DNS DCV: No local authority "the certificate expired"

My domain is: glwdb.org

I ran this command: (After problems started... see below for more info)
WHM > Manage Auto SSL > Recreate my current registration with “Let’s Encrypt™”.

It produced this output: Ran successfully

My web server is (include version): Server Version: Apache/2.4.57 (cPanel) OpenSSL/1.1.1t mod_bwlimited/1.4

The operating system my web server runs on is (include version): Linux - CentOS v7.9.2009 STANDARD kvm

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don't know): I can setup shell access and I am technically oriented but I have limited shell experience so I'll need detailed instruction.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM/cPanel 110.0.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): unknown... not a shell person but I'll try to get this figured out


Background info / Problem:

  • This certificate and all others related were working fine for a few years until February 23
  • This domain is a forwarding domain only to another domain
  • The site it forwards to is valid, in operation, and that certificate(s) is working fine
  • This is a VPS server that we have full access to if needed
  • I am unaware of any recent server configuration changes that might have caused this. However Bluehost may have updated server software outside our view.
  • Our certificate appears to be valid when checked externally. It comes up as " the certificate has renewed and is Valid from March 25, 2023 to June 23, 2023"

Problem:

  • We are receiving messages every three hours from cPanel with the notification below. These messages started with " The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate". As we passed April 23, they added the "certificate has expired" pre-text. Full message below.

  • The certificate DID actually renew on April 23, as it did on March 23. It's now good through June 23. But WHM/cPanel still says April 23.


Latest message:

.glwdb.org: The AutoSSL certificate expires on Apr 23, 2023 at 11:49:07 PM UTC. At the time of this notice, the certificate expired -1 day, 11 hours, 17 minutes, and 59 seconds ago.
AutoSSL did not renew the certificate for “.glwdb.org”. You must take action to keep this site secure.

The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problem:

*:no_entry: .glwdb.org (checked on Apr 25, 2023 at 12:31:03 PM UTC)

DNS DCV: No local authority: “*.glwdb.org”

..
The following domain lost SSL coverage when the certificate expired:

The certificate that is installed on this website contains the following properties:

Expiration: Sunday, April 23, 2023 at 11:49:07 PM UTC
Domain Names: glwdb.org
www.glwdb.org
Subject: commonName www.glwdb.org
Issuer: countryName US
organizationName Let's Encrypt
commonName R3
The system generated this notice on Tuesday, April 25, 2023 at 12:31:07 PM UTC.

Hello @BobCert, welcome to the Let's Encrypt community. :slightly_smiling_face:

This would need a certificate containing a wildcard domain name; thus requiring the DNS-01 challenge of the Challenge Types - Let's Encrypt

Also here is a list of issued certificates crt.sh | glwdb.org. I see the SANs match only glwdb.org and www.glwdb.org; I do not see any wildcard domain name certificates having been issued. Now it is still possible that a wildcard domain name certificate was issued and https://crt.sh hasn't caught up, but I am not holding my breath for that.

Do you know which of the Challenge Types - Let's Encrypt was used to obtain the previously issued certificates?

2 Likes

If your system is working for all the names you care about, and you don't actually need the *.glwdb.org name, then you probably just need to change your configuration in your control panel to not try to get that name.

I don't have any cPanel experience myself, though, so I don't think I can give you more specific instructions than that.

5 Likes

I don't see any wildcard certs having been issued for that domain.

I do see that the common name changed with this last renewal:

3 Likes

Folks: Trying to follow this... I'm light in SSL.

As I am looking in the cPanel SSL status, I see there's a valid certificate for glwdb.org and for www.glwdb.org. It's the one for *.glwdb.org that's failing. That aligns with your responses above.

I don't know that we do need the wildcard at this point. But, if I want to fix that, what's the path forward? Do I need to use the "purchase a certificate" option in cPanel to get a new Let's Encrypt certificate for the wildcard?

This seems odd as it was all working previously and we made no SSL related changes. Also, I see *.glwdb.org listed in cPanel in the SSL Status area, and clearly it's trying to fetch it, and it must have been working previously as we didn't get messages (for years)... so doesn't that suggest something has fallen off on the Let's Encrypt side in the registration? Is that possible?

Are you 100% certain that a wildcard cert has even been issued?

I think it worked because the names were all covered by other cert(s) [not a wildcard cert].
Things broke and now, when you look into it, you see what you see - but your eyes [or cPanel] deceive you.

3 Likes
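Added example (not code from the thread, from cPanel or from Let's Encrypt) of what "covered by other cert(s)" means in practice: a small Python check that matches a certificate's SAN list against the names AutoSSL wants, applying the browser wildcard rule from RFC 6125 (a `*` stands for exactly one left-most label and never matches the bare parent), plus a parser for the expiry format used in the cPanel notice quoted above. The SAN lists are constructed to mirror the thread: the only logged certificate carries glwdb.org and www.glwdb.org.

```python
from datetime import datetime, timezone


def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN covers hostname.

    Wildcard rule as browsers apply RFC 6125 section 6.4.3: the '*' must be the
    whole left-most label, it matches exactly one label, and it never matches
    the bare parent name. Asking about '*.glwdb.org' itself is only answered by
    a SAN that literally contains the wildcard.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if hostname.startswith("*.") or not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # '.glwdb.org'
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]        # the part the '*' would stand for
    return bool(left) and "." not in left


def uncovered_names(sans, wanted):
    """Names in `wanted` that no SAN in `sans` covers, in the order given."""
    return [h for h in wanted if not any(san_matches(s, h) for s in sans)]


def _parse_notice_time(text: str) -> datetime:
    """Parse the timestamp format used in the cPanel notice,
    e.g. 'Apr 23, 2023 at 11:49:07 PM UTC'."""
    return datetime.strptime(text, "%b %d, %Y at %I:%M:%S %p UTC").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, checked_at: str) -> float:
    """Days left on the certificate at check time (negative once expired)."""
    delta = _parse_notice_time(not_after) - _parse_notice_time(checked_at)
    return delta.total_seconds() / 86400


# Constructed to mirror the thread: the only logged certificate carries the two
# non-wildcard names, while AutoSSL also asks for the wildcard.
LOGGED_SANS = ["glwdb.org", "www.glwdb.org"]
AUTOSSL_WANTS = ["glwdb.org", "www.glwdb.org", "*.glwdb.org"]

if __name__ == "__main__":
    print("not covered by the logged cert:", uncovered_names(LOGGED_SANS, AUTOSSL_WANTS))
    # A real wildcard certificate would cover one level of sub-names but still
    # not the apex, so it is not simply a superset of the certificate above.
    print("wildcard-only leaves out:",
          uncovered_names(["*.glwdb.org"], ["www.glwdb.org", "glwdb.org", "a.b.glwdb.org"]))
    print("days left at notice time:",
          round(days_until_expiry("Apr 23, 2023 at 11:49:07 PM UTC",
                                  "Apr 25, 2023 at 12:31:07 PM UTC"), 2))
```

Run as-is it reports `*.glwdb.org` as the only name the logged certificate does not cover, which is exactly the situation the notice complains about; the second line shows why a wildcard certificate on its own would not replace the existing one either.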

You might need to get assistance from

2 Likes

Well, I admit that I have no snapshots from before the problem. But we got no error messages. I guess that leaves us with three possibilities:

  1. The wildcard "request" was not there previously on the web server and somehow has been added
  2. The entry at Let's Encrypt itself was mysteriously deleted
  3. cPanel wasn't issuing the error messages and now is

I will try Bluehost again (sigh). Their support is terrible these days. I have spoken with them previously about this and they were no help. But, perhaps I can get someone with more clue this time.

Is it normal to have a wildcard for the domain vis-a-vis the SSL Certificate if you don't have a wildcard in your DNS entries? I'm thinking it's not needed... but the entry was apparently added as part of the Bluehost initial certificate registration.

1 Like

You can vote with where you spend the money. :slight_smile:

2 Likes

No.

You can probably just uncheck the box or whatever's needed to tell your control panel to stop trying to issue for it. (Especially as it's not working, and yet not causing problems for you.)

5 Likes

It is not possible to delete a cert from the public logs. We don't see one there now.

It sometimes takes up to 24H to show up in those logs but beyond that it is clear there wasn't one

4 Likes

@MikeMcQ OK, thanks. That means there never was one then since this account setup is a few years old.

@Bruce5051 I just realized I didn't answer your question: No, I don't know what was used for the setup. I have some other domains and a separate VPS server at the same host - all set up in the same time frame. I will see what they have for defaults / setup.

5 Likes

Thank you @BobCert :slight_smile:

2 Likes

Spent some time studying and poking around.

  1. I see some inklings that certain methods (e.g. using cPanel) might not support creating a wildcard certificate through Let's Encrypt. Anyone know if cPanel supports wildcard certificates? Should using Let's Encrypt have an impact on that?

  2. Back at the actual error message I am getting emailed to me: "DNS DCV: No local authority: “*.glwdb.org”"

Do I need to go through a process to do the DCV ahead of time? It appears that Bluehost pushes me to a paid process to get a wildcard certificate. But when I head there (long before the payment part), the preliminary check in cPanel tells me I have a DCV authentication error that must be corrected before going further.

  3. In cPanel, it lets me exclude "DNS defined" entries that I don't want AutoSSL to try to renew for. Theoretically, that would allow me to stop this request that I don't need from running and stop generating an error.

But, it will not allow me to exclude the wildcard entries. I could exclude glwdb.org (no wildcard). I could exclude www.glwdb.org. But it will not allow me to exclude *.glwdb.org. There's no checkbox for "exclude" the wildcard. Note that this is consistent with another VPS account I have there - the wildcard entry cannot be excluded. cPanel 'feature'? Bluehost issue?

Seems it does per below. Also, those are pretty specific questions about cPanel and your hosting service. Some volunteer might be familiar with that exact setup but you'd probably be better off asking your hosting provider. Or even on the cPanel forum.

https://features.cpanel.net/topic/lets-encrypt-wildcard-certificates

3 Likes

Thanks. The Cpanel forum was the next stop on my list. I will fly by the hosting firm but their support tends to be useless unless you get very lucky. I like to assemble all the info I can before spending time talking to them.

I am starting to believe that this "no wildcards" option might be an intentional limitation by the hosting firm... perhaps as a push to pay them for a certificate.

What about the DCV issue? Do I have a verification problem and need to take steps to fix that first before any certificate issuance will work? Or is the fact that we already have certificates for the domain a bypass for that.

1 Like

I don't recognize that as coming from Let's Encrypt. More like a cPanel error message. Without knowing what that means it's hard to say. There are many search results in the cPanel forums for "DNS DCV".

A wildcard cert requires a DNS Challenge and interaction with your DNS records. It's possible to use a DNS Challenge for non-wildcard, but it is required for wildcard.

The error is odd. There is a leading period for the domain name which often means the same as *.glwdb.org which also appears in your post.

But, the only cert in the public logs expiring on Apr 23 is not a wildcard cert (link here)

3 Likes

@MikeMcQ - Would that sort of challenge typically require me to manually set up a DNS record for the Challenge process to find? I read a bit about that but it wasn't clear to me when it was required.

Yes. But, some DNS providers support an API to update them automatically. And, then you need your ACME Client to support that particular DNS provider. These are usually more difficult to setup.

Frankly, I'm not sure why you're still pursuing. You have what appears to be a working system apart from some odd message from cPanel.

3 Likes
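Added example, not code from the thread or from any ACME client, of what that DNS record looks like: the Python below derives the `_acme-challenge` TXT record for a DNS-01 challenge as RFC 8555 section 8.4 specifies (base64url of the SHA-256 of the key authorization, where the key authorization is the token plus the RFC 7638 thumbprint of the account key), and shows that a wildcard name is validated at the base name's record. The token and the account key are constructed placeholders, not values issued by any ACME server.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    serialised with lexicographically sorted keys and no whitespace.
    Extra members such as 'alg' or 'kid' do not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (owner name, TXT value) the client must publish for identifier.

    RFC 8555 section 8.4: TXT value = base64url(SHA-256(key authorization)),
    key authorization = token + "." + thumbprint(account key).
    A wildcard identifier is authorized through its base name, so
    '*.glwdb.org' and 'glwdb.org' both use _acme-challenge.glwdb.org.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base.rstrip('.')}", txt_value


# Constructed placeholders: a real token is issued per challenge by the CA and a
# real RSA modulus is a 2048-bit base64url value; only the shapes matter here.
TOKEN = "constructed-token-not-issued-by-any-ACME-server"
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "constructed-placeholder-modulus", "alg": "RS256"}

if __name__ == "__main__":
    for ident in ("glwdb.org", "*.glwdb.org"):
        name, value = dns01_record(ident, TOKEN, ACCOUNT_JWK)
        print(f'{ident:12} -> {name} IN TXT "{value}"')
```

The output is the record an automated DNS-provider integration would create and later delete on the client's behalf; without such an integration it is the record the operator would have to add by hand for each renewal, which is the manual step asked about above.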