Certbot nginx cloudflare failed to get cert, but success to renew existing cert


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: prod.kuimba.info

I ran this command:

It produced this output:

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello all,

I am using certbot to get a certificate for my site. My site is using Cloudflare with the SSL setting Full (strict), and I am using a universal certificate. I have the Cloudflare option “Always use HTTPS” turned ON (which basically means it will redirect all HTTP traffic to HTTPS). I’ve used this command "sudo certbot certonly --rsa-key-size 2048 --nginx -d <domain_name> --agree-tos --email " to obtain a Let’s Encrypt cert. However, this only works with “Always use HTTPS” turned OFF. Furthermore, if I have managed to obtain a certificate (by turning “Always use HTTPS” OFF), I can use the same command to renew the certificate, and this works perfectly with “Always use HTTPS” turned ON.
So here are my questions:

  1. Obtaining a certificate fails when “Always use HTTPS” is turned ON. I think this is because the nginx plugin uses http-01, and the Let’s Encrypt server communicates with my site over HTTP, but all traffic is being redirected to HTTPS by Cloudflare and the Let’s Encrypt server cannot handle that. Am I correct? And can you guys elaborate?

  2. I don’t really understand why renewing a certificate works fine with “Always use HTTPS” turned ON. Can you help me explain it? And can I renew an expired certificate with this setting?

Thanks in advance.

Edit: Here is my output when “Always use HTTPS” is turned ON:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for prod.kuimba.info
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. prod.kuimba.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://prod.kuimba.info/.well-known/acme-challenge/tBCMXgjCVgZSjDI17w_pYP2z5Ogvx0s_zHbaZCtluYY: "<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]> <html class="no-js "

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: prod.kuimba.info
    Type:   unauthorized
    Detail: Invalid response from
    http://prod.kuimba.info/.well-known/acme-challenge/tBCMXgjCVgZSjDI17w_pYP2z5Ogvx0s_zHbaZCtluYY:
    "<!DOCTYPE html>
    <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US">
    <![endif]-->
    <!--[if IE 7]> <html class="no-js "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Here is my output when “Always use HTTPS” is turned OFF:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/prod.kuimba.info/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/prod.kuimba.info/privkey.pem
    Your cert will expire on 2018-11-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

#2

Hi,

What’s your domain name?

Issuing a new certificate & renewing will always have some kind of issue with CloudFlare turned on (and http challenges) because CloudFlare is in front of your server & might send the validation server a cached response (in this case, a 404 error).

I’m not sure how this works… Maybe it’s related to how Cloudflare redirects? (I’ll try to dig into some CF posts & see what’s going on)

Thank you


#3

My domain is prod.kuimba.info, as I updated in the post.
Also, I’ve tried to purge the Cloudflare cache but this still happens.


#4

The Let’s Encrypt server is fine with redirections to HTTPS during the validation process.

I think what you might be seeing is that if your origin server doesn’t have a certificate yet, CloudFlare itself refuses to proxy connections to it with the settings that you refer to. That is, in CloudFlare’s system design, these settings are only intended to be used after your origin server already has a certificate in place.

I haven’t consulted CloudFlare’s documentation to confirm this, so this is only a guess.


#5

I suspect this behavior too, but I haven’t found any supporting document yet.


#6

Hi,

Do you have any other valid certificate in use before requesting a Let’s Encrypt certificate on those domains? (The ones that reported unauthorized?)

(Because Cloudflare “SSL (strict)” is defined as

You will need to have your server configured to answer HTTPS connections, with a valid SSL certificate. This certificate must be signed by a certificate authority that is trusted by Cloudflare, have an expiration date in the future, and respond for the request domain name (hostname).

… Cloudflare will refuse to connect to your site via https… (I guess they also try to redirect the Let’s Encrypt validation server to the https version of the challenge file…)

Thank you


#7

I think @stevenzhu’s explanation makes sense and probably explains what’s happening.

Maybe CloudFlare should have a “SSL (strict, once a certificate exists)” that distinguishes between pre-issuance and post-issuance automatically. :) Otherwise, I guess CloudFlare users will often have to toggle this setting manually.

However, @vietthang207, you can also get a certificate from Let’s Encrypt using the DNS-01 ACME validation method, where you create DNS records rather than files on your web server in order to prove your control over the domain name. Several Let’s Encrypt client applications have good support for CloudFlare’s DNS API, and so if you also have your DNS managed by CloudFlare, you could use this method to obtain certificates for your origin server without requiring an inbound HTTP or HTTPS connection. Therefore, this method can be used whether or not your web server is initially reachable from the Internet. And so you could use it to obtain certificates for an origin server even with the Strict setting.


#8

I actually believe that ‘SSL (full)’ is turned on by default… Users need to manually choose to turn on strict …


#9

If you configure all of your origin servers to redirect to HTTPS, you could turn off “Always Use HTTPS”, permanently or only briefly when issuing certificates.

If you use Workers you could have one redirect HTTP to HTTPS but exclude /.well-known/acme-challenge/.
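The Worker idea from the post above, written out as an added example (not code from the thread or from Cloudflare): everything on plain HTTP is redirected to HTTPS except the ACME http-01 path, so the Let’s Encrypt validator can still fetch the challenge token over HTTP while "Always Use HTTPS" stays off. The redirect decision is a pure function so it can be checked without the Workers runtime; the `addEventListener("fetch", …)` entry point assumes the service-worker style Workers API.

```javascript
// Added example, not from the thread: Cloudflare Worker that forces HTTPS
// except for the ACME http-01 challenge directory.
const ACME_PREFIX = "/.well-known/acme-challenge/";

// Returns the HTTPS URL to redirect to, or null when the request must be
// passed through to the origin unchanged (already HTTPS, or a challenge URL).
function redirectTarget(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "https:") return null;            // nothing to do
  if (url.pathname.startsWith(ACME_PREFIX)) return null; // let the validator through
  url.protocol = "https:";                               // same host, path and query
  return url.toString();
}

async function handleRequest(request) {
  const target = redirectTarget(request.url);
  if (target === null) {
    // Origin (nginx) answers; for challenge URLs it serves the token certbot placed.
    return fetch(request);
  }
  return Response.redirect(target, 301);
}

// Workers entry point; guarded so the file also loads under plain Node.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```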