FIX: Previously, the option to include proxy subdomains was only available when a certificate already existed. Now it is always available.
However, cPanel may not always choose to use every proxy subdomain (such as when they are on a subdomain virtual host).
FEATURE PREVIEW: The dns-01 challenge is now available, but disabled by default.
This means that SSL validation can be performed automatically via TXT DNS records rather than relying on the http-01/webroot challenge.
This is only available if cPanel is controlling the DNS for the zone. Domains with external DNS cannot take advantage of the dns-01 challenge.
Admins may enable either or both of the challenges (http-01, dns-01). If more than one is enabled, then the user is prompted to choose one on a per-certificate basis. Existing certificates will be assumed to use the http-01 challenge.
To enable the dns-01 challenge, visit WHM->Let’s Encrypt SSL->Configuration and set “Challenge Methods” to http-01,dns-01 as required.
We are introducing this feature at this time in order to prepare for wildcard certificates, which will be coming in January or February 2018.
This is a BETA-quality feature and we will appreciate any testing/feedback/bugs.
IPv6 in cPanel 68: Due to a regression in cPanel 68, IPv6 is broken for the service certificate and proxy subdomain renewals. Please refer to this published article for a workaround.
The dns-01 challenge incurs a 5-second sleep after every DNS record change. This is to allow BIND to reload the zone before Let’s Encrypt tries to validate it. This will be fixed before the feature is out of beta.
The reason for this is that we have found that the churn of features and bugs in cPanel makes it too difficult for us to reasonably produce a single plugin that works well on both LTS and current versions.