Certificate generation fails with Cloudflare proxy ON

Hello,

I'm using a Direct Admin hosting provider for my website and Cloudflare proxy is set up with Full (Strict) SSL setting for the domain.

When I tried to generate the ACME certificate on Direct Admin, it failed with this log:

Found wildcard domain name and http challenge type, switching to dns-01 validation.
2025/08/22 13:03:37 [INFO] [developmelabs.com, *.developmelabs.com] acme: Obtaining SAN certificate
2025/08/22 13:03:38 [INFO] [*.developmelabs.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2343568537/572652679007
2025/08/22 13:03:38 [INFO] [developmelabs.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2343568537/572652679097
2025/08/22 13:03:38 [INFO] [*.developmelabs.com] acme: use dns-01 solver
2025/08/22 13:03:38 [INFO] [developmelabs.com] acme: Could not find solver for: tls-alpn-01
2025/08/22 13:03:38 [INFO] [developmelabs.com] acme: Could not find solver for: http-01
2025/08/22 13:03:38 [INFO] [developmelabs.com] acme: use dns-01 solver
2025/08/22 13:03:38 [INFO] [*.developmelabs.com] acme: Preparing to solve DNS-01
2025/08/22 13:03:39 2025/08/22 13:03:39 info executing task task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:03:39 2025/08/22 13:03:39 info finished task duration=118.37153ms task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:03:39 2025/08/22 13:03:39 info executing task task=action=dns&do=add&domain=developmelabs.com&name=_acme-challenge&named_reload=yes&ttl=5&type=TXT&value=%22TRcKkyBbNx3pTcd9aRkdOt_3YemcIkLpPsMWkr1k6Jc%22
2025/08/22 13:03:40 2025/08/22 13:03:40 info finished task duration=669.980164ms task=action=dns&do=add&domain=developmelabs.com&name=_acme-challenge&named_reload=yes&ttl=5&type=TXT&value=%22TRcKkyBbNx3pTcd9aRkdOt_3YemcIkLpPsMWkr1k6Jc%22
2025/08/22 13:03:40 [INFO] [*.developmelabs.com] acme: Trying to solve DNS-01
2025/08/22 13:03:40 [INFO] [*.developmelabs.com] acme: Checking DNS record propagation. [nameservers=[2001:4860:4860::8888]:53]
2025/08/22 13:04:10 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2025/08/22 13:04:10 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:04:40 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:05:10 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:05:40 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:06:10 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:06:40 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:07:10 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:07:40 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:08:10 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:08:40 [INFO] [*.developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:09:10 [INFO] [*.developmelabs.com] acme: Cleaning DNS-01 challenge
2025/08/22 13:09:10 2025/08/22 13:09:10 info executing task task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:09:11 2025/08/22 13:09:11 info finished task duration=242.186401ms task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:09:11 [INFO] [developmelabs.com] acme: Preparing to solve DNS-01
2025/08/22 13:09:11 2025/08/22 13:09:11 info executing task task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:09:11 2025/08/22 13:09:11 info finished task duration=149.720304ms task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:09:11 2025/08/22 13:09:11 info executing task task=action=dns&do=add&domain=developmelabs.com&name=_acme-challenge&named_reload=yes&ttl=5&type=TXT&value=%22QcwAvuoVryZQJbfBxf-czhTD1crIG_e5axrYsoBPVGc%22
2025/08/22 13:09:12 2025/08/22 13:09:12 info finished task duration=826.326743ms task=action=dns&do=add&domain=developmelabs.com&name=_acme-challenge&named_reload=yes&ttl=5&type=TXT&value=%22QcwAvuoVryZQJbfBxf-czhTD1crIG_e5axrYsoBPVGc%22
2025/08/22 13:09:12 [INFO] [developmelabs.com] acme: Trying to solve DNS-01
2025/08/22 13:09:12 [INFO] [developmelabs.com] acme: Checking DNS record propagation. [nameservers=[2001:4860:4860::8888]:53]
2025/08/22 13:09:42 [INFO] Wait for propagation [timeout: 5m0s, interval: 30s]
2025/08/22 13:09:42 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:10:12 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:10:42 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:11:12 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:11:42 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:12:12 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:12:42 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:13:12 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:13:42 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:14:12 [INFO] [developmelabs.com] acme: Waiting for DNS record propagation.
2025/08/22 13:14:42 [INFO] [developmelabs.com] acme: Cleaning DNS-01 challenge
2025/08/22 13:14:42 2025/08/22 13:14:42 info executing task task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:14:43 2025/08/22 13:14:43 info finished task duration=109.448752ms task=action=dns&do=delete&domain=developmelabs.com&name=_acme-challenge&type=TXT
2025/08/22 13:14:43 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2343568537/572652679007
2025/08/22 13:14:44 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2343568537/572652679097
2025/08/22 13:14:44 Could not obtain certificates:

error: one or more domains had a problem:

[*.developmelabs.com] propagation: time limit exceeded: last error: authoritative nameservers: NS ingrid.ns.cloudflare.com.:53 did not return the expected TXT record [fqdn: _acme-challenge.developmelabs.com., value: TRcKkyBbNx3pTcd9aRkdOt_3YemcIkLpPsMWkr1k6Jc]:
[developmelabs.com] propagation: time limit exceeded: last error: authoritative nameservers: NS ingrid.ns.cloudflare.com.:53 did not return the expected TXT record [fqdn: _acme-challenge.developmelabs.com., value: QcwAvuoVryZQJbfBxf-czhTD1crIG_e5axrYsoBPVGc]:
Failed to issue new certificate

When I tried again with the DA-provided DNS TXT record added on Cloudflare, with proxy on OR with proxy off (DNS-only mode), Direct Admin was able to generate the certificate. I can't remember which of the above was the correct setting at the time.

Now I'm worried that the renewal will not work when renewal time arrives.

I deleted the ACME certificate from DA for now, and am looking for the best way to proceed with an SSL certificate with proxy on. I'm also hoping to host client websites and would like to know a sure-fire way to generate all SSL certificates and have them renewed automatically, because the clients will depend on me for everything.

Please advise.

Thanks!
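The propagation wait in the log above is the ACME client (lego, which DirectAdmin drives) polling the zone's authoritative nameservers for the `_acme-challenge` TXT record before it lets Let's Encrypt validate. The log's `dns&do=add ... named_reload=yes` task reloads the DA host's own BIND, while the error names Cloudflare's `ingrid.ns.cloudflare.com` as the authoritative server that never returned the record. The following is an added illustration, not code from the thread, from DirectAdmin or from lego: it re-implements that check against constructed DNS answers modelling exactly that split. The challenge name and TXT value come from the log; the server label `da-local-named`, the single-nameserver zone and the fake resolver are assumptions made for the example.

```python
"""dns-01 propagation check, as an ACME client performs it, run against
constructed DNS data. Added example, not DirectAdmin or lego code."""
import time
from typing import Callable, Dict, List, Optional, Tuple

# lookup(name, rtype, server) -> rdata strings. server=None means "ask the
# system's recursive resolver"; otherwise query that nameserver directly.
Lookup = Callable[[str, str, Optional[str]], List[str]]

DOMAIN = "developmelabs.com."
CHALLENGE = "_acme-challenge.developmelabs.com."
TOKEN = "TRcKkyBbNx3pTcd9aRkdOt_3YemcIkLpPsMWkr1k6Jc"   # TXT value from the log
CF_NS = ["ingrid.ns.cloudflare.com."]                   # the NS named in the error


def _canon(name: str) -> str:
    return name.rstrip(".").lower() + "."


def find_authoritative_ns(fqdn: str, lookup: Lookup) -> List[str]:
    """Strip labels from the left until a name with NS records is found.
    That zone's NS set is what the client (and the CA) will query."""
    labels = _canon(fqdn).split(".")
    for i in range(len(labels) - 1):
        ns = lookup(".".join(labels[i:]), "NS", None)
        if ns:
            return sorted(_canon(n) for n in ns)
    raise LookupError(f"no NS records found above {fqdn}")


def check_propagation(fqdn: str, expected: str, lookup: Lookup) -> Tuple[bool, str]:
    """Ask every authoritative server directly (bypassing caches) for the TXT
    record. Succeeds only if all of them return the expected value."""
    for ns in find_authoritative_ns(fqdn, lookup):
        if expected not in lookup(fqdn, "TXT", ns):
            return False, (f"authoritative nameservers: NS {ns}:53 did not return the "
                           f"expected TXT record [fqdn: {_canon(fqdn)}, value: {expected}]")
    return True, "all authoritative nameservers returned the expected TXT record"


def wait_for_propagation(fqdn: str, expected: str, lookup: Lookup,
                         timeout: float = 300.0, interval: float = 30.0,
                         clock: Callable[[], float] = time.monotonic,
                         sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, str]:
    """Poll as the log does (5m timeout, 30s interval) and give up with the
    same 'time limit exceeded' wording. clock/sleep are injectable for tests."""
    deadline = clock() + timeout
    while True:
        ok, detail = check_propagation(fqdn, expected, lookup)
        if ok:
            return True, detail
        if clock() >= deadline:
            return False, "propagation: time limit exceeded: last error: " + detail
        sleep(interval)


def make_fake_lookup(zones: Dict[Optional[str], Dict[Tuple[str, str], List[str]]]) -> Lookup:
    """Constructed stand-in for DNS: zones[server] maps (name, rtype) to answers."""
    def lookup(name: str, rtype: str, server: Optional[str]) -> List[str]:
        return list(zones.get(server, {}).get((_canon(name), rtype), []))
    return lookup


def failing_scenario() -> Lookup:
    """What the log shows: the record lands in DA's local BIND only.
    'da-local-named' is a made-up label for that server."""
    return make_fake_lookup({
        None: {(DOMAIN, "NS"): CF_NS},
        "da-local-named": {(CHALLENGE, "TXT"): [TOKEN]},   # present, but not authoritative
        "ingrid.ns.cloudflare.com.": {},                   # Cloudflare never received it
    })


def fixed_scenario() -> Lookup:
    """Record published in the Cloudflare zone (by API token or by hand).
    Proxy on/off is irrelevant here: TXT records are never proxied."""
    return make_fake_lookup({
        None: {(DOMAIN, "NS"): CF_NS},
        "ingrid.ns.cloudflare.com.": {(CHALLENGE, "TXT"): [TOKEN]},
    })


class FakeClock:
    """Lets wait_for_propagation run its full 5-minute loop instantly."""
    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    for label, lk in (("TXT only in DA's local BIND", failing_scenario()),
                      ("TXT published at Cloudflare", fixed_scenario())):
        clk = FakeClock()
        ok, msg = wait_for_propagation(CHALLENGE, TOKEN, lk, clock=clk.time, sleep=clk.sleep)
        print(f"{label}: {'OK' if ok else 'FAIL'} after {clk.now:.0f}s: {msg}")
```

The first scenario reproduces the log's failure text after the same 300 seconds; the second passes on the first poll. To run the same check against live DNS, swap `make_fake_lookup` for a resolver built on dnspython (`dns.resolver.resolve` for the NS walk, `dns.query.udp` on a `dns.message.make_query` for the direct queries), or simply run `dig +short TXT _acme-challenge.developmelabs.com @ingrid.ns.cloudflare.com` while the client is waiting: an empty answer means the record is not where the validator looks, whatever the proxy setting.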

Turn off the HTTP -> HTTPS redirect on Cloudflare.

Let Cloudflare proxy HTTP and HTTPS independently. Let your server perform the redirect.

You're using dns-01; the proxy is completely irrelevant. It can be a problem with http-01, solved by reading the rest of the post.

dns-01 failing is something that needs familiarity with your client to be solved.

Hi,

Which one? Automatic HTTPS Rewrites to be disabled on CF?

And enable Force SSL with https redirect on DA?

So can I just request cert this way and it will go through?

With this way will all sites be able to create acme certs just by clicking SAVE and also get them renewed at the renewal time without any issues?

Thanks!

If you turn off "Always Use HTTPS" you should be able to issue certificates using http-01 (this means no wildcards).

I have no idea how Direct Admin works, though.


I would like to keep wildcards.

What if both HTTPS options were enabled on CF and disabled on DA?

Would that work?

If you want wildcards you have to use dns-01.
dns-01 should work regardless of whether the proxy (orange cloud) is turned ON or OFF.


Then why did it fail the first time?

So, will the current one auto renew now without issues?

Also how do I select which method it should go with?

I just clicked Save on the Get ACME from provider tab on DA.

You might try the DA forum for help. Yours is a configuration problem with DA and its ability to place / check the TXT record on Cloudflare.

We don't see DA here often but perhaps some other volunteer will have personal experience with it. I do not.

Before posting at the DA forum, be sure to read below. It even uses Cloudflare as the example.

With other ACME clients the most common error we see is people not using the correct Cloudflare token. So, be sure to check that. It is described in the link above.


So let's say I placed the TXT record on Cloudflare DNS and its proxy is on, and DA created a cert successfully. In that case will that cert auto renew properly without errors?

If you did that manually it is (highly) unlikely to renew automatically.

DA has various options to control auto-renew. You'd have to review those settings. Ideally it would offer a way to test renewal so you wouldn't have to guess (as much). Stand-alone ACME Clients often have ways to do that but, as noted, I don't know DA very well.

System configurators like DA often coordinate multiple components and you want them all to work properly. The DA forum experts are best suited for that.


Ok, so now I have deleted the ssl from DA.

CF proxy is on.

No wildcards on DA.

It still doesn’t generate the certificate.

Should the proxy be disabled when generating for the first time and can it be enabled later without any effect on the renewal?
Should the “Always use https” or “redirect http to https” options be disabled on CF at all times?

Is there an error message? That isn't enough info to suggest a remedy.

With a DNS challenge that doesn't matter.


No error messages. Nothing on DA when I tried with CF proxy on.

Now I tried with CF proxy off (dns only) and still the same. Nothing on the Messages section.

These are the last entries I have, and there is nothing in the SSL Certificates section.

Isn't this an HTTP challenge? Because there is no CF token used.

The DA forum best place to ask why that is. Or review the Troubleshooting guide in their docs. It's just below the topic I linked earlier.

An HTTP challenge can work with or without "Always Use HTTPS", but only if DA sets up your origin server to support that. If it doesn't, there are several ways to configure Cloudflare to support that. See: Cloudflare "Let's Verify You Are Human" stopping letsencrypt challenge - #10 by linkp

What DA requires in this case is best derived from their docs or forum. See: https://forum.directadmin.com/

Generally, all the problems you have described are in using and configuring Direct Admin. I am sure you will get better results from the experts at the DA forum.


Do you expect clients to connect to your server without Cloudflare? If not, you can use the Cloudflare Origin CA and forget about renewal altogether.

