Renewing the certificate with AutoSSL gives Local HTTP DCV error and Local DNS DCV error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
For the domains below, renewal only succeeds for subdomains like cn.asiansaex.com and en.asiansaex.com:
asiansaex.com
pornbus.com
roseporn.com

Renewal succeeds completely for:
rosyhub.com
sureporn.com

I ran this command:
I am using cPanel AutoSSL

It produced this output:
Local HTTP DCV error, Local DNS DCV error

My web server is (include version):
dedicated servers -soyoustart

The operating system my web server runs on is (include version):
Cpanel 11.68 autoinstaller (CentOS 6 64bit)

My hosting provider, if applicable, is:
soyoustart

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Cpanel 11.68

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not using the Certbot

Hello everyone

When AutoSSL tries to renew the Let’s Encrypt certificate, the log shows the following:

Local HTTP DCV error (.com): The system queried for a temporary file at “http://.com/.well-known/acme-challenge/45TN8M74-I6JJBE1N44933TDY4DPCSIY”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

Local DNS DCV error (.com): The DNS query to “_cpanel-dcv-test-record..com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=IzNNbScLxSm6lJMCEra4rPc9XrC2iFMgS1BZ0bEgcmh_LKvVwlkl1ahR2IJfM_Oa”.

So renewal fails for some domains, but not all of them; some domains succeed, like rosyhub.com and sureporn.com, and show:
Analyzing “****.com”’s DCV results …
[2019-09-06T05:31:33Z] No CAA record added because there is no CAA record from another provider in the DNS for ****.com.
[2019-09-06T05:31:37Z] “Let’s Encrypt™” HTTP DCV OK: ****.com

I am using Cloudflare DNS (only for DNS). All the DNS settings are the same, and only IPv4 points to the domain.

Thanks in advance

Jun

Hi @June

checking that domain that looks wrong - https://check-your-website.server-daten.de/?q=roseporn.com

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| roseporn.com | A | 158.69.242.90 Montreal/Quebec/Canada (CA) - OVH SAS, Hostname: ns527072.ip-158-69-242.net | yes | 1 | 0 |
| | AAAA | 2607:5300:120:25a:: Montreal/Quebec/Canada (CA) - OVH SAS | yes | | |
| www.roseporn.com | A | 158.69.242.90 Montreal/Quebec/Canada (CA) - OVH SAS, Hostname: ns527072.ip-158-69-242.net | yes | 1 | 0 |
| | AAAA | | yes | | |

Your main domain has an ipv4- and ipv6 - address.

But your ipv6 looks wrong. That’s 2607:5300:120:25a:: a standard ipv6 prefix, so it’s your network.

Expanded:

2607:5300:120:25a:0000:0000:0000:0000

So there is no real local part.

The check is already running (checking your html content is very slow). But all checks of your ipv6 have timeouts.

That’s critical, because Letsencrypt prefers ipv6.

So

  • remove the ipv6
  • then try to create a certificate
  • then ask your hoster how to find a correct complete ipv6 address in your network 2607:5300:120:25a::/64 and create a new AAAA record.

Check

Unicast and anycast addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit interface identifier used to identify a host’s network interface

0:0:0:0 isn’t a network interface.

Your www subdomain doesn’t have an ipv6 address -> looks like your other subdomains don’t have ipv6 -> so it works.


Hello JuergenAuer

Thanks for your help, and sorry, I’m new in this area.
I just deleted the IPv6 record at Cloudflare DNS. I know the IPv6 is not correct. I am using a soyoustart dedicated server, and this company didn’t answer any questions about technology. I just used ifconfig to find the server IP, as below:
eth0 Link encap:Ethernet HWaddr 00:25:90:D3:7C:40
inet addr:158.69.242.90 Bcast:158.69.242.255 Mask:255.255.255.0
inet6 addr: 2007:db8:1a34:56cf::/64 Scope:Global
inet6 addr: fe80::225:90ff:fed3:7c40/64 Scope:Link
inet6 addr: 2004:db8:1a34:56cf::/64 Scope:Global
inet6 addr: 2607:5300:120:25a::/64 Scope:Global
but I don’t know which is the correct IPv6 address that I should use for the DNS.
For the sites pornbus.com, sureporn.com and rosyhub.com, none of them has an IPv6 address set in DNS, but pornbus.com can’t auto-renew, and the others have no problem.

Thanks again for your help and I will update if any news
June
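The check discussed in the two posts above, as an added example that is not part of the original thread: it parses the `inet6 addr:` lines of the quoted ifconfig output, labels each address (link-local, prefix-only with an all-zero interface identifier, or host), and compares the AAAA records from the DNS check against what the server has configured. The function names and the `AAAA` dictionary are illustrative assumptions; a prefix-only address is flagged for review, not declared invalid.

```python
import ipaddress
import re

# Constructed sample: the inet6 lines of the ifconfig output quoted in the thread.
IFCONFIG = """\
inet6 addr: 2007:db8:1a34:56cf::/64 Scope:Global
inet6 addr: fe80::225:90ff:fed3:7c40/64 Scope:Link
inet6 addr: 2004:db8:1a34:56cf::/64 Scope:Global
inet6 addr: 2607:5300:120:25a::/64 Scope:Global
"""

# AAAA records as shown in the thread's DNS check (www has none).
AAAA = {"roseporn.com": "2607:5300:120:25a::", "www.roseporn.com": None}

def parse_inet6(text):
    """Return an IPv6Interface for every 'inet6 addr:' line in ifconfig output."""
    found = re.findall(r"inet6 addr:\s*([0-9a-fA-F:]+/\d+)", text)
    return [ipaddress.ip_interface(f) for f in found]

def classify(iface):
    """Label one configured address the way the thread reasons about it."""
    if iface.ip.is_link_local:
        return "link-local"          # fe80::/10, never usable in public DNS
    if iface.ip == iface.network.network_address:
        return "prefix-only"         # interface identifier is all zero
    return "host"

def audit(records, ifaces):
    """Map each hostname to a finding about its AAAA record."""
    by_ip = {i.ip: i for i in ifaces}
    findings = {}
    for host, value in records.items():
        if value is None:
            findings[host] = "no AAAA record"
            continue
        ip = ipaddress.ip_address(value)
        iface = by_ip.get(ip)
        if iface is None:
            findings[host] = "AAAA not configured on this server"
        else:
            findings[host] = f"AAAA is {classify(iface)} ({ip.exploded})"
    return findings

if __name__ == "__main__":
    ifaces = parse_inet6(IFCONFIG)
    for i in ifaces:
        print(i, classify(i))
    for host, finding in audit(AAAA, ifaces).items():
        print(host, "->", finding)
```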

Hi June,

You’re best off contacting cPanel about the AutoSSL DCV errors. These errors don’t come from Let’s Encrypt, but rather from AutoSSL’s preflight checks.

cPanel Support should be able to look at the errors, your account and zone setup to see what’s going wrong.

cPanel 68 has been an unsupported version of cPanel for quite some time. The current version is 82, and the cPanel LTS version is 78. You are missing a lot of bug fixes and security updates. You may wish to upgrade before contacting cPanel. Assuming you can get your licence sorted, which would entitle you to updates and support.

For what it’s worth, it can work. For example, https://www.sprint.net/ (an American ISP and mobile phone operator).

www.sprint.net.  2213  A     208.24.22.50
www.sprint.net.  3436  AAAA  2600::

And there are hosts where you can configure the 0:0:0:0 IP in a /64 without it failing. And also ones where you probably can’t.


Ah, thanks, good to know.

I know autoconfigured setups, so hosts have always addresses <> 0:0:0:0.

Thanks Sir
yes, I will do what you said.
June

Hi JuergenAuer,
I still do not understand how to set up a shared IPv6 at WHM / IP Functions / IPv6 Ranges.
The server gives me 2607:5300:120:25a::/64. I think I have to set up a shared IPv6 and then assign it to all the domains.
2607:5300:120:25a:0000:0000:0000:0000: what is correct to change the 0000:0000:0000:0000 to?
Thanks
Jun

Sorry, I have no idea how WHM manages the network configuration.

And perhaps WHM is the second step. First your server must have an explicit ipv6 address.

But normally that’s the job of your hoster to configure the internal network correct.

PS: Pinging and telnet 2607:5300:120:25a:: 80 works.

There is a cPanel - sorry page:

http://[2607:5300:120:25a::]/cgi-sys/defaultwebpage.cgi

Looks like your network works, but your cPanel doesn’t know that ip address.

Yep - your “network ip” answers - https://check-your-website.server-daten.de/?q=2607%3A5300%3A120%3A25a%3A%3A

This

CN=ns527072.ip-158-69-242.net, 
OU=PositiveSSL, OU=Domain Control Validated
	09.09.2019
	09.09.2020
expires in 366 days	
ns527072.ip-158-69-242.net, www.ns527072.ip-158-69-242.net - 2 entries

is the certificate. Is this your internal server name? Or is this another device?

PS: Are you able to read the “Sorry”-page? If not, there is the content. That’s a standard cPanel page if something isn’t configured.


It is possible you have reached this page because:

The IP address has changed.

The IP address for this domain may have changed recently. Check your DNS settings to verify that the domain is set up correctly. It may take 8-24 hours for DNS changes to propagate. It may be possible to restore access to this site by following these instructions for clearing your dns cache.

There has been a server misconfiguration.

You must verify that your hosting provider has the correct IP address configured for your Apache settings and DNS records. A restart of Apache may be required for new settings to take effect.

The site may have moved to a different server.

The URL for this domain may have changed or the hosting provider may have moved the account to a different server.

Yes, JuergenAuer
my server’s hostname is: ns527072.ip-158-69-242.net
I just added the 2607:5300:120:25a::/64 at WHM/Functions /IPv6 Ranges,
so the next step is to set the shared IPv6 for the server at WHM/Server Configuration/Basic WebHost Manager Setup; at the Basic Config there is now only an IPv4 address.
So can I use 2607:5300:120:25a:: 80 as the shared IPv6 for the server?

Thanks again
Jun

80 is the port I have used.

Use

2607:5300:120:25a::

Yes, I do 2607:5300:120:25a:: as the shared Ipv6
you are super

yes, I can see the sorry page, like you say:

SORRY!
If you are the owner of this website, please contact your hosting provider: webmaster@[2607:120:25a::]

It is possible you have reached this page because:*****

JuergenAuer,

After I entered 2607:5300:120:25a:: for the shared IPv6, I got this answer:

Basic WebHost Manager® Setup

Invalid Shared Virtual Host IPv6 Address value: “2607:5300:120:25a::” (The range overlaps with another existing range: server). This setting will not be updated.

This system has no free IPs.

Then use

2607:5300:120:25a::1

You have a lot of free ipv6 addresses

2607:5300:120:25a:0:0:0:0 - 2607:5300:120:25a:ffff:ffff:ffff:ffff

Then your cPanel doesn’t allow to use the 0:0:0:0 address.

Dear JuergenAuer
1 - Before, I added 2607:5300:120:25a::/64 as an IPv6 address range and set it as: Available - addresses can be assigned
2 - I just assigned the domains sexrose.com and sexhub.com to the IPv6 range, and cPanel automatically allocated for sexrose.com:
IPv6 currently enabled for this user.
IPv6 Address:
2607:5300:0120:025a:0000:0000:0000:0001
Primary Domain:
sexrose.com
IPv6 Subdomain:
ipv6.sexrose.com

and for sexhub.com
IPv6 currently enabled for this user.
IPv6 Address:
2607:5300:0120:025a:0000:0000:0000:0000
Primary Domain:
sexhub.red
IPv6 Subdomain:
ipv6.sexhub.red

and I can now open the site sexrose.com via [2607:5300:120:25a::1]
and sexhub.com via [2607:5300:120:25a::]

Does this mean the IPv6 is working, and that I then put each IPv6 in DNS as AAAA?

Thanks again JuergenAuer
Jun

Dear JuergenAuer
So I can use an IPv6 address like 2607:5300:120:25a:8:8:8:8 for the shared IPv6; a domain first uses its assigned IPv6, and if none is assigned it will use the shared IPv6. Is that right? Sorry for my stupidity.

Thanks
June


Yes, you can.

You have a complete network, 2607:5300:120:25a: is your start. So you have a lot of ipv6 addresses.

There are checks of your ipv6 - https://check-your-website.server-daten.de/?q=2607%3A5300%3A120%3A25a%3A%3A4 = [2607:5300:120:25a::4]

You can create one ipv6 per main domain or per subdomain.

And you have to tell your cPanel your definitions.
