cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Trigger AutoSSL for domains that still don't resolve

Marcelo Pedra shared this idea 4 years ago
Open Discussion

I, as a sysadmin, wish to extend the feature request named "AutoSSL triggered at account creation time" with this idea:


You may have created an account for a domain that still don't resolve to your DNS, but it will, soon. And given that users are increasingly asking for SSL, if cPanel could check if it resolves every 1-2 hours would be a good catch to enable AutoSSL as soon as the DNS start resolving correctly. It shouldn't impact in server performance, am I right?

Obviously, if you implement this, check only the DNS of those recently created domains where AutoSSL was still unsuccessful. Also, I would advice that if a domain don't start resolving within the first 72 hs, then fallback to the current nightly checks.

Best Answer
photo

In CPANEL-25901 (version 80) we implemented an additional check. The new schedule is:

First Check - 3m20s after account creation

Second Check - 2h after account creation

Nightly Check (as per usual)

Replies (2)

photo
1

This should have been a part of the original feature request. In nearly ZERO situations will the domain name resolve to our server IMMEDIATELY after account creation. But, usually, within minutes it will be properly resolving. There is no harm in attempting an AutoSSL install at account creation... but we really need this feature to check every hour or two, for the first day... then it can fallback to the normal once per day check.

photo
1

but a domain can take upto 72 hrs to propagate fully

photo
1

Terry "up to" is the important part...more often than not it is within minutes

photo
1

@Terry Robertson: All in all, Let's Encrypt has its own DNS cache, outside cPanel. Hence, any DNS change you perform in a domain registrar to create a new account in cPanel will be detected instantly because if it's a new account, there's a 99.99% of probabilities that Let's Encrypt cache haven't visited that domain in the past 24 hours :-)

photo
1

In our use case, we use to work a lot with dot com domains and CloudFlare proxied hosts, and also set TTL our servers DNS to 600 seconds by default, so propagation is performed instantly. I know, not everyone may be working the same, but it's a good practice so users don't have to wait the standard 4 hours of TTL.

photo
1

Scott, with respect you are wrong. I have that situation now with a domain who was pointing to another server because resolvers. I've fixed that but now I have to wait or something..


[root@10580emp ~]# dig flood.cl a

;; ANSWER SECTION:

flood.cl. 3600 IN A 200.24.13.70


[root@10580emp ~]# nano /etc/resolv.conf

[root@10580emp ~]# dig flood.cl a

;; ANSWER SECTION:

flood.cl. 14400 IN A 201.148.105.80

photo
photo
3

In CPANEL-25901 (version 80) we implemented an additional check. The new schedule is:

First Check - 3m20s after account creation

Second Check - 2h after account creation

Nightly Check (as per usual)

photo
2

Thanks, Nick! It's working much better these days. I just have to know... where did you come up with 3 minutes and 20 seconds? :-)

photo
1

The 3m20s was the top end of the time (excluding outliers) it generally takes to ensure that everything is setup, dns is reloaded, apache is restarted, and HTTP DCV is able to pass. We likely will be able to reduce this over time as we get data from the efficiency improvements in 82 and 84. The results are promising for these versions as autossl run times went from over an hour to about 10 minutes on highly loaded machines in v84 with the limited data we have.

photo
Leave a Comment
 
Attach a file