record for the domain.
In order to manage AutoSSL, our Support Engineers log in to the WHM panel and go to WHM >> Home >> SSL/TLS >> Manage AutoSSL.
So, a domain should pass the DCV test before SSL certificates are issued. A DCV failure indicates that the domain or subdomain failed to prove ownership or control of a registered domain name.
The available methods for AutoSSL DCV checks can be viewed from WHM.
The topmost reason for AutoSSL DCV failure
From our experience in managing servers, we’ve seen customers facing different kinds of problems while installing an AutoSSL certificate. The top reason is a domain failing to prove ownership, that is, a DCV failure.
Now, let’s see the topmost reason for AutoSSL DCV failure and how our Support Team solved these common errors.
1. Conflict with a third party DNS software
While investigating, our Support Engineers found the following error in the error log.
Error: Could not connect to 'www.xxxx.com:80': Network is unreachable. The domain “www.xxxx.com resolved to an IP address “2a02:6xx0:c40c:0:0:0:0:3” that does not exist on this server.
On further checking, we found that the customer had set up a third-party DNS software, Cloudflare, on the server. Therefore, the CloudDNS setup was interfering with cPanel AutoSSL. AutoSSL checks the site regularly, and when it finds the site not resolving to a server IP, it causes problems with SSL.
Or, if customers prefer to use third-party DNS providers, it’s better to set up SSL at the DNS provider side itself.
2. Missing IPv6 support
In addition, if you are not planning to set up IPv6 on the server, the IPv6 address should be removed from the server.
DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=zjArUofGfUm_CL48mrPNlqKUox_jqKktDzHc81LJJIKy2lvGIWlav3DlW1E7Jg9V”.; HTTP DCV: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C717482B82DE99BB6AA6FF82541D80C6.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
This is how we fixed the error and then the customer could install the AutoSSL on the server.
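A pre-check for the two causes above, as an added example that is not part of the original write-up: it compares the addresses a domain resolves to against the addresses configured on the server and reports every A or AAAA record that would send the DCV request somewhere else. The function names, the sample addresses (documentation ranges) and the caller-supplied list of server IPs are assumptions.

```python
import ipaddress
import socket


def resolve(host):
    """Live lookup: every A/AAAA address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _parse(raw):
    # Drop an IPv6 zone id ("fe80::1%eth0") before parsing.
    return ipaddress.ip_address(raw.split("%")[0])


def dcv_mismatches(resolved, server_ips):
    """Return (record_type, address) for each resolved address not on the server.

    Addresses are compared as parsed objects, so the expanded form seen in
    the AutoSSL log (x:0:0:0:0:3) matches the compressed form (x::3).
    """
    local = {_parse(ip) for ip in server_ips}
    missing = {_parse(raw) for raw in resolved} - local
    ordered = sorted(missing, key=lambda a: (a.version, int(a)))
    return [("AAAA" if a.version == 6 else "A", str(a)) for a in ordered]


def report(host, resolved, server_ips):
    """One human-readable line per record that would break DCV."""
    return [
        f"{host}: {rtype} record {addr} does not exist on this server"
        for rtype, addr in dcv_mismatches(resolved, server_ips)
    ]


if __name__ == "__main__":
    # Constructed sample data (documentation ranges), not taken from the page.
    server_ips = ["203.0.113.10"]  # assumption: the IPs configured on the server
    stale_aaaa = ["203.0.113.10", "2001:db8:c40c:0:0:0:0:3"]  # AAAA left in DNS
    proxied = ["198.51.100.7"]  # address handed out by a third-party DNS proxy
    for line in report("www.example.com", stale_aaaa, server_ips):
        print(line)
    for line in report("shop.example.com", proxied, server_ips):
        print(line)
    # For a live check: report(host, resolve(host), server_ips)
```

An empty result means every record points at the server; any line returned names the record to correct or remove before the next AutoSSL run.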
In short, AutoSSL DCV failure occurs when the domain is resolving to a different IP than the server IP or due to missing IPv6 support on the server. Today, we saw how our Support Engineers fixed related errors.