Troubleshooting AutoSSL: TOTAL_DCV_FAILURE with External DNS and IPv6
One of the more frustrating errors we've seen with cPanel's AutoSSL is:
TOTAL_DCV_FAILURE: Every domain failed DCV
At first glance, this can seem like a general domain control validation failure, but in cases where the domain uses external DNS, the root cause is often misunderstood — and overlooked.
The Confusing Part: .well-known File Check Fails
In these scenarios, it's natural to expect that HTTP-based validation should still succeed, even if DNS-based DCV (Domain Control Validation) fails. After all, if the .well-known/acme-challenge/ path is accessible and functioning correctly, why would AutoSSL still throw a total failure?
That’s the key question.
The Hidden Culprit: IPv6 and New Accounts
Upon deeper inspection, we've found that this issue often affects newly created accounts, especially when the domain has an AAAA (IPv6) record configured in external DNS, but IPv6 is not actually enabled or configured on the cPanel server for that account.
Here’s what happens:
-
AutoSSL attempts to validate the domain using the AAAA record.
-
The IPv6 address resolves externally, so Let’s Encrypt tries to connect over IPv6.
-
The server responds with a 404 Not Found, because it has no IPv6 listener or doesn’t route IPv6 traffic correctly to the domain.
-
Since HTTP DCV fails over IPv6 and DNS DCV is unavailable (external DNS), the entire validation process fails — hence the TOTAL_DCV_FAILURE.
Why This Matters
This type of failure can lead to confusion during setup, especially when everything looks correct from a browser or IPv4-based test. You might successfully retrieve test files via HTTP, yet AutoSSL continues to fail silently in the background due to IPv6 routing mismatches.
Resolution
If you encounter this error:
-
Check for AAAA records in the external DNS zone of the domain.
-
Disable or remove the AAAA records if IPv6 is not used or supported on your cPanel server.
-
Alternatively, ensure IPv6 is properly configured and enabled for Apache/Nginx and the cPanel user account.
Once the AAAA record points to a reachable and correctly configured IPv6 interface, or is removed entirely, AutoSSL validation should proceed normally.
Conclusion:
If you're using external DNS and seeing TOTAL_DCV_FAILURE, don't just test via IPv4 — check IPv6 resolution and routing. It may be the silent blocker behind an otherwise functional setup.
Thanks to Patrick Sanders CEO of 040Hosting for giving us this solution. Need stable web hosting and the best support check out https://040hosting.eu