Cloudflare ssl let's encrypt certificate expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dome.gallery

I ran this command:

It produced this output:
nginx-letsencrypt | [Mon Oct 4 23:49:07 UTC 2021] dome.gallery:Verify error:Invalid response from https://dome.gallery/.well-known/acme-challenge/L7bjXykjSeA12MICOU0EFEsWu8VJwZx7IPxoUmiXkg4 [2606:4700:3035::ac43:a4a7]:

My web server is (include version): nginx

The operating system my web server runs on is (include version):
Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64)

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

If your DNS resolves to an IPv6 address, there must be a functional web site there, as LE prefers IPv6 over IPv4 (when present).

curl -Iki6 http://dome.gallery/
HTTP/1.1 301 Moved Permanently
Location: https://dome.gallery/
curl -Iki6 https://dome.gallery/
HTTP/2 526
content-length: 0

As that is a CloudFlare IP, I would take this up with them.

1 Like

FYI, just contact Cloudflare technical support and request that they reissue your CF edge certificate using Digicert instead of Letsencrypt. CF has stated that is an acceptable request besides the other option which is paid - upgrading to Cloudflare ACM - Advanced Certificate Management product at $10/month where you can reissue your own custom CF edge certificates and choose your CA provider Digicert or Letsencrypt.

@eva2000
How will that overcome the 526 error shown when connecting to his site securely via IPv6?

I see. If he is using Cloudflare FULL Strict SSL, then there's a validation of the origin server side SSL certificate at play. You can try switching from CF Full Strict SSL to CF Full non-strict SSL mode and see if that works. If the origin server is using a Letsencrypt SSL cert with the longer default Letsencrypt chain, or if the Letsencrypt SSL cert has expired, then you can possibly get a CF 526: Community Tip - Fixing Error 526: Invalid SSL certificates - Tutorials - Cloudflare Community

@willemo you can also use curl to bypass and check your origin SSL certificate/HTTPS config to see if it's returning a valid SSL certificate

So, in SSH on the command line, populate the domain variable with your domain name and the IP variable with your origin server's real IP address (replacing your_origin_real_ip_address), then run the curl command and only post the output you get from that curl command:

domain=dome.gallery
ip=your_origin_real_ip_address
curl -sIv https://$domain --resolve $domain:443:$ip 2>&1 | sed -e "s|$ip|ipaddress|g"

Note, you won't be able to run this curl resolve command if you have Cloudflare Authenticated Origin Pull certificates configured on your origin server as that would only allow CF Edge server requests to your origin via a client TLS certificate verification. Nor would curl command work if you are using CF Argo Tunnel and have configured a cloudflared daemon tunnel to secure your origin server from direct real IP origin access.

Also if you're using Cloudflare, you can use Cloudflare DNS API with a supporting ACME client like acme.sh to use DNS API domain validation instead of web root validation.

2 Likes
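The same origin check as the curl --resolve command above, written as an added Python example (not code from the thread or from Cloudflare): it connects to the origin's real IP while sending the public hostname as SNI, verifies the chain against the local CA store, and reports the OpenSSL verify reason (expired, self-signed, unknown CA) or the remaining validity. The domain, IP and port are assumed to be supplied on the command line.

```python
"""Check an origin server's TLS certificate directly, bypassing Cloudflare."""
import socket
import ssl
import sys
import time

# OpenSSL X509 verify codes as surfaced in SSLCertVerificationError.verify_code
VERIFY_CODES = {
    2: "unknown CA (issuer certificate not available)",
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate (incomplete chain or stale CA store)",
}


def classify(verify_code):
    """Map an OpenSSL verify code to the diagnosis a 526 troubleshooter wants."""
    return VERIFY_CODES.get(verify_code, "verification failed (code %d)" % verify_code)


def days_until(not_after, now):
    """Whole days from `now` (epoch seconds) until a cert's notAfter string."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check_origin(domain, ip, port=443, timeout=5.0):
    """Equivalent of `curl --resolve domain:443:ip https://domain`.

    Returns (ok, detail): ok is True only if the chain validates against the
    system CA store (the same check Cloudflare Full (strict) performs).
    """
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return False, classify(e.verify_code)
    except (ssl.SSLError, OSError) as e:
        return False, "connection failed: %s" % e
    days = days_until(cert["notAfter"], time.time())
    return True, "chain valid, expires in %d days (notAfter=%s)" % (days, cert["notAfter"])


if __name__ == "__main__":
    # usage: python check_origin.py dome.gallery <origin_ip> [port]
    host, addr = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    ok, detail = check_origin(host, addr, port)
    print(("OK: " if ok else "FAIL: ") + detail)
```

Unlike curl's generic "SSL certificate problem" line, the verify code tells you whether the origin's cert is expired, self-signed, or simply unknown to the origin-checking client's CA store.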

I'm still getting this error for www.dome.gallery & dome.gallery
nginx-letsencrypt | [Wed Oct 6 00:44:09 UTC 2021] dome.gallery:Verify error:Invalid response from https://dome.gallery/.well-known/acme-challenge/ZF-3WPddbZXOicZrE0Dch0DZHQcKPubxeQYOMsGKhkQ [2606:4700:3035::6815:3acd]:
nginx-letsencrypt | [Wed Oct 6 00:44:18 UTC 2021] www.dome.gallery:Verify error:Invalid response from https://www.dome.gallery/.well-known/acme-challenge/dTwZcHmaLgldSGWKWOzkSSjZYA-Y-WhdZwgJHaGKG6U [2606:4700:3035::ac43:a4a7]:

along with the 526 Invalid SSL certificate Error.

I still don't understand how to ignore the expired SSL cert, and create a new one :frowning: ?

Hi @willemo,

I would suggest trying some of the tips from @eva2000... it seems like your origin server (the one that you run, that is behind Cloudflare) has an expired certificate and you have the "full strict" option turned on, which is enforcing validation of it. If you, for example, turn that option off temporarily, it should be possible to renew your certificate on your origin server—or at least get a different and more useful error message!

1 Like

OK I see it now:
CloudFlare offers IPv4 and IPv6 CDN IPs.

curl -4  http://dome.gallery/  WORKS
curl -6  http://dome.gallery/  WORKS

curl -4 https://dome.gallery/  FAILS
curl -6 https://dome.gallery/  FAILS

I also concur with @eva2000

1 Like

Hi, thanks for your help, I got this result:

* Added dome.gallery:443:ipaddress to DNS cache
* Hostname dome.gallery was found in DNS cache
* Trying ipaddress:443...
* TCP_NODELAY set
* Connected to dome.gallery (ipaddress) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1351 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self signed certificate
* Closing connection 0

It confirms a cert problem :frowning:

2 Likes

Well, I think I have fixed this problem, but I will wait and test a little more.
I executed the cmd update-ca-certificates and rebuilt the container with Full (strict),
and it's working now.

2 Likes

Thanks for all the help. I am learning as I go and appreciate this forum.

2 Likes

Yup, it was your CA cert expiry on the origin server, with the curl resolve clue:

TLSv1.2 (OUT), TLS alert, unknown CA (560):

May I ask what form of container you were using? Docker or LXC/LXD?
