This is a common issue with Cloudflare CDN and Certbot’s nginx plugin: Certbot sets up the challenge response on your server’s port 80 virtualhost only.
Cloudflare causes all traffic between Cloudflare and your server to be secured with HTTPS. This means that the challenge response rule never gets a chance to be processed by the Let’s Encrypt validation request, and instead results in a 404.
Until this is fixed in Certbot, I believe that your best workaround is to use the webroot authenticator method.
A fairly foolproof method is to do something like:
mkdir -p /var/www/letsencrypt
and then to nginx (in your port 80 and port 443 virtual hosts), add:
Thanks for your response dear. But I already tried that (I created exactly the same directory ‘/var/www/html/.well-known/acme-challenge’) and I tested it by putting a test.html file in there. https://lyft.ir/.well-known/acme-challenge/test.html
So you think that the problem might be because of the all-redirecting code that Certbot added to nginx config?
if ($host = www.lyft.ir) {
return 301 https://lyft.ir$request_uri;
}
Attempting to renew cert (lyft.ir) from /etc/letsencrypt/renewal/lyft.ir.conf produced an unexpected error: The requested weboot plugin does not appear to be installed. Skipping.
The fault is mine my friend. I should have checked it.
And thanks. It worked. But I really didn’t get the point and the root of the problem.
Is it because of --dry-run?
--dry-run is just for testing. You should get rid of it and run the command without it.
What we changed was that we changed from the “nginx authenticator” to the “webroot authenticator” - it causes Certbot to perform the domain validation a little bit differently.
The root of the problem is an incompatibility between Certbot’s nginx authenticator and how Cloudflare CDN works.
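The practical consequence of that root cause is that, with Cloudflare proxying to the origin over HTTPS, the challenge path has to be served from the webroot by both the port 80 and the port 443 server blocks, and any server-level `return 301` runs before location matching. Here is an added example, not code from this thread or from Certbot, that audits an nginx config for exactly that; the sample config is constructed, and the parser is deliberately simple (it does not understand quoted strings or comments containing braces).

```python
import re

ACME_PATH = "/.well-known/acme-challenge"

# Constructed sample (not the poster's real config): the port-80 vhost serves the
# challenge path and carries a Certbot-style www redirect; the port-443 vhost does not.
SAMPLE_CONF = """server {
    listen 80;
    server_name lyft.ir www.lyft.ir;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    if ($host = www.lyft.ir) { return 301 https://lyft.ir$request_uri; }
}
server {
    listen [::]:443 ssl;
    server_name lyft.ir www.lyft.ir;
    root /var/www/html;
}
"""

def blocks(text, keyword):
    """Yield (header, body) per `keyword ... { ... }` block; resume after each body."""
    pat, pos = re.compile(r"\b%s\b([^{;]*)\{" % keyword), 0
    while m := pat.search(text, pos):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield m.group(1).strip(), text[m.end():j - 1]
        pos = j

def audit_acme(conf, webroot):
    """Per server block: (listen ports, 'ok'|'missing'|'wrong-root', server_level_redirect)."""
    out = []
    for _, body in blocks(conf, "server"):
        ports = sorted({int(p) for p in re.findall(r"\blisten\s+(?:\S*?:)?(\d+)", body)})
        locs = list(blocks(body, "location"))
        acme = [b for hdr, b in locs if hdr.split()[-1].rstrip("/") == ACME_PATH]
        if not acme:
            status = "missing"
        else:
            m = re.search(r"\b(?:root|alias)\s+(\S+?)/?;", acme[0])
            status = "ok" if m and m.group(1) == webroot.rstrip("/") else "wrong-root"
        # A `return` in server context (even inside a server-level `if`) runs before
        # location matching, so the validator is redirected to another vhost.
        outside = body
        for _, b in locs:
            outside = outside.replace(b, "")
        out.append((ports, status, bool(re.search(r"\breturn\s+30[1278]\b", outside))))
    return out
```

Running `audit_acme(SAMPLE_CONF, "/var/www/letsencrypt")` reports the port 443 block as `missing`, which is the block Let's Encrypt actually reaches through Cloudflare.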