Certificates are not renewing

Hi,

My domain is: sherlokserial.ru

The operating system my web server runs on: CentOS 7

My hosting provider: Inferno Solutions. Proxied through CloudFlare with Full (strict) encryption mode.

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: Control Web Panel


As of late, several of my domains aren't receiving certificate updates. I use the built-in feature in Control Web Panel (CWP) to auto-renew (and force-renew manually) my certificates, but it no longer works. There are no errors when I try to renew a certificate, and CWP shows me the new expiration date correctly (89 days, which is shown in the screenshot).

But when I check the SSL state of my website on ssllabs.com, it shows the old expiration date: Tue, 14 Jun 2022 14:28:50 UTC (expires in 14 hours and 44 minutes). Same in my web browser. If I check crt.sh | sherlokserial.ru, it shows updated entries.

I have at least 3 domains with the same problem.

Hi @Slavison, and welcome to the LE community forum :slight_smile:

This is a very strange case; usually CF handles everything required for cert renewals, especially when it is being used as the authoritative DNS server:

sherlokserial.ru        nameserver = alec.ns.cloudflare.com
sherlokserial.ru        nameserver = beth.ns.cloudflare.com

The only "inconsistency" that I can find is that the cert being used is a wildcard cert [which has not been renewed].
The certs being renewed are for "sherlokserial.ru" and "www.sherlokserial.ru".
See: crt.sh | sherlokserial.ru

Perhaps if you could switch CF to not use the wildcard cert then things might improve.


Thanks for your answer, rg305!

I didn't know that CF can install and manage Let's Encrypt certificates for me. There was a warning on the 'Edge Certificates' page, saying that I must validate the ACME challenge through TXT DNS records.

I removed the certificate from my server, validated TXT records in CF and changed encryption mode from Full (strict) to Flexible. Now everything works as expected.

As far as I understand, there is no need to install certs on my server if a website is fully proxied through CF. Is that correct?

Using Flexible does not need a cert on your origin server, as the Cloudflare edge will use HTTP to communicate with your origin server. However, I quote from the Cloudflare docs:

If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.

You can view Cloudflare's docs about the pros and cons of its various options:

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/


That depends entirely on your definition of "fully proxied" and your tolerance of MITM manipulation/eavesdropping.
If any portion of the connection is via HTTP, that part is exposed to such actions.
If your server IP responds to HTTP requests from all IPs, then the possibility exists that someone can reach your server insecurely.
I try not to leave anything to chance, so I encrypt everything that can be encrypted.

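The two replies above make the same point: with Flexible mode the edge-to-origin leg is plain HTTP, and if the origin answers port 80/443 for any source IP, anyone who learns the origin address can talk to it directly, bypassing Cloudflare. The following is an added example, not code from this thread, from CWP or from Cloudflare: it scans a constructed web-server access log for requests whose TCP peer address is outside Cloudflare's published edge ranges (the list is a hand-copied snapshot of https://www.cloudflare.com/ips-v4 and /ips-v6 and is assumed current), and emits firewalld commands for a CentOS 7 origin that allow ports 80 and 443 only from those ranges. The log lines, IPs and zone name are constructed for the example.

```python
"""Added example: find requests that reached the origin without passing through
Cloudflare, and build firewalld rules (CentOS 7) that restrict 80/443 to
Cloudflare's edge ranges.  Not code from the thread, CWP or Cloudflare."""
import ipaddress
import re

# Cloudflare's published edge ranges, hand-copied from
# https://www.cloudflare.com/ips-v4 and /ips-v6 when this example was written.
# Assumption: the snapshot is current; fetch the live lists before deploying.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CF_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_RANGES]

# Combined-format access log line.  The first field must be the raw TCP peer
# address (Apache %h without mod_remoteip, nginx $remote_addr), NOT the client
# IP restored from CF-Connecting-IP, or every proxied request looks "direct".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def is_cloudflare(ip: str) -> bool:
    """True if ip lies inside one of Cloudflare's published edge ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the peer field
        return False
    return any(addr in net for net in CF_NETS)


def direct_hits(log_lines):
    """Return (peer_ip, request_line, status) for requests that bypassed Cloudflare."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not is_cloudflare(m.group("ip")):
            hits.append((m.group("ip"), m.group("req"), int(m.group("status"))))
    return hits


def firewalld_rules(zone="public", ports=(80, 443)):
    """firewalld commands: drop the wide-open http/https services, then accept
    the ports only from Cloudflare.  Other sources fall through to the zone
    default (reject for 'public').  SSH and other services are untouched."""
    cmds = [f"firewall-cmd --permanent --zone={zone} --remove-service={svc}"
            for svc in ("http", "https")]
    for net in CF_NETS:
        family = "ipv4" if net.version == 4 else "ipv6"
        for port in ports:
            cmds.append(
                f"firewall-cmd --permanent --zone={zone} --add-rich-rule="
                f"'rule family=\"{family}\" source address=\"{net}\" "
                f"port port=\"{port}\" protocol=\"tcp\" accept'"
            )
    cmds.append("firewall-cmd --reload")
    return cmds


# Constructed sample log: three requests via Cloudflare edges (two IPv4, one
# IPv6) and two that hit the origin IP directly.
SAMPLE_LOG = [
    '162.158.88.10 - - [14/Jun/2022:09:11:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '172.71.10.5 - - [14/Jun/2022:09:11:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '2a06:98c0:3600::103 - - [14/Jun/2022:09:11:09 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2022:09:12:40 +0000] "GET /wp-login.php HTTP/1.0" 200 2048 "-" "curl/7.79.1"',
    '198.51.100.77 - - [14/Jun/2022:09:13:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.27"',
]

if __name__ == "__main__":
    for ip, req, status in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin: {ip} {req!r} -> {status}")
    print("\n".join(firewalld_rules()))
```

Two caveats when using this on a real origin. First, restricting the firewall only closes the bypass; it does not encrypt the Cloudflare-to-origin leg, so keep a cert on the origin and Full (strict) mode if that leg crosses a network you do not trust. Second, because the site is proxied, Let's Encrypt's HTTP-01 validation requests resolve to Cloudflare and arrive at the origin from a Cloudflare edge IP, so the allow-list does not break CWP's renewals; it would break them for any hostname that is not proxied (grey-cloud in the Cloudflare DNS panel).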

Now I understand. Thank you for your time, rg305 and MikeMcQ.

