I have two different servers (different IPs) routed to two sub-domains of the same domain, e.g. sub1.domain.com & sub2.domain.com.
My operating system is Ubuntu 16.04. I can connect to that machine via SSH with root privileges, and I’m using nginx 1.10.0 and certbot 0.12.0.
I’m using CloudFlare as my DNS server, so I opted to use the manual option for the certbot command (maybe how to use webroot under CloudFlare is another topic).
It created a challenge that I stated in my TXT records, and then created the certificate environment (placed under the default letsencrypt path).
Up to here everything went well. But now I face 2 issues:
- My nginx sites-available (enabled link) points to the old certificate, but the new one is being used by the web page.
- The sub2 domain is using the certificate too, but there’s no letsencrypt certificate inside it.
I suspect that CloudFlare is somehow managing my server certificates through the record, but I’m not sure this is possible.
Anyway, for SSL routing for 443 inside my nginx “sites” file I have to point to a real cert file, but it is not being used at all. Also, protocols and ciphers are not being used by the server. It looks weird to me.
I ran this command to create the certificate:
sudo certbot -d sub1.domain.com --manual --preferred-challenges dns certonly
I ran this other command to check certificates on sub1.domain.com:
sudo certbot certificates
It produced this output:
[sudo] password for administrador:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/sub1.domain.com/cert.pem (are we offline?)
Found the following certs:
  Certificate Name: sub1.domain.com
    Domains: sub1.domain.com
    Expiry Date: 2017-08-16 09:55:00+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/sub1.domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sub1.domain.com/privkey.pem
I ran this other command to check certificates on sub2.domain.com:
sudo certbot certificates
It produced this output:
[sudo] password for admin:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certs found.
Thank you in advance,