Issue with EasySSL when subromain (but not root domain) added

We are a web agency and are using CWP on our sandbox server. We use this server to host sites while we build them for clients.

With only a few exceptions, the domains are named to conform with this pattern:

[clientname].staging.masterdomain.com

The problem is that AutoSSL is not working when we use this naming convention. In the UI, I get a message that says "DNS of your domain doesn't point to this server or you have htaccess restrictions"

In fact, the only time I can get AutoSSL to work is on sites where the root domain is also present on this server.

I have read the forums and most issues I had seen there were either a DNS issue or a redirect issue. Neither of those are the case here. We also don't use the local server for DNS.

If we pull up the site with http:// it resolves correctly and displays fine with no redirect. It is happening on every site that follows this naming convention.

Here is the output from my browser console when I try to run AutoSSL for this site:
Request:
https://[redacted]:2031/cwp_bcc4ed576c7408661cca564dad244844/admin/loader_ajax.php?ajax=ssl_certificate&acc=validate_domaindns

Parameters:
domain=cartel.[redacted].com&user=cartel&extra_services=

Response:
{"result":"error","excludes":["maindomain"]}

Any assistance is appreciated.

Let's Encrypt goes by the "Authoritative Nameservers" for any Domain/Subdomain.  So it's actually checking domain.com's NS's for the key.

The workaround, is to redirect the NS Authoritative domains.  In your example, in domain.com's NameServers, add the following

staging 600 in NS (Your Servers Nameserver1 here)
staging 600 in NS (Your Servers Nameserver2 here)

now when LE looks up staging.domain.com, domain.com's NS say:  whoops staging's NS is ..., look there.

This will also include ALL subdomains for staging.domain.com, so client.staging client2.staging etc will all use your servers Nameservers