I’ve been using Let’s Encrypt on my WHM/cPanel server for just over a year. I recently set up a new site and in an effort to be a hyper-neat freak I removed any/all DNS listings that I didn’t feel were absolutely critical. (This was a first for me. I usually just let it fly as-is and change them if I need to.)
Anyhow, I got this email earlier today:
The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
mail.example.com [ Last AutoSSL Run at “2017-12-14 at 08:35:35 UTC” ]
“mail.example.com ” does not resolve to any IPv4 addresses on the internet.
For the most current status, navigate to the “SSL/TLS Status” interface. You can also exclude domains from future renewal attempts, which would cease future notifications.
You can fix these problems within 3 days of the certificate expiry date (2018-03-05 at 20:24:45 UTC) or take other actions. If you do not, this certificate will automatically renew without these domains.
The next time that the “LetsEncrypt” AutoSSL provider attempts to renew the SSL certificate, the system will attempt to add the following domains to that certificate:
These are all records I had removed. I went ahead and put them back because I don’t like friction with robots and it’s just as easy to do what they tell me to do, but it got me wondering…Are these CNAME/A records required for Let’s Encrypt to work? Are there others that I might be missing?