Cloudflare Cache Blocking Renewal?

My domain is: osf.dev

I ran this command: certbot renew

It produced this output:

Type: unauthorized
Detail: Invalid response from
https://osf.dev/.well-known/acme-challenge/90n6Y2LLR6VenIaWz0meLKts0F7DAWsLirfM92cre_Y
[2606:4700:20::6819:7f14]: "\n<html
lang="en-US">\n\n<meta charset="utf-8">\n<meta
name="viewport" content="width=device-width,initial-scal"

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: vexxhost

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

This is partially referencing this post: LetsEncrypt Renewal Failing with CloudFlare enabled IPv6 --> IPv4

In this post I noticed that disabling Cloudflare, then re-enabling it to the origin server solved the issue. The certificates would issue / renew as expected. Note this not only works when disabling it, but also if I re-enable it immediately, it starts working again.

Once again, the certificate suddenly failed to renew. Looking into it the same action worked. Disable cloudflare to origin, re-enable cloudflare to origin.

I’m really just posting here to see if anyone else has experienced this. I’m putting in a page rule on Cloudflare to disable the cache to origin for /.well-known/* URLs; we will see if it works going forward. But even if it does, should this even be necessary?

Any insight appreciated.

It’s not an uncommon problem.

From the previous instances I’ve seen, the issue is usually that the Certbot authenticator that you’re using would only succeed over port 80 (which is usually fine), but Cloudflare always talks to your site directly over port 443.

In that case, the solution would be to tune your authenticator and/or webserver config to make it succeed over either protocol.

To begin with, what authenticator are you using?

cat /etc/letsencrypt/renewal/osf.dev.conf
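The reply above describes the usual cause: the challenge path is only reachable on port 80 at the origin, while a proxied Cloudflare request reaches the origin over 443. The following nginx configuration is an added illustration of the suggested fix, not configuration from the thread or from the poster's server. It assumes a webroot-style authenticator with /var/www/acme as the webroot and /etc/nginx/snippets/acme.conf as a shared include; the certificate paths are certbot's defaults for osf.dev.

```nginx
# Added example (not from the thread): serve ACME HTTP-01 challenges from one
# fixed webroot on BOTH port 80 and port 443, so a request that reaches the
# origin over HTTPS (as Cloudflare's proxy does) still finds the token file.
# Assumed paths: /var/www/acme (webroot) and snippets/acme.conf (shared include).

# /etc/nginx/snippets/acme.conf
location ^~ /.well-known/acme-challenge/ {
    # ^~ is a prefix match that wins over regex locations, so a catch-all
    # rule for the site cannot swallow the challenge URL.
    root /var/www/acme;
    default_type text/plain;
    try_files $uri =404;
}

# /etc/nginx/sites-available/osf.dev
server {
    listen 80;
    listen [::]:80;
    server_name osf.dev;

    include snippets/acme.conf;          # challenge over plain HTTP

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name osf.dev;

    ssl_certificate     /etc/letsencrypt/live/osf.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/osf.dev/privkey.pem;

    include snippets/acme.conf;          # same challenge location over HTTPS

    location / {
        root /var/www/osf.dev;           # assumed site root
    }
}
```

With this layout the renewal configuration shown by the `cat` command above would carry `authenticator = webroot` and `webroot_path = /var/www/acme`, and it no longer matters whether the validation request arrives on port 80 or, via the Cloudflare proxy, on port 443. A quick check after reloading nginx is to place a file under /var/www/acme/.well-known/acme-challenge/ and fetch it with `curl` over both `http://` and `https://` through the proxied hostname; both should return the file body rather than the site's HTML.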
