AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server

[cpanzy]

AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server.

Domains using the local server DNS are working with AutoSSL, but not domains that are using an external 3rd party DNS server.

The domain in question does resolve to the server IP.

Running the following command on the server does return the correct server IP:
/scripts/cpdig exampledomain.com A


AutoSSL log shows:

12:05:54 AM AutoSSL’s configured provider is “cPanel (powered by Sectigo)”.
This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Analyzing “username”’s domains …
12:05:54 AM Analyzing “exampledomain.com” (website) …
12:05:54 AM ERROR TLS Status: Defective
ERROR Certificate expiry: 5/2/22, 12:00 AM UTC (3.59 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
12:05:54 AM Attempting to ensure the existence of necessary CAA records …
12:05:54 AM No CAA records were created.
12:05:54 AM Verifying 3 domains’ management status …
Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
12:05:54 AM “www.exampledomain.com” is managed.
“mail.exampledomain.com” is managed.
“exampledomain.com” is managed.
All of this user’s 3 domains are managed.
12:05:55 AM CA authorized: “exampledomain.com”
CA authorized: “mail.exampledomain.com”
12:06:12 AM WARN DNS query error (www.exampledomain.com/CAA): SERVFAIL (2)
12:06:12 AM CA authorized: “www.exampledomain.com”
“cPanel (powered by Sectigo)” is authorized to issue certificates for 3 of this user’s 3 domains.
12:06:12 AM Performing HTTP DCV (Domain Control Validation) on 3 domains …
12:06:42 AM WARN Local HTTP DCV error (exampledomain.com): “exampledomain.com” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (www.exampledomain.com): “www.exampledomain.com” does not resolve to any IP addresses on the internet.
WARN Local HTTP DCV error (mail.exampledomain.com): “mail.exampledomain.com” does not resolve to any IP addresses on the internet.
12:06:42 AM Verifying local authority for 3 domains …
12:06:42 AM ERROR Failed to determine local authority for “exampledomain.com”: (XID zg6cuq) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “exampledomain.com”’s “SOA” records.
ERROR Failed to determine local authority for “www.exampledomain.com”: (XID zg6cuq) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “exampledomain.com”’s “SOA” records.
ERROR Failed to determine local authority for “mail.exampledomain.com”: (XID zg6cuq) DNS returned “SERVFAIL” (code 2) in response to the system’s query for “exampledomain.com”’s “SOA” records.
12:06:42 AM No local DNS DCV is necessary.
12:06:42 AM Processing “username”’s local DCV results …
12:06:42 AM Analyzing “exampledomain.com”’s DCV results …
12:06:42 AM ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
12:06:42 AM The system has completed “username”’s AutoSSL check.

 

[cPRex]

Hey there! Can you try running this command on the webserver to see if that pulls the correct nameservers?

/usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("domain.com"));'

Just change "domain.com" at the end to your domain, leaving the quotes, and then run that command. It should return the nameservers and IP addresses of those nameservers where it is checking for the DNS information.

 

[cpanzy]

thanks,

results of command:

]# /usr/local/cpanel/3rdparty/bin/perl -MCpanel::DnsRoots -MData::Dumper -e 'print Dumper(Cpanel::DnsRoots->new()->get_nameservers_for_domain("exampledomain.com"));'
$VAR1 = {
'server-sbs.futuretek.net.au' => '110.173.226.29',
'server-rmm.futuretek.net.au' => undef,
'server-vhd-01.futuretek.net.au' => undef,
'websrv.futuretek.net.au' => undef,
'server-vhd-02.futuretek.net.au' => undef,
'server-vhd.futuretek.net.au' => undef,
'server-vhd-03.futuretek.net.au' => undef
};

these results are not our IP or or domain name, also these results returned are not the DNS servers of that domain when doing a domain whois via domaindossier for example. But they are the NS records in the zone when doing a dig of the domains DNS zone records.

results of whois:

Name Server: NS5.DNSUNLIMITED.COM
Name Server: NS4.DNSUNLIMITED.COM
Name Server: NS3.DNSUNLIMITED.COM
Name Server: NS1.DNSUNLIMITED.COM
Name Server: NS2.DNSUNLIMITED.COM


results of DNS dig:

exampledomain.com	IN	NS	server-vhd-03.futuretek.net.au	3600s​	(01:00:00)
exampledomain.com	IN	NS	websrv.futuretek.net.au	3600s​	(01:00:00)
exampledomain.com	IN	NS	server-vhd-02.futuretek.net.au	3600s​	(01:00:00)
exampledomain.com	IN	NS	server-sbs.futuretek.net.au	3600s​	(01:00:00)
exampledomain.com	IN	NS	server-rmm.futuretek.net.au	3600s​	(01:00:00)
exampledomain.com	IN	NS	server-vhd.futuretek.net.au	3600s​	(01:00:00)
exampledomain.com	IN	NS	server-vhd-01.futuretek.net.au	3600s​	(01:00:00)

One thing I can add that may be causing the issue, when running the domain through Domain Dossier on centralops.net, for the DNS records section, before it shows the zone, it shows:

DNS query for exampledomain.com failed: TimedOut

then it continues to show the zone. Other domains I test do not show this timeout.

 

[cPRex]

I'm glad that helped - once the namserver issues are resolved and that command doesn't have the "undef" output I would expect things to work well. I also like using intoDNS: checks DNS and mail servers health to ensure things are working well and there are no odd DNS issues, as AutoSSL ensures that every DNS entry from the root nameservers down to your local machine is correct before it will issue a certificate.

 

[cpanzy]

Thank you for your prompt help.

 

[cPRex]

You're very welcome!