Letsencrypt: Potential reduced AutoSSL coverage error

I do use LetsEncrypt for my domains, and have them on Cloudflare for other services. Problem is that every time LetsEncrypt needs to auto-renew the certificate for one of my domains I keep getting this error sent to me via automatic email notification from my CPanel from my webhosting provider. The email states: “AutoSSL would normally renew this certificate now, but 1 of the website’s secured domains just failed DCV. AutoSSL did not renew the certificate for …dot.com. You must take action to keep this site secure. The DNS query to cpanel-dcv-test-record…dot.com for the DCV challenge returned no TXT record that matches the value xyz…”.

Since this automatic renewal process happens every 3 months, and I have multiple domains, the situation is quickly becoming quite an annoyance because of the process described below that has to be performed every time a LetsEncrypt AutoSSL renewal is due, so that it completes without further errors.

My webhosting support suggested that I temporarily pause the Cloudflare service on the domain that was reporting the error above, and that was usually a workable solution, although still not ideal. Then after 24h I would just restart the Cloudflare service and not get any further renewal errors until the next AutoSSL certificate renewal is attempted in 3 months.

Problem is that just pausing the Cloudflare service no longer seems to be enough, and I actually now need to even temporarily change the DNS servers of the domain back to their defaults for 24 hours to allow the renewal to complete and get rid of the error, then switch the domain DNS back to the Cloudflare DNS servers to continue to use their service.

Has anyone experienced this problem, and found a more workable or permanent solution? Thank you for any help.


Hi, I found something related in cPanel’s forum (it is from 2019 though) and it looks like an issue on their side. So maybe you should open another ticket with them asking for a more permanent solution or give their forum a try.

Hi, I might be wrong, but in my case CPanel just seems to be simply reporting the problem that LetsEncrypt is having to renew the certificate (AutoSSL renewal). Also this problem started earlier this year (April 2020), and not back in 2019, and I have been using Cloudflare and LetsEncrypt on my domains for at least 2 years now and never had any issues before regarding this particular AutoSSL issue.

As my hosting provider tech support explained earlier this year, it seems to happen because my domain’s DNS is not pointing to the IP of the server where the domain is currently hosted, but rather to a Cloudflare IP, and this causes the Lets Encrypt AutoSSL renewal to fail because it cannot validate a certain “Test Record” that apparently is only present at the hosting server.

Pausing the Cloudflare service apparently allowed LetsEncrypt to see the correct hosting server IP again, and it would complete the AutoSSL renewal. But now I have to go as far as actually changing the DNS of the domain to point back to the original hosting server. And this has to be done every 3 months, and for each domain that is up for AutoSSL renewal. Quite a pain in the posterior.

So again, CPanel just seems to be reporting this error by sending me an automated email, which makes me think that the problem is not really an issue directly related to CPanel itself. I also know that my hosting provider always keeps their CPanel installation current with the latest stable release. Thanks for the input.

Hi, just to make sure: You do have the TXT record it reports as “not found” added in your DNS, right?
I looked around here in the forum and the most common cause for that error is the record actually being absent.

https://community.cloudflare.com/search?q=DCV%20challenge%20returned%20no%20TXT

It would also help if you could share the full error message.


As I explained before, it seems that the Lets Encrypt renewal process verification cannot find the TXT verification record while the domain is pointed at Cloudflare. Pointing the domain back to the original hosting server, by either temporarily pausing the Cloudflare service or changing the DNS for at least 24 hours, seems to solve the renewal issue, but then of course I need to once again restart Cloudflare or change the DNS back to point at Cloudflare in order to continue using their service. And there lies the problem, so I would like a permanent solution without having to manually intervene every time the issue happens.

FULL ERROR IN EMAIL MESSAGE FROM CPANEL (domain names and TXT record value edited out):

xyz.com: AutoSSL would normally renew this certificate now, but 1 of the website’s secured domains just failed DCV. To provide you with more time to resolve this problem, AutoSSL will defer the renewal until Jul 21, 2020 at 6:00:55 AM UTC. After that time, AutoSSL will request a replacement certificate that excludes any domains that fail DCV. At the time of this notice, the certificate will expire in 13 days, 13 hours, 57 minutes, and 36 seconds.

AutoSSL did not renew the certificate for xyz.com. You must take action to keep this site secure.

The LetsEncrypt AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
mail.xyz.com (checked on Jul 10, 2020 at 4:03:13 PM UTC)

DNS DCV: The DNS query to cpanel-dcv-test-record.xyz.com for the DCV challenge returned no TXT record that matches the value cpanel-dcv-test-record=hkfcufcfcg78kjsfsbhj76rjdsh; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at http://mail.xyz.com/.well-known/acme-challenge/JGK3CM3F4N77IBJB0JOLHBJM because of an error (cached): Could not connect to ‘2606:4700:3032:0000:0000:0000:ac43:da6a:80’: Address family for hostname not supported.
xyz.com (checked on Jul 10, 2020 at 4:03:13 PM UTC)

DNS DCV: The DNS query to cpanel-dcv-test-record.xyz.com for the DCV challenge returned no TXT record that matches the value cpanel-dcv-test-record=hkfcufcfcg78kjsfsbhj76rjdsh.; HTTP DCV: xyz.com does not resolve to any IP addresses on the internet.
xyz.com (checked on Jul 10, 2020 at 4:03:13 PM UTC)

DNS DCV: The DNS query to cpanel-dcv-test-record.xyz.com for the DCV challenge returned no TXT record that matches the value cpanel-dcv-test-record=hkfcufcfcg78kjsfsbhj76rjdsh. HTTP DCV: www.xyz.com does not resolve to any IP addresses on the internet.

My guess is when the AutoSSL process kicks off, it creates a unique TXT record in cPanel DNS. But your domain is not using cPanel DNS because you’re using Cloudflare. So it won’t find that special TXT record. I bet it generates a new value each time.

The second hurdle is the acme-challenge file. You have it proxied, as the IPv6 address they’re reporting belongs to Cloudflare. If it’s a ‘mail’ subdomain, then it should be set to :grey: instead of :orange:. The HTTP connection will probably also fail because you’ve most likely set your domain for “Always Use HTTPS”, so Cloudflare will always return a redirect response to any HTTP requests. Avoidable if you’re not proxying the ‘mail’ subdomain.

I’m not sure why it complains that your domain and www don’t resolve to an IP address, while the mail subdomain does.

I had seen this on the cPanel forum, about an IPv4 address being expected but only IPv6 being found: https://forums.cpanel.net/threads/autorun-ssl-error.675081/#post-2770257

Edit: Not sure if it makes sense, but the post from 2019 also had something about a misconfigured AAAA entry messing the check (though it also states it supports ipv6).

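The reply above describes the two hurdles (the cpanel-dcv-test-record TXT living only in the cPanel zone, and the acme-challenge fetch landing on a proxied IPv6 address). The following added example, which is not part of the thread or of cPanel, parses a notice in the format quoted above and maps each failing host to those causes and the operator check for each; the hostnames, TXT value and IPv6 literal in the sample are constructed placeholders.

```python
import re

# Constructed sample in the format of the AutoSSL notice quoted in the thread;
# hostnames, TXT value and IPv6 literal are placeholders, not real records.
SAMPLE_NOTICE = """\
mail.example.com (checked on Jul 10, 2020 at 4:03:13 PM UTC)

DNS DCV: The DNS query to cpanel-dcv-test-record.example.com for the DCV challenge returned no TXT record that matches the value cpanel-dcv-test-record=PLACEHOLDER; HTTP DCV: The system failed to fetch the DCV (Domain Control Validation) file at http://mail.example.com/.well-known/acme-challenge/PLACEHOLDER because of an error (cached): Could not connect to '2001:db8::1:80': Address family for hostname not supported.
example.com (checked on Jul 10, 2020 at 4:03:13 PM UTC)

DNS DCV: The DNS query to cpanel-dcv-test-record.example.com for the DCV challenge returned no TXT record that matches the value cpanel-dcv-test-record=PLACEHOLDER.; HTTP DCV: example.com does not resolve to any IP addresses on the internet.
"""

HOST_LINE = re.compile(r"^(?P<host>[\w.-]+) \(checked on (?P<when>.+?)\)$")
TXT_EXPECTED = re.compile(r"DNS query to (?P<name>\S+) for the DCV challenge returned no TXT record that matches the value (?P<value>[\w=-]+)")

# (marker text in the notice, cause label, what to check); list order fixes the
# order of reported causes. The checks are the fixes discussed in the thread.
CAUSES = [
    ("returned no TXT record", "dns_txt_missing",
     "AutoSSL writes the TXT into the cPanel zone; it must also exist in the zone Cloudflare serves"),
    ("failed to fetch the DCV", "http_fetch_failed",
     "/.well-known/acme-challenge/ must answer over plain HTTP with no HTTPS redirect"),
    ("Address family for hostname not supported", "ipv6_only_unreachable",
     "validator reached a proxied IPv6 address; set the host to DNS-only so it hits the origin"),
    ("does not resolve to any IP addresses", "no_address_seen",
     "validator found no A/AAAA record for the host; confirm the record exists"),
]

def parse_autossl_notice(text):
    """Split the notice into one {host, checked, detail} dict per checked hostname."""
    entries = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            entries.append({"host": m["host"], "checked": m["when"], "detail": ""})
        elif entries and line.strip():
            entries[-1]["detail"] += line.strip()
    return entries

def triage(text):
    """Map each failing host to detected causes, checks to run, and the TXT record to verify."""
    report = {}
    for e in parse_autossl_notice(text):
        hits = [(cause, fix) for marker, cause, fix in CAUSES if marker in e["detail"]]
        txt = TXT_EXPECTED.search(e["detail"])
        report[e["host"]] = {
            "causes": [c for c, _ in hits],
            "checks": [f for _, f in hits],
            "txt": (txt["name"], txt["value"]) if txt else None,
        }
    return report
```

The `txt` tuple gives the exact record name and value to look up against the public (Cloudflare-served) zone, which is where the validator looks, rather than against the cPanel zone where AutoSSL wrote it.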

Sometimes the email indicates a DCV challenge error for not only the mail subdomain but also for one or more other subdomains. For example on other domains I have seen it for webmail.xyz.com, webmail.xyz.com, cpcalendars.xyz.com, cpcontacts.xyz.com.

So basically what all this means is that if your website is using a free certificate from LetsEncrypt, it will not be fully compatible with Cloudflare services, unless one is willing to manually do the necessary temporary changes so the renewal can be completed every 3 months? I wonder why nobody else here is having this same issue, can’t believe I am the only one of a very few users that are using LetsEncrypt with Cloudflare. Also was hoping Cloudflare would have already addressed this issue with some kind of a workaround. I tried to contact their support but it seems hopeless.

I also visited the link above to that other thread, and the poster there seems to be getting similar errors and responses from other members, so unfortunately still no real solution in sight.

No. There are many ways to get this to work. Your cPanel just isn’t playing nice with others.

It’s possible there are other options in cPanel to get AutoSSL to work. As I recall, I was able to get one working without the DNS verification a while back using a .well-known file verification.

Cloudflare can’t create a workaround for cPanel. If cPanel wants to do the DNS thing, then you’re stuck. Let’s Encrypt has a workaround in the form of the dns_cloudflare plugin. This is what RunCloud does to make it work. cPanel should figure out a way to do the same.

In the meantime, you can use a Cloudflare Origin CA Certificate if your cPanel will let you.

