AutoSSL renewal fails

Modified on Fri, 2 Aug at 5:11 PM

cPanel offers AutoSSL. It generally works, but you may occasionally get error messages. You can use the following as a reference to resolve the issue. Note that the e-mails you get generally state whether you need to take action. Here is an example:



While you do get an e-mail, the text states the following:


After that time, AutoSSL will request a replacement certificate that excludes any domains that fail


In this example, the ipv6 record is missing. While we can resolve this (see table below), this is generally not an issue. Therefore, you can ignore the error, and your domain will remain protected (unless other errors occur).


If your certificate is not expired, just wait 24 hours. The problem should get resolved.
If your certificate is expired, contact us and we can manually renew the certificate. If you have a managed server or your own server, you can run AutoSSL again in WHM.



Error:
1:31:19 PM ERROR “Let’s Encrypt™” DNS DCV error (*.domain.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (Incorrect TXT record "4ybE3io5_U7xcl-d2sAccEzSnOxR8ht01EDy6COtOzc" found at _acme-challenge.domain.com)

Reason:
Previous records may still exist. After a successful check, cPanel normally clears records such as _acme-challenge. This may not have happened, so manual intervention is required.

Solution:
Go to the DNS manager of your account and remove the following records with the type TXT:
  1. _cpanel-dcv-test-record
  2. _acme-challenge
  3. _acme-challenge.ipv6
  4. Remove any CNAME records with comodoca.com in the value.
  5. Remove any variations.

Error:
3:44:25 PM ERROR “Let’s Encrypt™” DNS DCV error (ipv6.domain.com=): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (During secondary validation: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ipv6.domain.com - check that a DNS record exists for this domain)
ERROR Impediment: SECURED_DOMAIN_DCV_FAILURE: One or more currently-secured domains failed DCV.

Reason:
cPanel expects ipv6.domain.com to exist when IPv6 is activated.

Solution:
In general, you do not need ipv6.domain.com. In that case, you can ignore the warning. Only execute the following steps when you really need this record available:
  1. Find the value for www.domain.com with type AAAA
  2. Create a new record with ipv6.domain.com with the type AAAA and the value of www.domain.com
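
Both checks above can be run against an exported copy of the zone before AutoSSL is started again. The following is an added example, not part of the original article or of cPanel's tooling; the zone text is constructed, `audit_zone` is a hypothetical helper, and treating sub-labels such as `_acme-challenge.www` as "variations" is an assumption.

```python
import re

# Base labels from the removal list above; "_acme-challenge.ipv6" and "any variations"
# are matched as sub-labels of these (assumption about what counts as a variation).
DCV_BASES = ("_cpanel-dcv-test-record", "_acme-challenge")

# Constructed zone export for the placeholder domain.com (sample data, not a real zone).
SAMPLE_ZONE = """\
domain.com.                          14400 IN A     192.0.2.10
www.domain.com.                      14400 IN AAAA  2001:db8::10
_acme-challenge.domain.com.          300   IN TXT   "constructed-stale-token"
_cpanel-dcv-test-record.domain.com.  300   IN TXT   "constructed-dcv-value"
_acme-challenge.www.domain.com.      300   IN CNAME dcv.comodoca.com.
mail.domain.com.                     14400 IN TXT   "v=spf1 a mx ~all"
"""

# name, optional TTL, optional class, record type, value
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(AAAA|A|TXT|CNAME)\s+(.+?)\s*$", re.I)

def parse_zone(text):
    """Return (name, type, value) tuples; names lowercased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m and not line.lstrip().startswith((";", "$")):
            records.append((m.group(1).lower().rstrip("."), m.group(2).upper(), m.group(3)))
    return records

def audit_zone(zone_text, domain="domain.com"):
    """List leftover DCV records to delete and report whether ipv6.<domain> has an AAAA record."""
    remove, aaaa = [], {}
    for name, rtype, value in parse_zone(zone_text):
        label = name[: -len(domain) - 1] if name.endswith("." + domain) else ""
        is_dcv = any(label == b or label.startswith(b + ".") for b in DCV_BASES)
        if rtype == "TXT" and is_dcv:
            remove.append((name, rtype))
        elif rtype == "CNAME" and "comodoca.com" in value.lower():
            remove.append((name, rtype))
        elif rtype == "AAAA":
            aaaa[name] = value
    return {"remove": remove,
            "ipv6_aaaa_missing": f"ipv6.{domain}" not in aaaa,
            "www_aaaa": aaaa.get(f"www.{domain}")}

if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    for name, rtype in report["remove"]:
        print(f"remove {rtype:5} {name}")
    if report["ipv6_aaaa_missing"]:
        print(f"ipv6.domain.com has no AAAA record; www value is {report['www_aaaa']}")
```

Unrelated TXT records such as SPF are left alone; only the labels from the list and CNAME values containing comodoca.com are reported.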




Unfortunately, cPanel has not implemented correct support for redundant DNS systems. Therefore, AutoSSL may fail from time to time.

