All domains on server but two will NOT validate

Have about 360 domains on my server and only two are getting this error:

ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.

I check that the domains resolve to the our IP's and tried to manually run AutoSSL on cPanel server to renew the domains. I have confirmed that IPv6 is enabled on the server.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bmwplumbing.net

I ran this command: It was autoSSL on cPanel. I forced run

It produced this output:

Log for the AutoSSL run for “bmwplumb”: Tuesday, August 16, 2022 8:20:17 AM GMT-0500 (Let’s Encrypt™)

8:20:17 AM AutoSSL’s configured provider is “Let’s Encrypt™”.

Analyzing “bmwplumb”’s domains …

8:20:17 AM Analyzing “bmwplumbing.net” (website) …

8:20:17 AM User-excluded domains: 4 (mail.bmwplumbing.net, webmail.bmwplumbing.net, cpcontacts.bmwplumbing.net, cpcalendars.bmwplumbing.net)

TLS Status: Ready for Renewal

WARN Certificate expiry: 8/23/22, 7:25 AM UTC (6.75 days from now)

8:20:17 AM Attempting to ensure the existence of necessary CAA records …

8:20:18 AM No CAA records were created.

8:20:18 AM Verifying 9 domains’ management status …

Verifying “Let’s Encrypt™”’s authorization on 9 domains via DNS CAA records …

8:20:18 AM “www.bmwplumbing.com” is managed.

“mail.bmwplumbing.com” is managed.

“bmwplumbing.com” is managed.

“*.bmwplumbing.com” is managed.

CA authorized: “bmwplumbing.com”

CA authorized: “*.bmwplumbing.com”

CA authorized: “www.bmwplumbing.com”

CA authorized: “bmwplumbing.net”

CA authorized: “*.bmwplumbing.net”

CA authorized: “www.bmwplumbing.net”

“www.bmwplumbing.net” is managed.

“*.bmwplumbing.net” is managed.

“webdisk.bmwplumbing.net” is managed.

“cpanel.bmwplumbing.net” is managed.

“bmwplumbing.net” is managed.

All of this user’s 9 domains are managed.

CA authorized: “mail.bmwplumbing.com”

CA authorized: “cpanel.bmwplumbing.net”

CA authorized: “webdisk.bmwplumbing.net”

“Let’s Encrypt™” is authorized to issue certificates for 9 of this user’s 9 domains.

8:20:18 AM Performing HTTP DCV (Domain Control Validation) on 7 domains …

8:20:18 AM Local HTTP DCV OK: bmwplumbing.com

Local HTTP DCV OK: bmwplumbing.net

Local HTTP DCV OK: www.bmwplumbing.com

Local HTTP DCV OK: www.bmwplumbing.net

Local HTTP DCV OK: mail.bmwplumbing.com

WARN Local HTTP DCV error (cpanel.bmwplumbing.net): “cpanel.bmwplumbing.net” does not resolve to any IP addresses on the internet.

WARN Local HTTP DCV error (webdisk.bmwplumbing.net): “webdisk.bmwplumbing.net” does not resolve to any IP addresses on the internet.

8:20:18 AM Verifying local authority for 4 domains …

8:20:19 AM Local authority confirmed: “*.bmwplumbing.com”

No local authority: “cpanel.bmwplumbing.net”

No local authority: “webdisk.bmwplumbing.net”

No local authority: “*.bmwplumbing.net”

8:20:19 AM Enqueueing 1 domain (1 zone) for local DNS DCV …

8:20:19 AM Publishing DNS changes for local DNS DCV (1 zone) …

8:20:20 AM Querying DNS to confirm DCV changes …

Processing “bmwplumb”’s local DCV results …

8:20:20 AM Local DNS DCV OK: *.bmwplumbing.com (via bmwplumbing.com)

Analyzing “bmwplumbing.net”’s DCV results …

8:20:20 AM ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.

8:20:20 AM The system has completed “bmwplumb”’s AutoSSL check.

My web server is (include version): cPanel & WHM v104.0.8 (STANDARD) Apache 2.4

The operating system my web server runs on is (include version):CloudLinux v8.6.0

My hosting provider, if applicable, is: Dedicated server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel and WHM

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Neither command produces version.

These errors are pretty much self-explanatory I think. Those hostnames don't exist.

Welcome to the Let's Encrypt Community, Mike!

When trying to acquire a certificate covering subdomain names on cPanel hosting, you'll find that many of the subdomain names point back to your cPanel in various ways to ease access (e.g. cpanel itself, email (mail is certifiable though), webdisk, etc) and thus cannot be certified using HTTP-01 challenges. Though it it usually unnecessary to acquire a certificate covering those subdomain names due to their being covered by a certificate used by your hosting provider, if you wish to do so you'll need to use DNS-01 challenges.

Yes, correct cpanel.bmwplumbing.net and (webdisk.bmwplumbing.net) do no exist.

but bmwplumbing.net and www.bmwplumbing.net does exist. Those are the two important ones. They do resolve to the server. but they fail DCV.

I do not want a certificate for the ones that fail. Again, bmwplumbing.net and www.bmwplumbing.net does exist. They do resolve to the server, but they fail DCV.

I'll check out the link provided. Thank you.

Also, a wildcard certificate (containing *.) can only be issued using a DNS-01 challenge.

Why do you think these failed?

I looked and in know that bmwplumbing.net and www.bmwplumbing.net are not using our cPanel DNS servers do they will not pass DNS challenges. However, they should be able to pass the HTTP challenge.

Should I try to remove the current SSL certificates and see if I can new ones issued? I do not need a wild card cert. I do need bmwplumbing.net and www.bmwplumbing.net certificate validation.

See my post right above your last one.

I see your post. I knew the answer, I'd fix it. Both resolve to the server directly. I've tried to rename the htaccess file and run autoSSL thinking their may be a conflict in there.

Not sure. They pass "Local HTTP DCV OK" for both, then I see this:
No local authority: “*.bmwplumbing.net”

I think it is trying to get wildcard instead of just the domain and www cert. Since DNS validation is not supported, it fails.

How do I tell it to NOT get a wildcard certificate?

Ah! You didn't exclude the webdisk, cpanel, or wildcard subdomain names from certification. It isn't necessary (or possible) to exclude the wildcard subdomain names.

I'm presuming by that message that you can choose which subdomain names to exclude manually.

Yes, this is a good teaching moment.

I have now excluded the cpanel.bmwplumbing.net and webdisk.bmwplumbing.net and trying to validate again. I have not option to exclude *.bmwplumbing.net in cpanel SSL Status

I think the wildcard exclusion won't be necessary.

excluding the cpanel.bmwplumbing.net and webdisk.bmwplumbing.net fixed it. I now have SSL renewals that expire in November instead of Next week August.

Thanks for talking me through this.

You're quite welcome!

Have a great day!

You also, my friend!