Secondary IP Address for Mail server kills the process on WHM

Hi there,

Running Manage AutoSSL on WHM
Multiple hosted websites.

The mail server uses a different IP address to the Web Server.

Issuing or renewing the certs causes an error, as
domain.com (11.11.11.11)
mail.domain.com (22.22.22.22) is not local in the eyes of Let's Encrypt.

I have to edit the DNS zone back to 11.11.11.11 while I renew or issue,
then edit it back to 22.22.22.22.

An example response is here:

3:20:49 PM Performing DCV (Domain Control Validation) …

3:20:49 PM Local HTTP DCV OK: domain.ie

Local HTTP DCV OK: www.domain.ie

WARN Local HTTP DCV error (mail.domain.ie): The system queried for a temporary file at “http://mail.domain.ie/.well-known/acme-challenge/AIWJG5WVYCKX9ON8TFVVFYA2OVBZMZGC”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.

3:20:56 PM ERROR Local DNS DCV error (mail.domain.ie): The DNS query to “_cpanel-dcv-test-record.domain.ie” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=QyjHfqtgvQmOe7hqePmfEA31uoFYRwiHFzFseLO3Kv0iJZVZQRdKE34yqrDqdw26”.

3:20:56 PM Analyzing “domain.ie”’s DCV results …

3:20:56 PM ERROR Impediment: NO_UNSECURED_DOMAIN_PASSED_DCV: Every unsecured domain failed DCV.

3:20:56 PM The system has completed the AutoSSL check for “domain”.

Then when I point the DNS for
mail.domain.ie. 14400 IN A 11.11.11.11
and run it…

we get success:

3:22:06 PM Analyzing “domain.ie”’s DCV results …

3:22:06 PM local DCV has gained domains

No CAA record added because there is no CAA record from another provider in the DNS for domain.ie.

3:22:10 PM “Let’s Encrypt™” HTTP DCV OK: mail.domain.ie

“Let’s Encrypt™” HTTP DCV OK: www.domain.ie

“Let’s Encrypt™” HTTP DCV OK: domain.ie

AutoSSL will request a new certificate.

Any ideas, or previous info I can use, please…?

Hi @thenetie,

I'm not sure why you need mail.domain.com to be listed on the same certificate if it's hosted on a separate server. But if you do, the easiest way would be to make the HTTP server on mail.domain.com send an HTTP 301 redirect so that http://mail.domain.com/.well-known/acme-challenge/ requests are redirected to the corresponding location in http://domain.com/.well-known/acme-challenge/. In this case, the Let's Encrypt CA validator will follow this redirect and allow the AutoSSL tool to pass the challenge as if the DNS name were pointed to that machine.

Hi Schoen,

thanks for the reply.
Perhaps I didn't make myself clear.

The server has 2 IPs LOCALLY:
one for web and one for mail.

Let's Encrypt cannot see that the second IP is a local IP, so we get errors.

When I change to the first IP (The same IP that Apache runs on) it works fine.

The 404 error is because the second IP doesn't resolve web pages.
mail.domain.com - 22.22.22.22 won't return web pages = 404

As far as AutoSSL goes, you are preventing HTTP DCV from succeeding, by pointing the mail. subdomain somewhere that is not an accessible local virtualhost. From my reading of your post, it may even be a publicly unroutable address.

So your other option is to facilitate the use of DNS DCV instead, by hosting domain.ie's DNS using the cPanel DNS Cluster, so that AutoSSL can create public TXT records for the certificate issuance process.

If you can’t do that, you’re pretty much out of options. And that makes sense, because AutoSSL is unable to demonstrate control over the mail. subdomain.

AutoSSL’s Let’s Encrypt implementation is built by cPanel. You might get more helpful advice by sending them a ticket instead.

Edit: You could also try adding a WHM Apache include for a VirtualHost that listens on 22.22.22.22 and responds to mail.domain.ie (if that address is publicly routable), to be served from the same document root as the main domain.ie virtualhost.
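To make both suggestions concrete (schoen's 301 redirect of the challenge path, and _az's VirtualHost on the mail address sharing the main domain's document root), here is an added Apache 2.4 example. It is not configuration from the thread, from cPanel or from Let's Encrypt; the addresses and hostnames are the thread's placeholders, and the DocumentRoot path is an assumed cPanel-style layout that has to be replaced with the real one. Only one of the two variants should be active at a time, since both claim mail.domain.ie on the same address and port.

```apache
# Added example, not config from the thread, cPanel or Let's Encrypt.
# Goal: make http://mail.domain.ie/.well-known/acme-challenge/<token> answer
# on 22.22.22.22 instead of returning 404, so HTTP DCV for mail.domain.ie
# can pass without editing the zone back and forth.
#
# Preconditions (verify on the box, not assumed here):
#   - Apache is listening on 22.22.22.22:80 (check the Listen directives).
#   - 22.22.22.22 is publicly routable, otherwise the CA never reaches it.
# On cPanel this would typically go into a WHM Apache include file rather
# than the generated httpd.conf, which is rewritten by the system.

# Variant A (schoen's suggestion): no document root on the mail address,
# just hand the challenge path to the web host. The Let's Encrypt HTTP-01
# validator follows 301/302 redirects, so the token only has to exist once,
# in domain.ie's docroot where AutoSSL already writes it.
<VirtualHost 22.22.22.22:80>
    ServerName mail.domain.ie
    RedirectMatch 301 "^/\.well-known/acme-challenge/(.*)$" "http://domain.ie/.well-known/acme-challenge/$1"
</VirtualHost>

# Variant B (_az's edit): serve the challenge directory directly from the
# same document root as domain.ie, and nothing else from the mail address.
# Uncomment this block and comment out Variant A to use it.
# The path /home/user/public_html is an assumption; use domain.ie's real docroot.
#<VirtualHost 22.22.22.22:80>
#    ServerName mail.domain.ie
#    DocumentRoot "/home/user/public_html"
#    # Deny everything by default on the mail address ...
#    <Directory "/home/user/public_html">
#        Require all denied
#    </Directory>
#    # ... except the ACME challenge directory, with no listing.
#    <Directory "/home/user/public_html/.well-known/acme-challenge">
#        Options -Indexes
#        Require all granted
#    </Directory>
#</VirtualHost>
```

After reloading Apache, check from outside the server with `curl -sSI http://mail.domain.ie/.well-known/acme-challenge/probe`: Variant A should answer 301 with a Location header pointing at domain.ie, and Variant B should answer 404 for a token that does not exist but 200 for a file you drop into that directory. Only then re-run Manage AutoSSL; if the mail address is not reachable from the Internet at all, neither variant helps and DNS DCV is the remaining route.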

OK, I think the last option is least painful.
I will ask the guys who handle that stuff to consider it.
Thanks _az,
I appreciate the pointer.
