Certbot: unable to renew cert w/ nginx + cloudflare dns

Hi! I could really use some help! :slight_smile: Thank you in advance.

My domain’s DNS is hosted and protected by Cloudflare.

I have Cloudflare credentials/ API Key stored in /root/.secrets/cloudflare.ini

If I specify just the webroot I get an authentication failure probably because the physical IP of the box doesn’t match the A/AAAA records at Cloudflare.

If I try to specify the cloudflare-dns options then certbot bombs.

I also have this in my sites-enabled config for the domain:

server {
    server_name nsfw.social;

    listen         80;
    listen         [::]:80;

    location ~ /\.well-known/acme-challenge {
        root /var/lib/letsencrypt/;
    }

    location / {
        return         301 https://$server_name$request_uri;
    }
}

My domain is:
nsfw.social

I ran this command:
certbot certonly --cert-name nsfw.social -a webroot -w /var/lib/letsencrypt -d nsfw.social

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nsfw.social
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nsfw.social (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://nsfw.social/.well-known/acme-challenge/CxOkSwkBg9d7T7bCjM8_wvFc1ig-2ifESIcR1NDSnAA [2606:4700:30::681b:bdd4]: "<meta name=viewport content="width=device-width,initial-scale=1,user-scal"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nsfw.social
    Type: unauthorized
    Detail: Invalid response from
    https://nsfw.social/.well-known/acme-challenge/CxOkSwkBg9d7T7bCjM8_wvFc1ig-2ifESIcR1NDSnAA
    [2606:4700:30::681b:bdd4]: "<meta name=viewport
    content="width=device-width,initial-scale=1,user-scal"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Then I ran this command:
certbot certonly --cert-name nsfw.social -a webroot -w /var/lib/letsencrypt --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d nsfw.social

That produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: Too many flags setting configurators/installers/authenticators 'webroot' -> 'dns-cloudflare'
Too many flags setting configurators/installers/authenticators 'webroot' -> 'dns-cloudflare'

My web server is (include version):
ii nginx 1.14.2-2+deb10u1 all small, powerful, scalable web/proxy server
ii nginx-common 1.14.2-2+deb10u1 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.14.2-2+deb10u1 amd64 nginx web/proxy server (standard version)
ii certbot 0.31.0-1 all automatically configure HTTPS using Let's Encrypt
ii python3-certbot 0.31.0-1 all main library for certbot
ii python3-certbot-dns-cloudflare 0.23.0-2 all Cloudflare DNS plugin for Certbot
ii python3-certbot-nginx 0.31.0-1 all Nginx plugin for Certbot

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


I should add I’m venturing down this path because when the cert originally tried to renew it couldn’t bind to port 80 and trying to solve that led me to this post: https://stackoverflow.com/questions/44855359/letencrypt-renewal-fails-could-not-bind-to-ipv4-or-ipv6-skipping/46415630

Which then mentioned something about forcing the webroot option to get a new cert. And that’s where I ran into problems.

Thanks!


Hi @mjc

There you see the problem.

If you use Cloudflare, there is a redirect http -> https. And Letsencrypt prefers ipv6, so you must have a working ipv6 configuration with a working certificate.

So your port 80 isn't checked.

--> add your location definition to your https port and use that. Or remove the location and use the root of your https directly.

Checking your domain you have an older Letsencrypt certificate - https://check-your-website.server-daten.de/?q=nsfw.social

Or use the (not public trusted) certificate from Cloudflare. That's enough to secure the connection between Cloudflare and your server.

If you don't use Cloudflare, you can use a self signed certificate (and a redirect http -> https) to create a Letsencrypt certificate. But with Cloudflare that's not possible.

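The reply above boils down to one check: when Cloudflare (or the port 80 block) redirects every request to HTTPS, the http-01 validator ends up fetching the token over port 443, so the acme-challenge location has to exist in the 443 server block as well. The following POSIX shell snippet is an added example, not code from the thread or from Certbot: it reads an nginx config and reports every server block that has no /.well-known/acme-challenge location, so the gap is caught before certbot runs. Both configs embedded in it are constructed to mirror the thread; the port 443 block, its proxy_pass target and its ssl_* lines are assumptions, since the thread only shows the port 80 block.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nginx config for server
# blocks that do not serve the ACME http-01 challenge path.

# Constructed config mirroring the thread: port 80 serves the challenge path
# and redirects everything else; the 443 block (assumed, not shown in the
# thread) serves the site but has no acme-challenge location.
WEAK_CONF=$(cat <<'EOF'
server {
    server_name nsfw.social;
    listen 80;
    listen [::]:80;

    location ~ /\.well-known/acme-challenge {
        root /var/lib/letsencrypt/;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    server_name nsfw.social;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/nsfw.social/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nsfw.social/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed upstream, for illustration only
    }
}
EOF
)

# Same config with the location copied into the 443 block, as the thread's fix did.
FIXED_CONF=$(cat <<'EOF'
server {
    server_name nsfw.social;
    listen 80;
    listen [::]:80;

    location ~ /\.well-known/acme-challenge {
        root /var/lib/letsencrypt/;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    server_name nsfw.social;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/nsfw.social/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nsfw.social/privkey.pem;

    location ~ /\.well-known/acme-challenge {
        root /var/lib/letsencrypt/;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed upstream, for illustration only
    }
}
EOF
)

# Reads nginx config text on stdin. For every top-level "server { ... }" block it
# collects the listen values and checks for an acme-challenge location; blocks
# without one are printed, one per line. Exit status is 1 if any were found.
audit_acme_locations() {
    awk '
    {
        opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
        if (!inserver && $0 ~ /^[[:space:]]*server[[:space:]]*[{]/) {
            inserver = 1; depth = 0; ports = ""; has = 0
        }
        if (inserver) {
            if ($1 == "listen") { p = $2; sub(/;$/, "", p); ports = ports (ports == "" ? "" : ",") p }
            if ($0 ~ /location.*well-known\/acme-challenge/) has = 1
            depth += opens - closes
            if (depth == 0) {
                if (!has) { print "no acme-challenge location in server block listening on " ports; found = 1 }
                inserver = 0
            }
        }
    }
    END { exit found }'
}

echo "== challenge path only on port 80 =="
printf '%s\n' "$WEAK_CONF" | audit_acme_locations || true
echo "== location copied into the 443 block =="
printf '%s\n' "$FIXED_CONF" | audit_acme_locations && echo "every server block serves the challenge path"
```

To run it against a live box, pipe the real file in (for example `audit_acme_locations < /etc/nginx/sites-enabled/nsfw.social`). Once the 443 block serves the path, a file dropped under the webroot's `.well-known/acme-challenge/` directory should be retrievable with `curl -L` through the HTTP-to-HTTPS redirect, which is exactly what the validator does.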

Thank you so much! That did it! I simply copied the "location ~ /.well-known/acme-challenge" block into the Port 443 section, did an nginx reload, and re-ran the first command and it worked!

Hopefully somebody else will find this saga useful. :slightly_smiling_face:

Thank you again! Much appreciated. Happy New Year!

root@localhost:/etc/letsencrypt/renewal# certbot certonly --cert-name nsfw.social -a webroot -w /var/lib/letsencrypt -d nsfw.social
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nsfw.social
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nsfw.social/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nsfw.social/privkey.pem
   Your cert will expire on 2020-03-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@localhost:/etc/letsencrypt/renewal#

Happy to read that you have found a solution :+1:
