Certbot-Auto TLS Handshake Failure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
multicrew.co.uk
I ran this command:
./certbot-auto --apache -d test.multicrew.co.uk -d academy.test.multicrew.co.uk --preferred-challenges http

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test.multicrew.co.uk
http-01 challenge for academy.test.multicrew.co.uk
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. academy.test.multicrew.co.uk (http-01): urn:ietf:params:acme:error:tls :: The server experienced a TLS error during domain verification :: Fetching https://academy.test.multicrew.co.uk/.well-known/acme-challenge/F1MdqviwddJwZGmwKbG7XCUpEVx91_e4QbU0mfnT4ZQ: remote error: tls: handshake failure

IMPORTANT NOTES:

My web server is (include version):
Apache 2.4.27
The operating system my web server runs on is (include version):
Ubuntu 17.10
My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

https://letsdebug.net/test.multicrew.co.uk/12170

So, what the problem appears to be is that you are relying on Cloudflare SSL, and you are then sending a redirect for a domain that Cloudflare is not covering for you.

Cloudflare covers these domains for you: multicrew.co.uk, *.multicrew.co.uk.

Your webserver is sending a redirect to www.test.multicrew.co.uk, which is NOT covered by either of those certificate names.

Your current redirect is an impossible configuration should you wish to use Cloudflare’s SSL certificates.

The specific way in which Cloudflare fails in this situation causes that error message from Let’s Encrypt.

So either fix the 302 redirect to not add www. to the start of test.multicrew.co.uk, or stop using Cloudflare’s CDN service.
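As an added example that is not part of this thread: a small Python check of which hostnames a single-label wildcard certificate covers, applied to the certificate names quoted above. The redirect chain is constructed to mirror the diagnosis, not captured from the site.

```python
# Added example (not from the thread): checks whether each hostname in a
# redirect chain is covered by the certificate names Cloudflare serves,
# using the single-label wildcard rule from RFC 6125 / RFC 2818.
from typing import Iterable, List, Tuple

# Names on the Cloudflare certificate, as reported in post #2.
CLOUDFLARE_SANS = ["multicrew.co.uk", "*.multicrew.co.uk"]

def san_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers host.

    A wildcard only matches a single DNS label, so *.example.com covers
    a.example.com but not b.a.example.com, and not example.com itself.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]           # the label replacing "*"
    return bool(leftmost) and "." not in leftmost

def covered_by(sans: Iterable[str], host: str) -> bool:
    """True if any SAN on the certificate covers host."""
    return any(san_matches(p, host) for p in sans)

def check_redirect_chain(sans: Iterable[str], chain: Iterable[str]) -> List[Tuple[str, bool]]:
    """Evaluate each hop of a redirect chain. A hop whose name is not covered
    is where a TLS client such as the ACME validator sees a handshake failure."""
    sans = list(sans)
    return [(h, covered_by(sans, h)) for h in chain]

# Constructed chain mirroring the thread: the challenge host is a sub-subdomain
# proxied through Cloudflare, and the origin redirects to a www. variant of it.
CHAIN = ["academy.test.multicrew.co.uk", "www.test.multicrew.co.uk"]

if __name__ == "__main__":
    for host, ok in check_redirect_chain(CLOUDFLARE_SANS, CHAIN):
        status = "covered" if ok else "NOT covered -> handshake failure"
        print(f"{host:32} {status}")
```

Both hops are two labels below multicrew.co.uk, so neither is covered by the wildcard; only one-label names such as test.multicrew.co.uk are.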


#3

What I’m wanting to do is use Cloudflare for the main section of the website, i.e. the non-test subdomains, and then use Let’s Encrypt for the rest, seeing as it supports sub-subdomains. Could that work?


#4

Well, it’s tough to say. Could you take a screenshot of your DNS records in Cloudflare?

Do you have a wildcard A record in there with the “orange cloud” on? If so, you need to get rid of it and use more specific A records, if you want your idea to work.


#5

I would, but my friend has the Cloudflare 2FA linked to his phone… I think all the test.-related A records have wildcards, and I guess that’s the issue.


#6

Another scenario, you might have a specific A record for:

www.test.multicrew.co.uk    IN    A    <your origin IP>

(and for academy.test.multicrew.co.uk as well) but it has the “orange cloud” on. If you turn it off, I believe that what you’re trying to do should be successful (or at least, the current error will go away).

I don’t think you can work around it without getting access to your Cloudflare account, though.

But in general, I think mixing Cloudflare on/off on a single site is a dangerous and complicated game … good luck!

