You can’t use HTTP validation for a hostname that doesn’t exist.
To work around the Cloudflare “Always use SSL”/“Full (strict)” origin certificate issue, you could add the appropriate A/AAAA/CNAME records and temporarily disable Cloudflare’s CDN on the hostname (gray cloud, not orange cloud) so you can validate it and get a certificate.
Edit: Orange cloud + temporarily turning off Always use SSL would also work.
Always use HTTPS is set to OFF
I created an A record with name beta-yegfitness that points the the public IP of my server
On the DNS page of Cloudflare the cloud is Orange
In the crypto tab I have the following origin certificates
*.fitchek.com, fitchek.com (2 hosts)
2034-03-03
After about 20 minutes I run
sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com
The result is:
Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for yegfitness.fitchek.com
beta-yegfitness and yegfitness are two different names.
Edit: If you have origin certificates from Cloudflare, why create Let's Encrypt certificates too?
Edit: That command is using --test-cert, but the staging environment produces certificates that aren't trusted by clients, whether they're browsers or Cloudflare's servers.
Thanks, what a silly error on my part with the wrong names.
i am not sure why things are set p this way. I took over this legacy project from previous devs, and I am not an expert on this stuff. Just trying my best to make it work how it is setup and not cause more problems than I solve!
There is again no ip address ( https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| yegfitness.fitchek.com | Name Error | yes | 1 | 0 | |
| www.yegfitness.fitchek.com | Name Error | yes | 1 | 0 |
So that
doesn't produce the required result.
Use online tools to check such things.
OK I made the fixes as noted, and was able to create a certificate. I then update my sites-available and sites-enabled and restarted nginx.
I turned Always Use HTTPS back to on and made sure the A entry for DNS cloud was orange
After waiting 20 minutes when I navigate to
https://beta-yegfitness.fitchek.com/
I get invalid certificate, and when I try
http://beta-yegfitness.fitchek.com/
This page (https://beta-yegfitness.fitchek.com/) is currently offline. However, because the site uses Cloudflare’s Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by Cloudflare | Hide this Alert
http://beta-yegfitness.fitchek.com/ mostly works for me. The page loads. Some of the images and such are 404 Not Found errors.
https://beta-yegfitness.fitchek.com/ returns a Cloudflare invalid origin certificate error.
What certificate is being used on the origin now? How is it configured?
Could you turn off Cloudflare on the subdomain temporarily so we can check it?
Or share your non-Cloudflare - ip address.
Then I can check it - ip + hostname.
174.117.43.114
Your public IP address
hostname: fitchek-server
The hostname is the domain name.
The result - https://check-your-website.server-daten.de/?q=174.117.43.114&h=beta-yegfitness.fitchek.com
You have a 90 day - certificate:
CN=beta-yegfitness.fitchek.com
18.03.2019
16.06.2019
expires in 90 days beta-yegfitness.fitchek.com - 1 entry
But it's the Fake Certificate:
Chain (complete)
1 CN=beta-yegfitness.fitchek.com
2 CN=Fake LE Intermediate X1
So create a new certificate, but don't use the test system.
If the certificate is valid, then you should have a Grade I (some content errors), but not a certificate error.
OK I did as you said and re-ran (without test):
sudo certbot certonly --webroot -w /opt/marketplace/public/yegfitness -d beta-yegfitness.fitchek.com
It asked me to keep or renew and replace, so I choose renew and replace
2: Renew & replace the cert (limit ~5 per 7 days)
and the response:
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beta-yegfitness.fitchek.com
Using the webroot path /opt/marketplace/public/yegfitness for all unmatched domains.
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
/etc/letsencrypt/live/beta-yegfitness.fitchek.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/beta-yegfitness.fitchek.com/privkey.pem
Your cert will expire on 2019-06-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”
Still doesn’t work however, still get invalid SSL certificate
If you use certonly, the certificate isn't installed.
Perhaps the file is replaced. But then you have to reload / restart your webserver.
PS: There
https://crt.sh/?q=beta-yegfitness.fitchek.com
is your new certificate.
So install it and recheck your domain.
Looks like you have fixed the error. Checking your ip + domainname as hostname lists now
CN=beta-yegfitness.fitchek.com
18.03.2019
16.06.2019
expires in 89 days beta-yegfitness.fitchek.com - 1 entry
And the domain beta-yegfitness.fitchek.com has four Cloudflare ip addresses and a big Cloudflare certificate:
CN=sni116869.cloudflaressl.com, OU=PositiveSSL Multi-Domain,
OU=Domain Control Validated
05.12.2018
14.06.2019
expires in 87 days
Some missing files ... Grade I.
Thanks for all the help, your support has been amazing, I just want to absolutely clear on the next step before i do something wrong (again):
When you say
There ends your post.
So your question is invisible.
Thanks for all the help, your support has been amazing, I just want to absolutely clear on the next step before i do something wrong (again):
When you say:
https://crt.sh/?q=beta-yegfitness.fitchek.com
is your new certificate.
So install it and recheck your domain.
Do you mean that I should run
sudo certbot --webroot -w /opt/marketplace/public/yegfitness -d beta-yegfitness.fitchek.com ?
and then restart nginx?
Note that the site is now working, but I think there might be multiple certificates, so not sure which one is in use
Thanks!
Nate
No, the problem is already solved.
See post
Check the result of https://check-your-website.server-daten.de/?q=174.117.43.114&h=beta-yegfitness.fitchek.com
There you see: Your internal ip address 174.117.43.114 checked with your domain name as hostname -> the certificate is valid.
That's like a browser connect a website: First, the browser has to find the ip address. Then the browser connects the ip address and sends the domain name as hostname.
So Cloudflare is able to connect your site via https.
And check https://check-your-website.server-daten.de/?q=beta-yegfitness.fitchek.com - then you see your Cloudflare - ip and your Cloudflare certificate.
The first is the internal view, the second is that, what visitors see.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.