Subdomain is getting 404 and time out


I have a cpanel server running v106.0.13. We us let's Encrypt for SSL. The client has updated the IP to for the subdomain to point to our servers. However despite DNS resolution at DNS Propagation Checker - Global DNS Testing Tool, we still get DNS errors as the reason no SSL cert is issued. it is timing out with 404.

I checked here too:
Check this Site:

7:40:28 AM Analyzing “”’s DCV results …

7:40:58 AM WARN “Let’s Encrypt™” HTTP DCV error ( Timeout after 30 seconds!

7:41:05 AM WARN Net::ACME2::x::ACME: “” indicated an ACME error: 404 Not Found (404 urn:ietf:params:acme:error:malformed (The request message was malformed) (No such challenge)). ==> Net::ACME2::x::Generic::new('Net::ACME2::x::ACME', '“” indicated an ACME error: 404 Not Found (404 urn:ietf:params:acme:error:malformed (The request message was malformed) (No such challenge)).', HASH(0x40bc490)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/X/ at line 68) ==> Net::ACME2::x::ACME::new('Net::ACME2::x::ACME', HASH(0x40bc490)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/X/ at line 169) ==> X::Tiny::create('Net::ACME2::X', 'ACME', HASH(0x40bc490)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/ at line 214) ==> Net::ACME2::HTTP::_request(Net::ACME2::HTTP=HASH(0x3a96248), 'POST', '', HASH(0x4095728), HASH(0x4008fa0)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/ at line 236) ==> Net::ACME2::HTTP::_request_and_set_last_nonce(Net::ACME2::HTTP=HASH(0x3a96248), 'POST', '', HASH(0x4095728), HASH(0x4008fa0)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/ at line 119) ==> (eval)(Net::ACME2::HTTP=HASH(0x3a96248), 'POST', '', HASH(0x4095728), HASH(0x4008fa0)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/ at line 118) ==> Net::ACME2::HTTP::_post(Net::ACME2::HTTP=HASH(0x3a96248), 'create_key_id_jws', '', HASH(0x40bc580)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/ at line 96) ==> Net::ACME2::HTTP::post_key_id(Net::ACME2::HTTP=HASH(0x3a96248), '', HASH(0x40bc580)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ at line 605) ==> Net::ACME2::_post_url(Net::ACME2::LetsEncrypt=HASH(0x34a8970), '', HASH(0x40bc580)) (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ at line 418) ==> Net::ACME2::accept_challenge(Net::ACME2::LetsEncrypt=HASH(0x34a8970), Net::ACME2::Challenge::dns_01=HASH(0x3fda238)) (called in /var/cpanel/perl/Cpanel/SSL/ACME/ at line 164) ==> Cpanel::SSL::ACME::DCV::attempt_dns(Cpanel::SSL::ACME::DCV=HASH(0x338f720), CODE(0x33d9830), '') (called in /var/cpanel/perl/Cpanel/SSL/Auto/Provider/LetsEncrypt/ at line 111) ==> Cpanel::SSL::Auto::Provider::letsencrypt::Backend::do_dns_dcv(Cpanel::SSL::ACME::DCV=HASH(0x338f720), Cpanel::SSL::Auto::ProviderDCV=HASH(0x33bfd38), ARRAY(0x2540700), undef) (called in /var/cpanel/perl/Cpanel/SSL/Auto/Provider/ at line 630) ==> Cpanel::SSL::Auto::Provider::letsencrypt::get_vhost_dcv_errors(Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x24e64d0), Cpanel::SSL::Auto::ProviderDCV=HASH(0x33bfd38)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/HandleVhost/ at line 101) ==> Cpanel::SSL::Auto::Run::HandleVhost::ProviderDCV::do_provider_dcv(Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x24e64d0), Cpanel::SSL::Auto::Run::Vhost=HASH(0x175fb68), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x338f870)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 369) ==> Cpanel::SSL::Auto::Run::HandleVhost::_do_provider_dcv_for_domains(Cpanel::SSL::Auto::Run::Vhost=HASH(0x175fb68), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x338f870), Cpanel::SSL::Auto::Provider::LetsEncrypt=HASH(0x24e64d0)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 292) ==> Cpanel::SSL::Auto::Run::HandleVhost::_do_provider_dcv_if_supported(Cpanel::SSL::Auto::Run::Vhost=HASH(0x175fb68), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x338f870)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 88) ==> Cpanel::SSL::Auto::Run::HandleVhost::ANON() (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 250) ==> Cpanel::SSL::Auto::Run::HandleVhost::ANON() (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Try/ at line 100) ==> (eval)() (called in /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Try/ at line 91) ==> Try::Tiny::try(CODE(0x338f930), Try::Tiny::Catch=REF(0x32a7a40), Try::Tiny::Finally=REF(0x1695440)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 269) ==> Cpanel::SSL::Auto::Run::HandleVhost::_catch_impediment(Cpanel::SSL::Auto::Run::Vhost=HASH(0x175fb68), Cpanel::SSL::Auto::Problems=HASH(0x27559f0), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x338f870), CODE(0x338f7c8)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 99) ==> Cpanel::SSL::Auto::Run::HandleVhost::handle_defective(Cpanel::SSL::Auto::Run::Vhost=HASH(0x175fb68), Cpanel::SSL::Auto::Problems=HASH(0x27559f0), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x338f870)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 229) ==> Cpanel::SSL::Auto::Run::User::ANON() (called in /usr/local/cpanel/Cpanel/ at line 193) ==> (eval)() (called in /usr/local/cpanel/Cpanel/ at line 193) ==> Cpanel::Try::try(CODE(0x32aed60), 'Cpanel::Exception::AutoSSL::DeferFurtherWork', CODE(0x1796210), '', CODE(0x1796270)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 315) ==> Cpanel::SSL::Auto::Run::User::determine_new_certs_to_request(Cpanel::SSL::Auto::Run::User=HASH(0x1796c18), ARRAY(0x178d8d0), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x30980d0)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 355) ==> Cpanel::SSL::Auto::Run::User::ANON() (called in /usr/local/cpanel/Cpanel/ at line 193) ==> (eval)() (called in /usr/local/cpanel/Cpanel/ at line 193) ==> Cpanel::Try::try(CODE(0x28400b8), 'Cpanel::Exception::AutoSSL::DeferFurtherWork', CODE(0x1796780), '', CODE(0x17967e0)) (called in /usr/local/cpanel/Cpanel/SSL/Auto/Run/ at line 395) ==> Cpanel::SSL::Auto::Run::User::determine_certs_and_renew_ssl(Cpanel::SSL::Auto::Run::User=HASH(0x1796c18), ARRAY(0x178d8d0), Cpanel::SSL::Auto::Run::DCVResult=HASH(0x30980d0)) (called in bin/ at line 291) ==> bin::autossl_check::ANON() (called in bin/ at line 296) ==> bin::autossl_check::ANON() (called in /usr/local/cpanel/Cpanel/ at line 193) ==> (eval)() (called in /usr/local/cpanel/Cpanel/ at line 193) ==> Cpanel::Try::try(CODE(0x283fbd8), 'Cpanel::Exception::AutoSSL::DeferFurtherWork', CODE(0x27ea210)) (called in bin/ at line 317) ==> bin::autossl_check::ANON() (called in /usr/local/cpanel/Cpanel/ at line 99) ==> Cpanel::PIDFile::do('Cpanel::PIDFile', '/var/cpanel/', CODE(0x1674038)) (called in bin/ at line 355) ==> bin::autossl_check::_run_maybe_captured(bin::autossl_check=HASH(0x232ed20)) (called in bin/ at line 116) ==> bin::autossl_check::ANON() (called in /usr/local/cpanel/Cpanel/ at line 50) ==> Cpanel::CaptureFH::do_with_output_captured_to_path_if_non_tty('/usr/local/cpanel/logs/error_log', CODE(0x232ef18)) (called in bin/ at line 117) ==> bin::autossl_check::run(bin::autossl_check=HASH(0x232ed20)) (called in bin/ at line 102) ...propagated at /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/ACME2/, line 162 ...propagated at /usr/local/cpanel/Cpanel/SSL/Auto/Run/, line 258

