Cert failure: 404 and 526 errors

Hello, my mail server I am trying to setup fails to issue certs with the following errors listed below.

My domain is: exposedfoundation.org

I ran this command: certbot certonly --webroot -w /var/www/html -d exposedfoundation.org -d mail.exposedfoundation.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for exposedfoundation.org and mail.exposedfoundation.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.28.0

We are using Cloudflare with a subscription

Welcome @MRDOE
Each of your domains fails for a different reason. Your apex (exposedfoundation.org) fails with a 404. This is often due to the webroot path not matching the value of the root folder in your nginx config. If you need help with this please post the output from a sudo nginx -T command.

Your mail domain is failing with an http 526. This is a Cloudflare error saying its Edge cannot reach your domain. A debug guideline can be found here:

2 Likes
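As an added illustration of the webroot/root mismatch described in the reply above (this script is not from the thread), the following compares the --webroot-path given to certbot with the root directive nginx uses for each requested domain. The nginx config inside it is a constructed sample; in practice you would feed it the output of sudo nginx -T.

```shell
#!/bin/sh
# Added example: check whether certbot's --webroot-path matches the root
# directive nginx uses for each requested domain (the cause of the 404 above).
# The config text below is a constructed sample; in practice pass the output
# of `sudo nginx -T` instead. Assumes server_name precedes root in each block.
SAMPLE_NGINX_CONF='server {
    listen 80;
    server_name exposedfoundation.org;
    root /var/www/exposedfoundation;
}
server {
    listen 80;
    server_name mail.exposedfoundation.org;
    root /var/www/html;
}'

# list_roots CONF: print "server_name root" for every server block
# (only the first name of a multi-name server_name line is reported).
list_roots() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*server_name[ \t]/ { sub(/;.*/, ""); name = $2 }
        /^[ \t]*root[ \t]/        { sub(/;.*/, ""); print name, $2 }'
}

# nginx_root CONF DOMAIN: print the root nginx serves DOMAIN from (empty if none)
nginx_root() {
    list_roots "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# webroot_matches CONF WEBROOT DOMAIN: succeed only if nginx serves DOMAIN
# from WEBROOT, i.e. certbot's challenge file will be reachable over HTTP.
webroot_matches() {
    [ "$(nginx_root "$1" "$3")" = "$2" ]
}

# diagnose CONF WEBROOT DOMAIN...: one line of diagnosis per domain
diagnose() {
    conf=$1; webroot=$2; shift 2
    for d in "$@"; do
        r=$(nginx_root "$conf" "$d")
        if [ -z "$r" ]; then
            printf '%s: no server block with this server_name (nginx will not answer for it)\n' "$d"
        elif [ "$r" = "$webroot" ]; then
            printf '%s: OK, nginx root matches %s\n' "$d" "$webroot"
        else
            printf '%s: MISMATCH, nginx serves %s but certbot writes to %s (expect 404)\n' "$d" "$r" "$webroot"
        fi
    done
}
diagnose "$SAMPLE_NGINX_CONF" /var/www/html exposedfoundation.org mail.exposedfoundation.org
```

A domain that reports no server block is the other case raised later in the thread: nginx is not configured to accept requests for that name at all, so the challenge can never be served.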

Hi, Mike. Thanks for the speedy and clear response. I will check and confirm the webroot path and rectify it if needed. With Cloudflare, the link you sent doesn't offer any solutions from what I've read; rather, it offers a means to verify if the cert is self-signed. Do you have any resources or fixes for the 526 issue?

1 Like

I'm not sure what you mean. The Cloudflare CDN Edge is not able to reach your origin server for the mail domain name. The reason is the 526 error code. If the page I showed did not help resolve the problem you might want to post on the Cloudflare forums for other ideas.

I can't see the cert you have (or if you even have one) on your origin server. That's between your origin and the CF Edge. The main tip on that page was to change from Full (strict) to Full. Did you try that? Is your origin nginx server configured to accept requests for the mail domain? These are my first couple of ideas.

3 Likes

I do not have a cert. It cannot be issued, so you will not see one. This is a fresh instance for a mail server. No certs have been issued.

You could consider using a Cloudflare Origin CA cert. I don't know if that is satisfactory for your mail server but it is worth a review. You would not need Let's Encrypt at all then.

Or, to get started with Cloudflare you could create a self-signed cert and use Full (but not with Strict). Or, start with Flex, which uses HTTP between the Cloudflare Edge and your origin server. Although, Flex is not recommended as a permanent solution by Cloudflare.

This is all documented by Cloudflare on their site. You might want to spend more time reviewing their docs.

2 Likes

Are you trying to get a cert for mail (SMTP) or for webmail (HTTPS)?
[or both?]

2 Likes

I spend quite a bit of time on the Cloudflare Community forum and can save time searching for information about mail server use. Cloudflare origin certs are not viable for anything other than HTTPS behind the Cloudflare proxy. Cloudflare doesn't proxy other protocols. Any hosts that require protocols other than HTTP or HTTPS on a specific list of ports need to be configured as DNS Only in Cloudflare, or the services will be unreachable.

1 Like