Subdomain is getting 404 and time out

Hello,

I have a cPanel server running v106.0.13. We use Let's Encrypt for SSL. The client has updated the 144.217.153.162 IP for the beta.wbietfs.com subdomain to point to our servers. However, despite DNS resolution at DNS Propagation Checker - Global DNS Testing Tool, we still get DNS errors as the reason no SSL cert is issued. It is timing out with 404.

I checked here too:
Check this Site: beta.wbietfs.com

7:40:28 AM Analyzing “beta.wbietfs.com”’s DCV results …

7:40:58 AM WARN “Let’s Encrypt™” HTTP DCV error (beta.wbietfs.com): Timeout after 30 seconds!

7:41:05 AM WARN Net::ACME2::x::ACME: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/195378145457/PGkMVg” indicated an ACME error: 404 Not Found (404 urn:ietf:params:acme:error:malformed (The request message was malformed) (No such challenge)).

7:41:05 AM The system has completed “betawbie”’s AutoSSL check.

The DNS is not responding correctly for subdomains of wbietfs.com. You should try disabling DNSSEC. Or, perhaps remove the wildcard DNS record and replace it with specific names for needed subdomains. We have seen several similar problems recently with wildcard DNS records.

DNSViz (link here) shows some warnings.

And, unboundtest shows failures looking up CAA and AAAA records for the beta subdomain. These records are not required but if they don't exist the DNS should give the correct Not Found indication. See (link here)

Let's Debug also shows these DNS failures (link here)

3 Likes
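Added example (not part of the original posts): a Python sketch of the distinction made above between a correct "not found" answer and a lookup failure for CAA and AAAA queries. The function names, the `beta.example.test` name and the sample replies are constructed for illustration; `ask()` sends a real query to whatever resolver address you pass it.

```python
import socket
import struct

QTYPES = {"AAAA": 28, "CAA": 257}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, txid=0x1234):
    """Encode a minimal recursive DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN

def ask(resolver_ip, name, qtype, timeout=5.0):
    """Send the query over UDP; None means the resolver never answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (resolver_ip, 53))
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def classify_reply(reply):
    """'ok' when the DNS gave a definite answer (records, NODATA or NXDOMAIN);
    'fail' for anything a CA cannot treat as 'record does not exist'."""
    if reply is None:
        return ("fail", "timeout")
    if len(reply) < 12:
        return ("fail", "short reply")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode == 0:
        return ("ok", "records present" if ancount else "NODATA")
    if rcode == 3:
        return ("ok", "NXDOMAIN")
    # A validating resolver answers SERVFAIL when DNSSEC validation fails.
    return ("fail", RCODES.get(rcode, "RCODE%d" % rcode))

def constructed_reply(name, qtype, rcode):
    """Constructed sample: the query echoed back with QR/RD/RA set, no answers."""
    q = build_query(name, qtype)
    return q[:2] + struct.pack("!H", 0x8180 | rcode) + q[4:]

if __name__ == "__main__":
    for rcode in (0, 3, 2):
        print(classify_reply(constructed_reply("beta.example.test", "CAA", rcode)))
    print(classify_reply(None))
```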

Thank you. I'll run these suggestions down with the client.

2 Likes

I see the "DNS" problem described.
But, I also see "404", which sounds unrelated to "DNS".
There may be multiple problems at play.

I'd like for you to also check HTTP access to the "beta" site's expected challenge location from the Internet.
And, from that system, HTTPS access to acme-v02.api.letsencrypt.org.

2 Likes

Might be. But, it's not the typical 404 for a failed HTTP Challenge either. If you try to retrieve the /chall-v3 URL it fails with a 404. Something went wrong with the ACME client request sequence. Could just be a symptom of the DNS failure.

That log error is the same as what I see now for that URL

curl https://acme-v02.api.letsencrypt.org/acme/chall-v3/195378145457/PGkMVg
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "No such challenge",
  "status": 404
}

3 Likes
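Added example (not part of the original posts): a Python triage of the two WARN lines from the AutoSSL log in this thread. It separates a failure to reach the site (HTTP DCV) from an error returned by the CA's ACME API, and checks that the logged ACME error matches the problem document curl returned. The function names and the `ca_host` default are this example's own choices.

```python
import json
import re
from urllib.parse import urlsplit

# Log lines and problem document copied from the thread above.
LOG = [
    "7:40:58 AM WARN “Let’s Encrypt™” HTTP DCV error (beta.wbietfs.com): "
    "Timeout after 30 seconds!",
    "7:41:05 AM WARN Net::ACME2::x::ACME: “https://acme-v02.api.letsencrypt.org/"
    "acme/chall-v3/195378145457/PGkMVg” indicated an ACME error: 404 Not Found (404 "
    "urn:ietf:params:acme:error:malformed (The request message was malformed) "
    "(No such challenge)).",
]
PROBLEM = json.loads('{"type": "urn:ietf:params:acme:error:malformed",'
                     ' "detail": "No such challenge", "status": 404}')

ACME_ERR = re.compile(
    r"“(?P<url>https://[^”]+)” indicated an ACME error: (?P<status>\d{3}) [^(]*"
    r"\(\d{3} (?P<type>urn:ietf:params:acme:error:\w+) \([^)]*\) "
    r"\((?P<detail>[^)]*)\)\)")
HTTP_DCV = re.compile(r"HTTP DCV error \((?P<domain>[^)]+)\): (?P<msg>.+)")

def triage(line, ca_host="acme-v02.api.letsencrypt.org"):
    """Say where a logged error came from: the CA's API or the validated site."""
    m = ACME_ERR.search(line)
    if m:
        host = urlsplit(m["url"]).hostname
        return {"source": "ca_api" if host == ca_host else "other",
                "status": int(m["status"]), "type": m["type"],
                "detail": m["detail"], "url": m["url"]}
    m = HTTP_DCV.search(line)
    if m:
        return {"source": "http_dcv", "domain": m["domain"], "detail": m["msg"]}
    return None  # not an error line this example recognises

def same_error(entry, problem):
    """True when a triaged log entry and an ACME problem document agree."""
    return all(entry.get(k) == problem[k] for k in ("type", "status", "detail"))

if __name__ == "__main__":
    for line in LOG:
        entry = triage(line)
        print(entry["source"], "-", entry["detail"])
    print("log matches curl output:", same_error(triage(LOG[1]), PROBLEM))
```

Here the 404 is attributed to the ACME API URL rather than to the site's challenge path, which is the distinction drawn in the post above.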

I think they would do well to return something other than what looks like an HTML 404 error code [when it is something other than that].

2 Likes

Hello,

I had the client disable DNSSEC and will test the beta at acme-v02.api.letsencrypt.org

Thanks,

1 Like

Hello,

After the client disabled DNSSEC the domain validated.

Thank you for your help. I'll note this for future events.

  • Mike
2 Likes