7:41:05 AM The system has completed “betawbie”’s AutoSSL check.

The DNS is not responding correctly for subdomains of You should try disabling DNSSEC. Or, perhaps remove the wildcard DNS record and replace it with specific names for needed subdomains. We have seen several similar problems recently with wildcard DNS records.

DNSViz (link here) shows some warnings.

And, unboundtest shows failures looking up CAA and AAAA records for the beta subdomain. These records are not required but if they don't exist the DNS should give the correct Not Found indication. See (link here)

Let's Debug also shows these DNS failures (link here)


Thank you.I'll run these suggestions down with the client.


I see the "DNS" problem described.
But, I also see "404", which sounds unrelated to "DNS".
There may be multiple problems at play.

I'd like for you to also check HTTP access to the "beta" site's expected challenge location from the Internet.
And, from that system, HTTPS access to


Might be. But, it's not the typical 404 for a failed HTTP Challenge either. If you try to retrieve the /chall-v3 URL it fails with a 404. Something went wrong with the ACME client request sequence. Could just be a symptom of the DNS failure.

That log error is the same as what I see now for that URL

  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "No such challenge",
  "status": 404


I think they would do well to return something other than what looks like an HTML 404 error code [when it is something other than that].



I had the client disable DNSSEC and will test the beta at


1 Like


After the client disabled DNSSEC the domain validated.

Thank you for your help. I'll note this for future events.

  • Mike

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.