Certificates are not renewing

Slavison · June 14, 2022, 12:35am

Hi,

The operating system my web server runs on: CentOS 7

My hosting provider: Inferno Solutions. Proxied through CloudFlare with Full (strict) encryption mode.

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: Control Web Panel

As of late several of my domains aren't receiving certificate updates. I use the built-in feature in Control Web Panel (CWP) to auto-renew (and force-renew manually) my certificates, but it no longer works. There are no errors when i try to renew a certificate, and CWP shows me the new expiration date correctly (89 days, which is shown in the screenshot).

But when i check the ssl state of my website on ssllabs.com, it shows the old expiration date: Tue, 14 Jun 2022 14:28:50 UTC (expires in 14 hours and 44 minutes). Same in my web browser. If i check crt.sh | sherlokserial.ru - it shows updated entries.

I have at least 3 domains with the same problem.

rg305 · June 14, 2022, 12:44am

Hi @Slavison, and welcome to the LE community forum

This is a very strange case; Usually CF handles everything required for cert renewals - especially when it is being used as authoritative DNS servers:

sherlokserial.ru        nameserver = alec.ns.cloudflare.com
sherlokserial.ru        nameserver = beth.ns.cloudflare.com

The only "inconsistency" that I can find is that the cert being used is a wildcard cert [which has not been renewed].
The certs being renewed are for "sherlokserial.ru" and "www.sherlokserial.ru".
See: crt.sh | sherlokserial.ru

Perhaps if you could switch CF to not use the wildcard cert then things might improve.

Slavison · June 14, 2022, 2:03am

Thanks for your answer, rg305!

I didn't know that CF can install and manage Let's Encrypt certificates for me. There was a warning on the 'Edge Certificates' page, saying that i must validate acme challenge through TXT DNS records.

I removed the certificate from my server, validated TXT records in CF and changed encryption mode from Full (strict) to Flexible. Now everything works as expected.

As far as i understand, there is no need to install certs on my server, if a website is fully proxied through CF. Is that correct?

MikeMcQ · June 14, 2022, 2:44am

Using Flexible does not need a cert on your origin server as Cloudflare edge will use HTTP to communicate to your origin server. However, I quote from Cloudflare docs:

If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.

You can view Cloudflare's docs about the pros and cons of its various options:

rg305 · June 14, 2022, 1:05pm

That depends entirely on your definition of "fully proxied" and your tolerance to MiTM manipulation/eavesdropping.
If any portion of the connection is via HTTP, that part is exposed to such actions.
If your server IP responds to HTTP requests from all IPs, then the possibility exists that someone can reach your server insecurely.
I try not to leave anything to chance, so I encrypt everything that can be encrypted.

Slavison · June 14, 2022, 6:37pm

Now i understand. Thank you for your time, rg305 and MikeMcQ.

system · July 14, 2022, 6:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.