cPanel AutoSSL works for all domains except one

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blueherondraft.com

I ran this command:

It produced this output:

Log for the AutoSSL run for “bluedraftcom”: Monday, October 6, 2025 3:25:16 PM GMT-0400 (Let’s Encrypt™)

3:25:16 PM AutoSSL’s configured provider is “Let’s Encrypt™”.

Analyzing “bluedraftcom”’s domains …

3:25:16 PM Analyzing “blueherondraft.com” (website) …

3:25:16 PM User-excluded domains: 7 (mail.blueherondraft.com, webmail.blueherondraft.com, cpanel.blueherondraft.com, autodiscover.blueherondraft.com, webdisk.blueherondraft.com, cpcontacts.blueherondraft.com, cpcalendars.blueherondraft.com)

ERROR TLS Status: Defective

ERROR Certificate expiry: 3/12/25, 8:46 PM UTC (207.94 days ago)

ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).

3:25:17 PM Attempting to ensure the existence of necessary CAA records …

3:25:17 PM CAA “issue” record created: “blueherondraft.com

Waiting 6.5 seconds for the DNS changes to take effect …

3:25:23 PM Verifying 2 domains’ management status …

Verifying “Let’s Encrypt™”’s authorization on 2 domains via DNS CAA records …

WARN DNS query error (blueherondraft.com/NS): SERVFAIL (2)

WARN DNS query error (blueherondraft.com/NS): SERVFAIL (2)

3:25:23 PM ERROR “blueherondraft.com” is unmanaged. Verify this domain’s registration and authoritative nameserver configuration to correct this problem.

3:25:23 PM WARN DNS query error (www.blueherondraft.com/CAA): SERVFAIL (2)

WARN DNS query error (blueherondraft.com/CAA): SERVFAIL (2)

3:25:23 PM CA authorized: “blueherondraft.com

CA authorized: “www.blueherondraft.com

“Let’s Encrypt™” is authorized to issue certificates for 2 of this user’s 2 domains.

3:25:23 PM WARN DNS query error (www.blueherondraft.com/NS): SERVFAIL (2)

3:25:23 PM ERROR “www.blueherondraft.com” is unmanaged. Verify registration and authoritative nameserver configuration for this domain or “blueherondraft.com” to correct this problem.

AutoSSL cannot confirm management status for any of this user’s 2 domains. AutoSSL cannot secure any domain without confirming its management status.

3:25:23 PM AutoSSL cannot increase “bluedraftcom”’s SSL coverage.

My web server is (include version): Litespeed 6.3.4

The operating system my web server runs on is (include version): Cloudlinux 8.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 130.0.14

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot

Output of dig +trace blueherondraft.com +short:

NS a.root-servers.net. from server 1.1.1.1 in 2 ms.
NS b.root-servers.net. from server 1.1.1.1 in 2 ms.
NS c.root-servers.net. from server 1.1.1.1 in 2 ms.
NS d.root-servers.net. from server 1.1.1.1 in 2 ms.
NS e.root-servers.net. from server 1.1.1.1 in 2 ms.
NS f.root-servers.net. from server 1.1.1.1 in 2 ms.
NS g.root-servers.net. from server 1.1.1.1 in 2 ms.
NS h.root-servers.net. from server 1.1.1.1 in 2 ms.
NS i.root-servers.net. from server 1.1.1.1 in 2 ms.
NS j.root-servers.net. from server 1.1.1.1 in 2 ms.
NS k.root-servers.net. from server 1.1.1.1 in 2 ms.
NS l.root-servers.net. from server 1.1.1.1 in 2 ms.
NS m.root-servers.net. from server 1.1.1.1 in 2 ms.
RRSIG NS 8 0 518400 20251019170000 20251006160000 61809 . txAzXcbhtEPaN2zl2cfAvcQwbxOIXiFnqO/zxH9R9vroLEjyg/ieWn6y mZemLhKm26G+Z7Zf+6BfmxXQuiGXr/s6nH51VCFOsZNHY+Rjki599zYs iayWPwj5EdRrnHBe8NS0lybftlDJHsiEAKPG5+jy8CjHzj8UGfBJvmDN IqU8E32z0CEoJkoADZImjbu74/D1J+C/Roe2caORFrHll4PPkf+wvwtF 6D7vWhPh5q+ASqS7ADYXvNlt0RxeKY12RjbU+Uo6zjJvwp4by9iVb2fY muj+++1A9dNNY2/5/CLUBU4kI6v3Dc2rjJBa7uECpq6zF1Q4V72Ws6WE +6/d+w== from server 1.1.1.1 in 2 ms.
;; BAD REFERRAL

IntoDNS output:

Every other domain on this server is able to successfully generate/update SSL certs via AutoSSL.

The above errors are the key problems. Your AutoSSL system is querying the DNS for that domain and getting a SERVFAIL result from your DNS Server.

Later, AutoSSL says this ...

I assume the odd spelling of bluedraftcom is an issue with copy/paste to this forum.

All of the above happen on your system. No request to Let's Encrypt has been made. AutoSSL is failing during its own validation of your system before requesting the certificate.

I don't see any problem with your DNS server and can readily reach your LiteSpeed server from the public internet. If I saw something obvious I would say.

You'll need to talk with cPanel / AutoSSL experts to understand why it issues that error, and what, exactly, it is complaining about with your DNS.

If you set up cPanel yourself, try the cPanel forum. If a hosting company provides that, start with them.

4 Likes
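
Added example (not part of the original thread, and not cPanel's own code): a small triage of the AutoSSL log above that groups the DNS query errors and checks whether every "unmanaged" domain also had a failed NS lookup, which is the local-resolver failure the reply describes. The sample lines are copied from the log in the first post; the function name and verdict labels are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the AutoSSL log quoted in this thread.
SAMPLE_LOG = """\
3:25:23 PM Verifying 2 domains’ management status …
WARN DNS query error (blueherondraft.com/NS): SERVFAIL (2)
WARN DNS query error (blueherondraft.com/NS): SERVFAIL (2)
3:25:23 PM ERROR “blueherondraft.com” is unmanaged. Verify this domain’s registration and authoritative nameserver configuration to correct this problem.
3:25:23 PM WARN DNS query error (www.blueherondraft.com/CAA): SERVFAIL (2)
WARN DNS query error (blueherondraft.com/CAA): SERVFAIL (2)
3:25:23 PM WARN DNS query error (www.blueherondraft.com/NS): SERVFAIL (2)
3:25:23 PM ERROR “www.blueherondraft.com” is unmanaged. Verify registration and authoritative nameserver configuration for this domain or “blueherondraft.com” to correct this problem.
AutoSSL cannot confirm management status for any of this user’s 2 domains.
"""

# Patterns derived only from the log lines shown on this page.
DNS_ERR = re.compile(r"DNS query error \((?P<name>[^/\s]+)/(?P<rtype>[A-Z]+)\): (?P<rcode>[A-Z]+)")
UNMANAGED = re.compile(r"ERROR [“\"](?P<name>[^”\"]+)[”\"] is unmanaged")

def triage(log_text):
    """Summarise DNS errors and decide where the AutoSSL run stopped."""
    errors = defaultdict(int)   # (name, record type, rcode) -> count
    unmanaged = []              # domains AutoSSL refused to handle
    for line in log_text.splitlines():
        m = DNS_ERR.search(line)
        if m:
            errors[(m["name"].lower(), m["rtype"], m["rcode"])] += 1
            continue
        m = UNMANAGED.search(line)
        if m:
            unmanaged.append(m["name"].lower())
    # Names whose NS lookup failed on the server's own resolver.
    ns_failed = {name for (name, rtype, _rcode) in errors if rtype == "NS"}
    if unmanaged and all(d in ns_failed for d in unmanaged):
        verdict = "local-dns"            # stopped at the management check
    elif unmanaged:
        verdict = "unmanaged-other"      # unmanaged, but no NS error logged
    else:
        verdict = "no-management-error"
    return {"dns_errors": dict(errors), "unmanaged": unmanaged, "verdict": verdict}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (name, rtype, rcode), count in sorted(result["dns_errors"].items()):
        print(f"{name:28} {rtype:4} {rcode} x{count}")
    print("unmanaged:", result["unmanaged"], "->", result["verdict"])
```

A "local-dns" verdict points at the resolver or zone data on the cPanel host itself, so the next check is the one done later in this thread: compare a dig against the authoritative nameserver from outside with the same query run on the server.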

I deleted the DNS zone file and recreated it and that resolved the problem.


bluedraftcom is the cPanel username.

If I query the nameserver externally it returns the correct result:

dig @NS1.BLUEHERONZONE.COM blueherondraft.com

; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.4 <<>> @NS1.BLUEHERONZONE.COM blueherondraft.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41202
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 570405f2228f7d6fb4a79b5f68e44ed42dc64f838f441a15 (good)
;; QUESTION SECTION:
;blueherondraft.com. IN A

;; ANSWER SECTION:
blueherondraft.com. 14400 IN A 66.55.80.150

;; AUTHORITY SECTION:
blueherondraft.com. 86400 IN NS ns1.blueheronzone.com.
blueherondraft.com. 86400 IN NS ns2.blueheronzone.com.

;; ADDITIONAL SECTION:
ns1.blueheronzone.com. 14400 IN A 66.55.80.150
ns2.blueheronzone.com. 14400 IN A 66.55.80.150

;; Query time: 1 msec
;; SERVER: 66.55.80.150#53(66.55.80.150)
;; WHEN: Mon Oct 06 19:20:52 EDT 2025
;; MSG SIZE rcvd: 173

If I query the nameservers directly from the server it's hosted on it fails.

2 Likes

We often use https://dnsviz.net to check DNS. I'd used that before I posted earlier and all was well with it. DNSViz checks a lot more than just one nameserver. Your earlier result: blueherondraft.com | DNSViz

Still? Because that's what the original problem looked like.

3 Likes

@MikeMcQ

I moved this part to the beginning of @vervehst's post to make the solution more evident:

3 Likes

I saw that. But was confused by their comments:

Is all present tense.

I wanted to be sure that recreating the zone also fixed this prior query problem. And not that there was some other aspect that was involved. Which is why I asked if those symptoms still existed. I probably should have let it go. Couldn't help my curiosity :)

4 Likes
