Minimum "must have" DNS records?

I’ve been using Let’s Encrypt on my WHM/cPanel server for just over a year. I recently set up a new site and in an effort to be a hyper-neat freak I removed any/all DNS listings that I didn’t feel were absolutely critical. (This was a first for me. I usually just let it fly as-is and change them if I need to.)

Anyhow, I got this email earlier today:

The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:

:no_entry: mail.example.com [ Last AutoSSL Run at “2017-12-14 at 08:35:35 UTC” ]
“mail.example.com ” does not resolve to any IPv4 addresses on the internet.
For the most current status, navigate to the “SSL/TLS Status” interface. You can also exclude domains from future renewal attempts, which would cease future notifications.

You can fix these problems within 3 days of the certificate expiry date (2018-03-05 at 20:24:45 UTC) or take other actions. If you do not, this certificate will automatically renew without these domains.

The next time that the “LetsEncrypt” AutoSSL provider attempts to renew the SSL certificate, the system will attempt to add the following domains to that certificate:

cpanel.example.com
webdisk.example.com
webmail.example.com

These are all records I had removed. I went ahead and put them back because I don’t like friction with robots and it’s just as easy to do what they tell me to do, but it got me wondering…Are these CNAME/A records required for Let’s Encrypt to work? Are there others that I might be missing?

Short answer = NO.
The names must have been used in your cPanel somewhere.

To elaborate a little more, these records are not required for Let’s Encrypt to work in the strictest sense. However, you are required to have records set up such that every FQDN for which you are requesting a certificate is publicly resolvable. If you’re requesting a certificate for a.example.com and b.example.com, c.example.com doesn’t need an A/AAAA/CNAME record. But, if you want to include c.example.com on the certificate, it is required.

It looks like cPanel might be adding some extra subdomains to your request.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.