Skip to main content

Resolving cPanel AutoSSL "DNS DCV" Failures with Cloudflare

 Few notifications generate as much immediate anxiety for a site maintainer as the automated email from cPanel: "AutoSSL failed to renew the certificate for example.com."

The error logs almost always point to a failure in Domain Control Validation (DCV). You will likely see error strings referencing DNS DCV: No local authority or an HTTP DCV failure resulting in a 403 Forbidden or a redirection loop.

If your domain utilizes Cloudflare as its DNS provider and proxy, this is not a random glitch. It is a structural conflict between cPanel’s validation logic and Cloudflare’s traffic handling. This article provides a technical breakdown of why this conflict occurs and details the rigorous configuration changes required to resolve it permanently without sacrificing Cloudflare’s security features.

The Architecture of the Failure

To fix the problem, you must first understand the validation vector. When cPanel’s AutoSSL (typically powered by Sectigo or Let’s Encrypt) attempts to issue a certificate, it requires proof of ownership. It attempts this via two methods, in order of preference:

1. DNS DCV (The Primary Method)

The Certificate Authority (CA) asks cPanel to add a specific TXT record to your DNS zone.

  • The Conflict: cPanel modifies the DNS zone file locally on your web server. However, because you are using Cloudflare, your domain's Nameservers point to Cloudflare, not your web host.
  • The Result: The CA queries the public DNS (Cloudflare), does not see the local record created by cPanel, and the validation fails.

2. HTTP DCV (The Fallback Method)

When DNS validation fails, cPanel falls back to HTTP validation. It creates a token file in the path .well-known/acme-challenge/ and asks the CA to fetch it via http://example.com/.well-known/acme-challenge/<token>.

  • The Conflict: Cloudflare’s "Always Use HTTPS," specific Page Rules, or your server's .htaccess file often force a 301 redirect to HTTPS. If the SSL is already expired, the CA cannot negotiate the secure connection to retrieve the token, causing a chicken-and-egg failure. Furthermore, Cloudflare's Web Application Firewall (WAF) or "Bot Fight Mode" often flags the validation bot as a threat and blocks the request.

Since most site maintainers on shared hosting cannot automate Cloudflare DNS updates via the cPanel API, the most reliable solution is to engineer a bypass for the HTTP DCV fallback.

Step 1: Configuring Cloudflare Page Rules

Before modifying server files, we must ensure Cloudflare allows traffic to the validation directory without interference. We need to create a "hole" in your security posture specifically for the ACME protocol.

  1. Log in to the Cloudflare Dashboard and select your domain.
  2. Navigate to Rules > Page Rules.
  3. Click Create Page Rule.
  4. URL: Enter the following pattern exactly: *example.com/.well-known/acme-challenge/*
  5. Settings: Add the following settings:
    • SSL: Off (or Flexible)
    • Cache Level: Bypass
    • Security Level: Essentially Off
    • Browser Integrity Check: Off
  6. Order: Ensure this rule is at the very top of your list (Order 1).

Why this works: This forces Cloudflare to treat the validation directory as plain HTTP, bypasses the cache (ensuring the CA gets the live file), and prevents the "Browser Integrity Check" from blocking the headless bot used by the CA.

Step 2: Implementing the .htaccess Exclusion

Even with Cloudflare configured, your local Apache server is likely configured to force HTTPS redirects. We must modify the .htaccess file to exclude the .well-known directory from these redirects.

Locate your .htaccess file in the public_html root. You need to modify your rewrite rules to conditionally ignore the ACME challenge path.

The Standard Fix

If you are using a standard rewrite rule to force HTTPS, it usually looks like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

You must inject a RewriteCond (condition) before the RewriteRule triggers.

The Corrected Code

Replace your HTTPS forcing block with the following logic:

<IfModule mod_rewrite.c>
    RewriteEngine On

    # EXCLUSION: Do not redirect .well-known/acme-challenge requests to HTTPS
    # This allows cPanel AutoSSL to fetch the token over plain HTTP
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ [NC]
    
    # STANDARD REDIRECT: Force HTTPS for everything else
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Technical Breakdown:

  • %{REQUEST_URI}: The path component of the request (e.g., /.well-known/...).
  • !: Logical NOT.
  • ^/\.well-known/acme-challenge/: Regex matching the start of the validation path.
  • [NC]: No Case (case-insensitive).

This logic tells Apache: "If the request is NOT for the ACME challenge folder, AND the request is currently HTTP, THEN redirect to HTTPS."

Step 3: Handling "Bot Fight Mode" False Positives

Recently, a surge in AutoSSL failures has been traced to Cloudflare’s "Super Bot Fight Mode" (Pro plans) or standard "Bot Fight Mode" (Free plans).

The validation servers used by Sectigo and Let's Encrypt are automated scripts. Cloudflare's heuristics often classify these as "Definite Bots" and issue a JavaScript challenge. The validation server cannot execute JavaScript, so it fails.

The Diagnosis

Check your Cloudflare Security > Events log. Filter by the User Agent or IP. If you see "Managed Challenge" or "Block" actions coinciding with your AutoSSL run times, this is the root cause.

The Solution

You cannot whitelist IPs for Let's Encrypt or Sectigo reliably, as they change frequently and publish no official list.

  1. Temporary: Disable "Bot Fight Mode" in the Security > Bots tab, run the AutoSSL check in cPanel, then re-enable it.
  2. Permanent (WAF Rule): Create a Custom WAF rule skipping challenges for the ACME path.
    • Field: URI Path
    • Operator: contains
    • Value: /.well-known/acme-challenge/
    • Action: Skip (select "All remaining custom rules" and "Super Bot Fight Mode").

Edge Case: The 403 Forbidden on Physical Directories

Sometimes, even with the redirects fixed, the server returns a 403 Forbidden. This happens because cPanel creates the .well-known folder with strict permissions, or other security plugins (like Wordfence or iThemes) block access to "dot" folders.

Verify permissions manually via terminal or File Manager:

  • Directories (.well-knownacme-challenge) should be 0755.
  • Files inside should be 0644.

If you have a security plugin, ensure it is not configured to "Disable execution of PHP in uploads/cache" in a way that inadvertently blocks text files in the root, or specifically whitelist the .well-known path in the plugin settings.

Summary

The "DNS DCV" error is often a red herring for Cloudflare users; it is the inevitable failure of the primary validation method. The solution lies in clearing the path for the secondary method: HTTP DCV.

By explicitly telling Cloudflare to stop protecting the validation path (Page Rules) and configuring Apache to stop redirecting it (RewriteCond), you create a pass-through tunnel. This allows the Certificate Authority to handshake with your origin server over HTTP, verify the token, and issue the certificate, which Cloudflare will then serve securely to your users.

Labels: