AutoSSL DCV ERROR

I have AutoSSL enabled in WHM and set up to use Let’s Encrypt. At the moment things are not working and I am getting an error like this in the log:

WARN Local HTTP DCV error (example.com): An internal error occurred. Check the system log. (XID: xnek22)

Does anyone have any idea where the “system log” is? The error tells me little to nothing about what happened and “Check the system log” is equally vague.

Hi

The DCV system log is on your WHM root user panel.
Please log in as the root user to WHM and check the AutoSSL log section.

Thank you

That’s exactly where I am. Breadcrumb is:

Home » SSL/TLS » Manage AutoSSL

And I am on the Logs tab. I click the most recent log and view log and there’s something like this (domain name replaced):

12:37:08 PM Performing DCV (Domain Control Validation) …
WARN Local HTTP DCV error (example.com): An internal error occurred. Check the system log. (XID: q2k795)
WARN Local HTTP DCV error (www.example.com): An internal error occurred. Check the system log. (XID: fggrv8)
12:37:15 PM ERROR Local DNS DCV error (example.com): The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=5bNVtdyIJM8u954mQJuV6UlG0jJ8iJLVcNTMsvcXMzpBq4S1jSJ__0PCBegqLUdH”.
ERROR Local DNS DCV error (www.example.com): The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=5bNVtdyIJM8u954mQJuV6UlG0jJ8iJLVcNTMsvcXMzpBq4S1jSJ__0PCBegqLUdH”.
Analyzing “example.com”’s DCV results …
12:37:15 PM ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
12:37:15 PM The system has completed the AutoSSL check for “example”. 

DNS DCV is not going to work because the DNS is not hosted through WHM or cPanel. So I need to use HTTP DCV but I am not understanding where to find out more about this error or why HTTP DCV is failing.

Hi @billynoah

The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=5bNVtdyIJM8u954mQJuV6UlG0jJ8iJLVcNTMsvcXMzpBq4S1jSJ__0PCBegqLUdH”.

Looks like cPanel creates its own DNS test record to do some checks. And this doesn't work if the DNS is hosted somewhere else.

  • Is there an update?
  • Or is it possible to skip this test? I don't use cPanel
  • If not, looks like you have to use http-01 validation

JuergenAuer - The DNS DCV is only a fallback:

In cPanel & WHM version 74, we added DNS-based Domain Control Validation (DCV), which the server automatically runs if HTTP-based DCV fails. DNS-based DCV provides an additional method for cPanel & WHM servers to prove domain control to certificate authorities. This new method will significantly improve SSL issuance rates and reduce AutoSSL notifications.

The real issue at hand is the HTTP DCV is failing. I think I could figure this out if I knew what "Check the system log" was referring to.

What's your domain name? There may be wrong redirects or other problems so http-01 validation fails.

You are correct! There was a redirect in place to send all traffic to https. I’m not sure why this is an issue since I use certbot on other servers where a similar redirect is in place and causes no issues. In this case it does. Shrug.

Thank you for pointing me in the right direction!

Looks like this is a special limitation of using AutoSSL in WHM:

https://forums.cpanel.net/threads/autossl-errors-not-renewing-certificate.630015/

AutoSSL will not work with a forced redirection to https at CloudFlare. The DCV check needs to be able to complete over http.

from November 2017.

Let's Encrypt accepts such redirects, so it's not a Let's Encrypt limitation.

For the sake of any future googlers who come here looking for answers, I added the following just before my ssl redirect (which is being handled by mod_rewrite) and this took care of the issue:

RewriteRule ^\.well-known/ - [L,NC]
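
A way to confirm the fix from this thread, as an added example that is not part of the original posts: request a path under /.well-known/ over plain HTTP without following redirects, and compare a server that redirects everything to HTTPS with one that exempts /.well-known/ first. The probe path, the local stand-in server and the function names are constructed for the illustration; the real DCV file name is chosen by AutoSSL.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe path; the real DCV file name is chosen by AutoSSL.
PROBE = "/.well-known/dcv-probe-constructed.txt"

def make_handler(exempt_well_known):
    """Stand-in for the vhost: force HTTPS, optionally exempting /.well-known/."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Same intent as the thread's rule, matched here on the full URL path.
            if exempt_well_known and re.match(r"^/\.well-known/", self.path, re.I):
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"constructed-dcv-token\n")
                return
            # Everything else is sent to HTTPS, as the forced redirect did.
            self.send_response(301)
            self.send_header("Location", "https://example.com" + self.path)
            self.end_headers()
        log_message = lambda self, *args: None  # keep the demo quiet
    return Handler

def probe(host, port, path=PROBE):
    """GET path over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def run_case(exempt_well_known, path=PROBE):
    """Start the stand-in server on a free local port and probe it once."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(exempt_well_known))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1], path)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for exempt in (False, True):
        print("exempt /.well-known/ =", exempt, "->", run_case(exempt))
```

Against a real host, call `probe("example.com", 80)` with a test file you placed under /.well-known/; a 301 with an https `Location` means the redirect still runs before the exemption.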