Today I received an AutoSSL error message from cPanel saying that the auto-renew failed for some reason. Can you please check and fix?
This was a recent query that we received in our Server Management Services Helpdesk.
Often, this error happens when the domain resolves to a different IP than the original IP address.
At Bobcares, we often get requests from our customers to fix AutoSSL DCV failure errors as part of our Server Management Services.
Today, in this write-up we’ll see more on AutoSSL DCV failure and how our Support Engineers fixed it.
Why do we need DCV for AutoSSL?
Before proceeding further, let’s take a quick look at the importance of Domain Control Validation (DCV) in AutoSSL.
Domain Control Validation, or DCV, is used by the Certificate Authority before issuing an SSL certificate to verify that the person making the request is in fact authorized to use the domain. Also, Domain Control Validation (DCV) by DNS CNAME requires the creation of a unique CNAME record for the domain.
In WHM cPanel, the Manage AutoSSL feature allows managing the SSL certificate for the domains. Therefore, it helps to secure the sensitive data on the websites.
To manage AutoSSL, our Support Engineers log in to the WHM panel and go to WHM >> Home >> SSL/TLS >> Manage AutoSSL.
However, domains and subdomains that don’t pass a Domain Control Validation test end up with an HTTPS certificate installation error.
So, a domain should pass the DCV test before SSL certificates are issued. If DCV fails then it indicates that the domain or subdomain fails to prove the ownership or control of a registered domain name.
As a result, cPanel will not issue the certificate when trying to install a new certificate or renew an existing one.
The available methods for AutoSSL DCV checks can be viewed from WHM.
The topmost reason for AutoSSL DCV failure
From our experience in managing servers, we’ve seen customers facing different kinds of problems while installing an AutoSSL certificate. The top reason is that a domain fails to prove ownership. That means DCV failure.
Now, let’s see the topmost reason for AutoSSL DCV failure and how our Support Team solved these common errors.
1. Conflict with a third party DNS software
Recently, one of our customers had a problem while renewing the SSL certificate. He received an error message from cPanel. It simply said that the auto-renew for the domain failed.
On investigating, our Support Engineers found the following error in the error log.
Error: Could not connect to 'www.xxxx.com:80': Network is unreachable. The domain “www.xxxx.com resolved to an IP address “2a02:6xx0:c40c:0:0:0:0:3” that does not exist on this server.
On further checking, we found that the customer had set up a third-party DNS software, Cloudflare, on the server. Therefore, the CloudDNS setup was interfering with the cPanel AutoSSL. AutoSSL checks the site regularly, and when it finds the site not resolving to a server IP, this causes problems with SSL.
Therefore, we updated the domain’s DNS back to server IP and enabled the SSL. The site started loading fine once the DNS propagation was completed.
Or, if customers prefer to use third-party DNS providers, it’s better to set up SSL at the DNS provider side itself.
2. Missing IPv6 support
By default, AutoSSL checks the IPv6 records before the IPv4 records. When the server doesn’t listen on IPv6, the SSL checks fail. Therefore, it is necessary to enable IPv6 on the server.
In addition, if you are not planning to set up IPv6 on the server, the IPv6 address should be removed from the server.
Similarly, another customer had an error while installing an SSL certificate on the domain. The error said,
DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=zjArUofGfUm_CL48mrPNlqKUox_jqKktDzHc81LJJIKy2lvGIWlav3DlW1E7Jg9V”.; HTTP DCV: The system queried for a temporary file at “http://example.com/.well-known/pki-validation/C717482B82DE99BB6AA6FF82541D80C6.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
First, we checked the contents of the file:
cat /proc/net/if_inet6
Here, our Support Engineers found that IPv6 support was disabled on the server. Therefore, we had to enable IPv6 connectivity on the server by modifying the settings in the file /etc/sysctl.conf.
Finally, we verified the IPv6 support using:
ifconfig -a | grep inet6
This is how we fixed the error and then the customer could install the AutoSSL on the server.
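Both failure modes above (a record pointing at an address that is not on the server, and an AAAA record on a server without IPv6) can be checked with one script. This is an added example, not code from Bobcares or cPanel; the function names parse_if_inet6 and check_dcv_targets are hypothetical, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample of /proc/net/if_inet6. Columns: address (32 hex digits),
# ifindex, prefix length, scope, flags, device. 2001:db8::/32 is the
# documentation prefix, used here as a stand-in for a real global address.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000025056fffe8a1b2c 02 40 20 80 eth0
20010db8000000000000000000000010 02 40 00 80 eth0
"""

def parse_if_inet6(text):
    """Return {IPv6Address: device} for each address the kernel lists."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or len(fields[0]) != 32:
            continue  # blank or malformed line
        addrs[ipaddress.IPv6Address(bytes.fromhex(fields[0]))] = fields[5]
    return addrs

def check_dcv_targets(resolved, local_v4, if_inet6_text):
    """Classify every address the domain resolves to.

    resolved: strings from the domain's A/AAAA records, in any notation.
    local_v4: IPv4 addresses configured on this server.
    Returns a list of (normalised address, verdict) tuples.
    """
    usable_v6 = {a for a in parse_if_inet6(if_inet6_text)
                 if not (a.is_loopback or a.is_link_local)}
    local = usable_v6 | {ipaddress.ip_address(a) for a in local_v4}
    report = []
    for raw in resolved:
        ip = ipaddress.ip_address(raw)  # collapses 0:0:0:0 and leading zeros
        if ip in local:
            verdict = "ok"
        elif ip.version == 6 and not usable_v6:
            verdict = "AAAA record, but server has no usable IPv6 address"
        else:
            verdict = "resolves to an address not on this server"
        report.append((str(ip), verdict))
    return report

if __name__ == "__main__":
    # Constructed DNS answers: the A record is local, the AAAA record is not.
    for addr, verdict in check_dcv_targets(
            ["203.0.113.10", "2001:db8:0:0:0:0:0:3"],
            ["203.0.113.10"], SAMPLE_IF_INET6):
        print(f"{addr:<20} {verdict}")
```

On a server, pass the real contents of /proc/net/if_inet6 (an empty string if the file is empty or absent) together with the domain's A and AAAA answers.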
Conclusion
In short, AutoSSL DCV failure occurs when the domain resolves to a different IP than the server IP, or due to missing IPv6 support on the server. Today, we saw how our Support Engineers fixed related errors.
But you don’t say how you found that IPv6 was disabled.
What command did you issue?
What menu did you consult?
What file did you inspect?
And what steps did you follow to enable the IPv6 protocol?
Hello Chris,
Updated the blog content with commands to check and enable IPv6 support. If you need further assistance, we’ll be happy to talk to you on chat (click on the icon at right-bottom).
Stopped by to say thanks for the tip about IPv6 support. cPanel has a post on the forums about it, but BobCares' explanation was clearer and made the fix easy to do.
Hi,
Thanks for the feedback. We are glad to know that our article helped you solve the issue.
DNS DCV: No local authority: “moony.ma”; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at “http://moony.ma/.well-known/pki-validation/607007B3F9F61BB5295A66EFB05922E3.txt” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://moony.ma/.well-known/pki-validation/607007B3F9F61BB5295A66EFB05922E3.txt” because of an error: Could not connect to ‘moony.ma:80’: Connection timed out. The domain “moony.ma” resolved to an IP address “0064:ff9b:0000:0000:0000:0000:bca5:f773” that does not exist on this server.
Could you please help me to resolve this issue ?
Thank you in advance for your support !
Hi,
Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at right-bottom).
Hi, I have a similar problem to MAD. How is it solved?
Hi,
Please contact our support team via live chat (click on the icon at right-bottom).