Challenge failed for domain. Is cloudflare the issue?

Hi!
It's time to renew my certificates again, and the http-01 challenge fails:

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for emilmoberg.com
http-01 challenge for www.emilmoberg.com
Waiting for verification...
Challenge failed for domain emilmoberg.com
Challenge failed for domain www.emilmoberg.com
http-01 challenge for emilmoberg.com
http-01 challenge for www.emilmoberg.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: emilmoberg.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.emilmoberg.com/.well-known/acme-challenge/dTB5ORoJvHNgtYoeekiCu00yNLfA1OzqzLMCAqxwJyA
   [2606:4700:3032::ac43:d7b5]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.17.10 (U"

   Domain: www.emilmoberg.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.emilmoberg.com/.well-known/acme-challenge/zSwU0CfQWS8fhj_842a0COxYA2S84KEdBIVkauc8Rl8
   [2606:4700:3032::6812:2f28]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.17.10 (U"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I ran into the same issue I ran into last time, a couple of months ago. At that time, I solved it by changing nameservers from Cloudflare to DigitalOcean's nameservers, and disabled https redirects from the nginx server blocks (back to how it was when I first created the certificates...)
That was a hassle, but it did not fail then.

(My certificate emilmoberg.com contains domains emilmoberg.com and www.emilmoberg.com)

This is my server block, which redirects all traffic to https://www.emilmoberg.com:

server {

    if ($host = emilmoberg.com) {
        return 301 https://www.emilmoberg.com$request_uri;
    }

    server_name emilmoberg.com www.emilmoberg.com;
    root /var/www/emilmoberg.com/public_html;

    index index.html index.htm index.php;

    location / {
        try_files $uri $uri.html $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/emilmoberg.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/emilmoberg.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.emilmoberg.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = emilmoberg.com) {
        return 301 https://www.$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name emilmoberg.com www.emilmoberg.com;
    return 404; # managed by Certbot
}

I also use Cloudflare TLS/SSL.

So my question is what is causing the challenges to fail?
What can I do to make renewals go without problems?

emilmoberg.com is only one of my domains, but all of my other personal websites with the same configuration have the same issue.


So, I tried to disable TLS/SSL on Cloudflare and then renew using certbot renew --dry-run
And it worked.

But in the future to have this renewal automatic, I shouldn't need to turn off cloudflare full encryption, right?


Hi @3mil

that's

your root. So use the webroot authenticator, not --nginx.

See


emil@blablabla:~$ sudo certbot renew --cert-name emilmoberg.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/emilmoberg.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for emilmoberg.com
http-01 challenge for www.emilmoberg.com
Cleaning up challenges
Attempting to renew cert (emilmoberg.com) from /etc/letsencrypt/renewal/emilmoberg.com.conf
produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for emilmoberg.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/emilmoberg.com/fullchain.pem (failure)

When using the webroot authenticator, I get that error.
However, if I add --webroot-path /var/www/emilmoberg.com/public_html, it does work.
What can be done now to automate the renewal process?
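The 404 in the first post was returned for https://www.emilmoberg.com/... through a Cloudflare proxy address (2606:4700::/32 is Cloudflare's range), so the validator was redirected to the HTTPS site and nothing there served the token. The following is an added example configuration, not the poster's or Certbot's own, that serves /.well-known/acme-challenge/ from the same webroot in both server blocks and keeps the redirect inside location / (a server-level if with return runs before location matching, so it would redirect the challenge request as well); hostnames and paths are the ones from the post.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name emilmoberg.com www.emilmoberg.com;

    # Token files written by certbot's webroot authenticator, served over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/emilmoberg.com/public_html;
        default_type text/plain;
    }

    # Everything else goes to the canonical HTTPS host.
    location / {
        return 301 https://www.emilmoberg.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name emilmoberg.com www.emilmoberg.com;
    root /var/www/emilmoberg.com/public_html;
    index index.html index.htm index.php;

    ssl_certificate /etc/letsencrypt/live/emilmoberg.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/emilmoberg.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Cloudflare may redirect the validator to https:// before nginx sees it, so answer here too.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/emilmoberg.com/public_html;
        default_type text/plain;
    }

    # Bare domain -> www for ordinary requests only; the ^~ location above matches first.
    location / {
        if ($host = emilmoberg.com) {
            return 301 https://www.emilmoberg.com$request_uri;
        }
        try_files $uri $uri.html $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location ~ /\.ht { deny all; }
}
```

After one successful run of certbot certonly --webroot -w /var/www/emilmoberg.com/public_html --cert-name emilmoberg.com -d emilmoberg.com -d www.emilmoberg.com, certbot records the webroot authenticator and path in /etc/letsencrypt/renewal/emilmoberg.com.conf, so the scheduled certbot renew no longer needs the --webroot-path flag.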

You might want to read how SSL works with Cloudflare and consider getting a Cloudflare Origin CA certificate instead of a Let's Encrypt certificate.