Subdomains lost SSL cert after AutoSSL expired and cannot renew


I have a cPanel WordPress site that had AutoSSL set up before moving to Cloudflare (free).

For a while everything was working fine. According to the browsers, the site’s SSL was signed by Cloudflare.

A while ago I started getting errors when AutoSSL tried to run:
“DNS DCV: The DNS query to “_cpanel-dcv-test-record.DOMAIN.COM” for the DCV challenge returned no “TXT” record that matches the value … forbids DCV HTTP redirections.”

And for the proxy subdomains, instead of forbidden DCV HTTP redirection, the errors end with:
“The web server responded with the following error: 401 (Unauthorized). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “cpcontacts.DOMAIN.COM” resolved to an IP address “104.27.x.x” that does not exist on this server.”

Now, the site itself is still working with HTTPS signed by CF, but I cannot send email over SMTP because the mail subdomain’s SSL cert is off.

My hosting provider told me that AutoSSL can’t renew if the nameservers point to Cloudflare.

But why won’t Cloudflare’s SSL work for every subdomain? According to my dashboard, I have a Universal Certificate for *.DOMAIN.COM and DOMAIN.COM.

I thought about setting the nameservers back to the default so AutoSSL can run once again… but that doesn’t seem like a professional solution.

What should I do?

In your case it might be easier to replace the current certificates with a Cloudflare Origin certificate.

These certificates are only valid in a proxied context but they are valid for longer and their issuance is easier.

Thank you. I read about the Origin certificate, but I thought that it was only for traffic between Cloudflare and my host and would not affect email, because email is independent from Cloudflare…?

I’m sorry if this makes no sense and is simply wrong, this topic is beyond my comprehension!

That is correct, but something I did mention: Origin certificates are only valid in a proxied context.

If you need a certificate for something else, you can’t use Origin certificates; however, mail servers typically do not use HTTPS certificates.

In your particular case, Let’s Encrypt can’t verify the domain as you haven’t set up a CNAME and the HTTP request gets blocked by Cloudflare. We only discussed the topic a few days ago in “Where do I add txt record?”. As for configuring the Cloudflare firewall to let Let’s Encrypt through, I would point to the search, as that should return quite a few topics on that subject.
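As an added illustration of the diagnosis in this thread (this is example code, not something posted by the participants or shipped by cPanel or Cloudflare), the script below classifies AutoSSL DCV failure lines of the shape quoted in the question. A DNS DCV line means the `_cpanel-dcv-test-record` TXT record is not visible in the zone the nameservers actually serve; an HTTP DCV line whose resolved address falls inside Cloudflare's published IPv4 ranges means the hostname is proxied, so the challenge request reaches Cloudflare's edge rather than the origin. The log lines, the `example.com` hostnames and the IP addresses are constructed, and the Cloudflare ranges are a hard-coded snapshot that should be refreshed from Cloudflare's published list before being relied on.

```python
"""Classify cPanel AutoSSL DCV failures and flag Cloudflare-proxied hostnames.

Added example, not code from the thread: the log lines are constructed to
mirror the wording of the errors quoted in the question, and the Cloudflare
IPv4 ranges are a snapshot (assumption: verify against https://www.cloudflare.com/ips-v4).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Snapshot of Cloudflare's published IPv4 proxy ranges (assumption: may drift).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed AutoSSL failure lines (example.com, the TXT value and the IPs are placeholders).
SAMPLE_LOG = [
    'DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.com” for the DCV '
    'challenge returned no “TXT” record that matches the value “abc123”.',
    'The web server responded with the following error: 401 (Unauthorized). '
    'The domain “cpcontacts.example.com” resolved to an IP address “104.27.0.1” '
    'that does not exist on this server.',
    'The web server responded with the following error: 404 (Not Found). '
    'The domain “mail.example.com” resolved to an IP address “203.0.113.10” '
    'that does not exist on this server.',
]

DNS_DCV_RE = re.compile(r'The DNS query to “_cpanel-dcv-test-record\.([^”]+)”')
HTTP_DCV_RE = re.compile(r'The domain “([^”]+)” resolved to an IP address “([^”]+)”')


@dataclass
class DcvFailure:
    hostname: str
    method: str                 # "DNS" or "HTTP"
    resolved_ip: Optional[str]  # only present for HTTP DCV failures
    proxied: bool               # True when resolved_ip is inside a Cloudflare range
    advice: str


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def parse_line(line: str) -> Optional[DcvFailure]:
    """Turn one AutoSSL failure line into a DcvFailure, or None if unrecognised."""
    m = DNS_DCV_RE.search(line)
    if m:
        return DcvFailure(
            hostname=m.group(1), method="DNS", resolved_ip=None, proxied=False,
            advice=("the TXT record AutoSSL writes into cPanel's local zone is never "
                    "published because the nameservers point at Cloudflare; add the "
                    "_cpanel-dcv-test-record TXT record in the Cloudflare zone instead."),
        )
    m = HTTP_DCV_RE.search(line)
    if m:
        host, ip = m.group(1), m.group(2)
        proxied = is_cloudflare_ip(ip)
        if proxied:
            advice = ("the name is proxied (orange cloud): the HTTP challenge hits "
                      "Cloudflare's edge, not this origin. Set the record to DNS-only "
                      "for the renewal or allow the validator's requests through Cloudflare.")
        else:
            advice = ("the name resolves to a host other than this server; fix the "
                      "A record before retrying DCV.")
        return DcvFailure(host, "HTTP", ip, proxied, advice)
    return None


def diagnose(lines: List[str]) -> List[DcvFailure]:
    """Classify every recognised failure line, skipping lines that match neither pattern."""
    return [f for f in (parse_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f.hostname}: {f.method} DCV failed; proxied={f.proxied}; {f.advice}")
```

Running it against the constructed lines reports the apex name as a DNS DCV failure, `cpcontacts.example.com` as proxied (104.27.0.1 sits in 104.24.0.0/14), and `mail.example.com` as an unproxied name whose A record simply points elsewhere, which is the distinction the hosting provider's one-line explanation glosses over.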

