AutoSSL / Let’s Encrypt HTTP DCV resolves domain to old IP despite correct DNS

Hello,

I’m having an issue with Let’s Encrypt validation using cPanel AutoSSL.

The problem is that during HTTP DCV, Let’s Encrypt resolves my domain to an old IP address that no longer belongs to my server, even though DNS is currently correct everywhere I can verify.

Details:

  • Hosting environment: cPanel/WHM with AutoSSL (Let’s Encrypt)
  • Authoritative nameservers: ns1/ns2/ns3.contabo.net
  • Correct server IP: 144.126.134.92
  • Old IP reported by LE during DCV: 38.242.198.222

Verification performed:

  • dig +short domain A returns the correct IP
  • dig +short www.domain A returns the correct IP
  • No AAAA (IPv6) records exist
  • dnschecker.org shows the correct IP globally
  • HTTP requests reach the correct server (curl -I http://domain/.well-known/ responds locally)

However, AutoSSL logs consistently show:

“The domain resolved to an IP address 38.242.198.222 that does not exist on this server”

This causes TOTAL_DCV_FAILURE for all SAN entries.

At this point, DNS is fully aligned and stable, but Let’s Encrypt still appears to be using external resolvers with cached data during HTTP validation.

Workaround:
Switching AutoSSL to DNS DCV instead of HTTP DCV works correctly, which confirms the issue is related to resolver caching during HTTP validation rather than DNS configuration itself.

Question:
Is there a known behavior or limitation where Let’s Encrypt HTTP DCV may rely on resolvers with stale cache even after DNS propagation is complete?
Are there recommended mitigation steps besides waiting or forcing DNS-based validation?

Any insight would be appreciated.

Thanks!

My domain is:
advocaciamedeiros.adv.br

I ran this command:
/usr/local/cpanel/bin/autossl_check --user=advmedeiros

It produced this output:

root@zion.clebersleite.com.br/h/a/m/a/rodrigo$ /usr/local/cpanel/bin/autossl_check --user=advmedeiros

AutoSSL’s configured provider is “Let’s Encrypt™”.
Analyzing “advmedeiros”’s domains …
Analyzing “advocaciamedeiros.adv.br” (website) …
TLS Status: Defective
Defect: NO_SSL: No SSL certificate is installed.
Attempting to ensure the existence of necessary CAA records …
No CAA records were created.
Verifying 10 domains’ management status …
Verifying “Let’s Encrypt™”’s authorization on 10 domains via DNS CAA records …
“webdisk.advocaciamedeiros.adv.br” is managed.
“cpanel.advocaciamedeiros.adv.br” is managed.
“mail.advocaciamedeiros.adv.br” is managed.
“www.advocaciamedeiros.adv.br” is managed.
“advocaciamedeiros.adv.br” is managed.
“webmail.advocaciamedeiros.adv.br” is managed.
“cpcontacts.advocaciamedeiros.adv.br” is managed.
“cpcalendars.advocaciamedeiros.adv.br” is managed.
“autodiscover.advocaciamedeiros.adv.br” is managed.
“*.advocaciamedeiros.adv.br” is managed.
All of this user’s 10 domains are managed.
CA authorized: “advocaciamedeiros.adv.br”
CA authorized: “*.advocaciamedeiros.adv.br”
CA authorized: “mail.advocaciamedeiros.adv.br”
CA authorized: “www.advocaciamedeiros.adv.br”
CA authorized: “cpcalendars.advocaciamedeiros.adv.br”
CA authorized: “autodiscover.advocaciamedeiros.adv.br”
CA authorized: “cpanel.advocaciamedeiros.adv.br”
CA authorized: “webdisk.advocaciamedeiros.adv.br”
CA authorized: “webmail.advocaciamedeiros.adv.br”
CA authorized: “cpcontacts.advocaciamedeiros.adv.br”
“Let’s Encrypt™” is authorized to issue certificates for 10 of this user’s 10 domains.
Performing HTTP DCV (Domain Control Validation) on 9 domains …
Local HTTP DCV error (advocaciamedeiros.adv.br): The system queried for a temporary file at “http://advocaciamedeiros.adv.br/.well-known/acme-challenge/4MNHTXYDLV16PB33TSBFQHRA1A0TGB82”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (www.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://www.advocaciamedeiros.adv.br/.well-known/acme-challenge/RCHJHTDL_JUH72-P4N_58KT2H4K4227O”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “www.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (mail.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://mail.advocaciamedeiros.adv.br/.well-known/acme-challenge/EGX6H0ZYP-UG1MQOK9_9KXJ7I9TUSRZ1”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “mail.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (cpanel.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://cpanel.advocaciamedeiros.adv.br/.well-known/acme-challenge/8VXM1OSHXZL8BOZ8P6B7NBBEIIS88_MK”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “cpanel.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (webdisk.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://webdisk.advocaciamedeiros.adv.br/.well-known/acme-challenge/DN_AAZ8_UYC48848M8ZEPJCDOPRJCTRB”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “webdisk.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (webmail.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://webmail.advocaciamedeiros.adv.br/.well-known/acme-challenge/50LY31G1V2R1NVBA-9YJ7CA1ML_C00UQ”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “webmail.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (cpcontacts.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://cpcontacts.advocaciamedeiros.adv.br/.well-known/acme-challenge/D641CJBSZGTT44RMCRYH7CVNKOIMNN9S”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “cpcontacts.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (cpcalendars.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://cpcalendars.advocaciamedeiros.adv.br/.well-known/acme-challenge/-Y4X3-Q9SONOJ7SBHVPZ15BRL43ITQ3N”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “cpcalendars.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Local HTTP DCV error (autodiscover.advocaciamedeiros.adv.br): The system queried for a temporary file at “http://autodiscover.advocaciamedeiros.adv.br/.well-known/acme-challenge/WTL_KLIR5GCX6AMY53SWS-Z__-C9OY_4”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “autodiscover.advocaciamedeiros.adv.br” resolved to an IP address “38.242.198.222” that does not exist on this server.
Verifying local authority for 10 domains …
No local authority: “advocaciamedeiros.adv.br”
No local authority: “www.advocaciamedeiros.adv.br”
No local authority: “mail.advocaciamedeiros.adv.br”
No local authority: “cpanel.advocaciamedeiros.adv.br”
No local authority: “webdisk.advocaciamedeiros.adv.br”
No local authority: “webmail.advocaciamedeiros.adv.br”
No local authority: “cpcontacts.advocaciamedeiros.adv.br”
No local authority: “cpcalendars.advocaciamedeiros.adv.br”
No local authority: “autodiscover.advocaciamedeiros.adv.br”
No local authority: “*.advocaciamedeiros.adv.br”
No local DNS DCV is necessary.
Processing “advmedeiros”’s local DCV results …
Analyzing “advocaciamedeiros.adv.br”’s DCV results …
Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
The system has completed “advmedeiros”’s AutoSSL check.
root@zion.clebersleite.com.br/h/a/m/a/rodrigo$

Check some more, your DNS looks to be pretty broken. Some of your DNS servers aren't responding at all, while others are giving what you say is the "wrong" IP.

DNSViz reports a bunch of errors:

This view would be where I'd start, since it shows that your delegations aren't right: https://dnsviz.net/d/advocaciamedeiros.adv.br/servers/

Which servers do you think are authoritative for your domain? Make sure that your registrar has the right list, and the NS records on those servers agree with it.

Just for reference, if you scroll to the bottom of this page, you can see which DNS servers are reporting which IP for your A record: https://dnsviz.net/d/advocaciamedeiros.adv.br/responses/
But I'm guessing that once you fix your delegations then the "wrong" servers won't be queried.

6 Likes
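The check the reply above describes (compare the delegation the registrar holds with the NS RRset and apex A answer every nameserver actually gives, and see which servers answer at all), written out as an added example in Python; it is not code from this thread, from cPanel or from DNSViz. The per-server answers below are constructed to resemble the thread, and `ns1.oldhost.example.` is a hypothetical stand-in for a previous provider's server. In practice you would fill `PARENT_NS` from the referral the parent's servers return (`dig +norecurse @<parent-ns> advocaciamedeiros.adv.br NS`) and `ANSWERS` from `dig +norecurse @<server> advocaciamedeiros.adv.br NS` and `... A` against each server. Note that the log lines in the first post are cPanel's own local pre-check ("Local HTTP DCV"), which resolves the name with the server's resolver before anything is sent to Let's Encrypt, so the stale answer was visible locally, not only from the CA's vantage points.

```python
"""Delegation consistency check (added example; not code from the thread)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

DOMAIN = "advocaciamedeiros.adv.br."
EXPECTED_IP = "144.126.134.92"   # correct server IP from the original post
STALE_IP = "38.242.198.222"      # old IP that AutoSSL kept reporting


@dataclass(frozen=True)
class Answer:
    """What one nameserver returned for the apex; None = timeout or SERVFAIL."""
    ns: Optional[FrozenSet[str]]
    a: Optional[FrozenSet[str]]


# Constructed: the NS set the parent zone's servers hand out as a referral
# (the list the registrar holds). From: dig +norecurse @<parent-ns> <domain> NS
PARENT_NS = frozenset({"ns1.contabo.net.", "ns2.contabo.net.", "ns3.contabo.net."})

# Constructed: the child zone still lists a previous provider's server.
# ns1.oldhost.example. is a hypothetical name standing in for that server.
STALE_CHILD_NS = PARENT_NS | {"ns1.oldhost.example."}

# Constructed per-server answers. From: dig +norecurse @<server> <domain> NS / A
ANSWERS: Dict[str, Answer] = {
    "ns1.contabo.net.": Answer(STALE_CHILD_NS, frozenset({EXPECTED_IP})),
    "ns2.contabo.net.": Answer(STALE_CHILD_NS, frozenset({EXPECTED_IP})),
    "ns3.contabo.net.": Answer(None, None),  # did not respond
    "ns1.oldhost.example.": Answer(frozenset({"ns1.oldhost.example."}),
                                   frozenset({STALE_IP})),
}


def check_delegation(parent_ns, answers, expected_ip):
    """Compare the parent's delegation with what every server actually serves.

    Returns a dict of findings; 'consistent' is True only when every server
    answers, serves the same NS RRset as the parent, and gives the expected A.
    """
    report = {"unresponsive": [], "ns_mismatch": {}, "wrong_ip": {},
              "a_by_server": {}, "undelegated": []}
    child_ns = set()
    for server, ans in sorted(answers.items()):
        if ans.ns is None or ans.a is None:
            report["unresponsive"].append(server)
            continue
        child_ns |= ans.ns
        report["a_by_server"][server] = sorted(ans.a)   # "which server says which IP"
        if ans.ns != parent_ns:
            report["ns_mismatch"][server] = {"extra": sorted(ans.ns - parent_ns),
                                             "missing": sorted(parent_ns - ans.ns)}
        if ans.a != {expected_ip}:
            report["wrong_ip"][server] = sorted(ans.a)
    # Servers named in a child NS RRset but absent from the parent's delegation:
    # resolvers that trust the child's authoritative NS set keep querying them,
    # so whatever stale data they hold leaks into otherwise "correct" DNS.
    report["undelegated"] = sorted(child_ns - parent_ns)
    report["consistent"] = not (report["unresponsive"] or report["ns_mismatch"]
                                or report["wrong_ip"] or report["undelegated"])
    return report


if __name__ == "__main__":
    for key, value in check_delegation(PARENT_NS, ANSWERS, EXPECTED_IP).items():
        print(f"{key}: {value}")
```

The `undelegated` list is the piece that matches the reply's closing remark: once the child NS RRset agrees with the parent's delegation, the old server drops out of the set resolvers will query, and the stale A answer disappears with it.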

Thanks for the help — we were able to identify and resolve the issue.

The problem was not related to AutoSSL itself, but to legacy DNS zone data left from a previous provider. Several zones still had outdated SOA and NS records pointing to old nameservers, even though the domains were no longer using them at the registrar level.

This caused inconsistent DNS authority information inside WHM, which in turn led to SSL validation and renewal issues.

The fix was:

  • Auditing all local DNS zone files
  • Replacing outdated SOA and NS records with the correct authoritative nameservers
  • Validating each zone with named-checkzone before applying changes
  • Reloading DNS and re-running AutoSSL after the cleanup

After normalizing the zones, AutoSSL started working correctly again.

Thanks again for pointing us in the right direction.

3 Likes
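A zone audit along the lines of the fix described in the last post, as an added example in Python; it is not code from the thread, from cPanel or from BIND. It parses a BIND-style zone, flags a SOA MNAME or apex NS set that does not match the authoritative nameservers and any A record still pointing at the old IP, then emits a normalized zone for `named-checkzone` and a reload. `SAMPLE_ZONE` is constructed; `ns1/ns2.oldhost.example.` are hypothetical names for the previous provider; using the first expected nameserver as the SOA MNAME, bumping the serial by one, and requiring a `$ORIGIN` line are assumptions of this example, not something the post states.

```python
"""Zone audit: flag and fix stale SOA/NS data (added example; not from the thread)."""

EXPECTED_NS = ("ns1.contabo.net.", "ns2.contabo.net.", "ns3.contabo.net.")
EXPECTED_IP = "144.126.134.92"   # correct server IP from the original post
STALE_IP = "38.242.198.222"      # old IP that AutoSSL kept reporting

# Constructed sample: A records already point at the new server, but the SOA
# MNAME, the apex NS set and one host still carry the previous provider's data.
SAMPLE_ZONE = """\
$TTL 14400
$ORIGIN advocaciamedeiros.adv.br.
@       IN  SOA ns1.oldhost.example. hostmaster.advocaciamedeiros.adv.br. (
                2024010101 ; serial
                3600 1800 1209600 86400 )
@       IN  NS  ns1.oldhost.example.
@       IN  NS  ns2.oldhost.example.
@       IN  A   144.126.134.92
www     IN  A   144.126.134.92
legacy  IN  A   38.242.198.222
"""


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    return out


def parse_zone(text):
    """Minimal BIND zone parser; assumes a $ORIGIN line (assumption of this example)."""
    origin, ttl, records = None, None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif tokens[0] == "$TTL":
            ttl = tokens[1]
        else:
            owner, rest = tokens[0], tokens[1:]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            if rest[0].isdigit():          # optional per-record TTL
                rest = rest[1:]
            if rest[0].upper() == "IN":    # optional class
                rest = rest[1:]
            records.append((owner, rest[0].upper(), rest[1:]))
    return {"origin": origin, "ttl": ttl, "records": records}


def audit_zone(text, expected_ns, expected_ip, stale_ip):
    """Return human-readable findings; an empty list means the zone is clean."""
    zone = parse_zone(text)
    origin, records = zone["origin"], zone["records"]
    findings = []
    soa = [r for o, t, r in records if o == origin and t == "SOA"]
    if not soa:
        findings.append("missing SOA")
    elif soa[0][0] not in expected_ns:
        findings.append(f"SOA MNAME {soa[0][0]} is not an authoritative server")
    ns = {r[0] for o, t, r in records if o == origin and t == "NS"}
    if ns != set(expected_ns):
        findings.append(f"apex NS {sorted(ns)} != expected {sorted(expected_ns)}")
    for o, t, r in records:
        if t == "A" and r[0] == stale_ip:
            findings.append(f"{o} A {stale_ip} still points at the old server")
    apex_a = {r[0] for o, t, r in records if o == origin and t == "A"}
    if apex_a != {expected_ip}:
        findings.append(f"{origin} A {sorted(apex_a)} != {expected_ip}")
    return findings


def normalize_zone(text, expected_ns, expected_ip, stale_ip):
    """Rebuild the zone: correct SOA MNAME (expected_ns[0], an assumption), bumped
    serial so secondaries notice, expected apex NS set, stale A records repointed."""
    zone = parse_zone(text)
    origin = zone["origin"]
    out = [f"$TTL {zone['ttl']}"] if zone["ttl"] else []
    out.append(f"$ORIGIN {origin}")
    for owner, rtype, rdata in zone["records"]:
        rel = "@" if owner == origin else owner[: -len(origin) - 1]
        if rtype == "SOA":
            _mname, rname, serial, refresh, retry, expire, minimum = rdata
            out.append(f"{rel} IN SOA {expected_ns[0]} {rname} "
                       f"{int(serial) + 1} {refresh} {retry} {expire} {minimum}")
            out.extend(f"{rel} IN NS {n}" for n in expected_ns)
        elif rtype == "NS" and owner == origin:
            continue  # old apex NS records: replaced right after the SOA
        elif rtype == "A" and rdata[0] == stale_ip:
            out.append(f"{rel} IN A {expected_ip}")
        else:
            out.append(f"{rel} IN {rtype} {' '.join(rdata)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(*audit_zone(SAMPLE_ZONE, EXPECTED_NS, EXPECTED_IP, STALE_IP), sep="\n")
    print(normalize_zone(SAMPLE_ZONE, EXPECTED_NS, EXPECTED_IP, STALE_IP))
```

Write the normalized text to the zone file, run `named-checkzone advocaciamedeiros.adv.br <zonefile>` on it as the post describes, reload the nameserver, and only then re-run `/usr/local/cpanel/bin/autossl_check --user=advmedeiros`; re-running `audit_zone` on the saved file is a quick way to confirm no stale record survived the edit.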