Errors behind Cloudflare

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
A lot of domains with the same issue behind Cloudflare
I ran this command:
certbot 0.31.0
It produced this output:

My web server is (include version):
nginx/1.14.0

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Hi,

I know there are other messages about this, but they are old and I don't understand the reason.

I have a web server with a lot of different domains, but I have a few that are behind Cloudflare and I can't renew them. I tried following this How to get a Let's Encrypt certificate while using CloudFlare (2015), but it doesn't work, and the error certbot shows is:

Invalid response from /.well-known/acme-challenge/KiLitU7rygw62szA9zkpIJeQc2xMXCf9C94gLU92DS8 [2606:4700::6812:7a1]: "\n\n<!--[if IE 7]> <html class="no-js "

certbot.errors.FailedChallenges: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from

And I have the other certs working fine with the same config. In Cloudflare we have disabled "Always HTTPS" and set "SSL mode" to Full. So I can see .well-known/acme-challenge/testfile over HTTP and HTTPS on all domains, but the error says it

My question:
Why does it give the error "Failed authorization" when the domain is behind Cloudflare?
**If you can see the .well-known/acme-challenge/testfile file, what other Let's Encrypt authentication is executed to validate, and which one does Cloudflare not allow?**

Regards

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Sorry you're running into trouble. The "failed authorization" error message is very common and you haven't specified any affected domain names, so we will need further information in order to be able to help.

Are all of the affected domain names running nginx/1.14.0 on Ubuntu 18.04.5 LTS?

Are you using a load balancer?

What is the complete output of certbot?

Could be secondary validation. Depends on the specific error.

There is almost certainly a better way to get your certificates. You should probably be using Cloudflare Origin CA certificates (instead of Let's Encrypt certificates) to encrypt traffic between your webservers and Cloudflare:
https://support.cloudflare.com/hc/en-us/articles/115000479507

1 Like

If you could provide one of the domain names that is having this problem, we may be better able to provide some useful troubleshooting results.

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

1 Like

Certbot's --nginx plugin doesn't work with Cloudflare sites if you have the "Full" or "Strict" setting on.

For now, the best solution is to use the --webroot plugin instead.

A less secure alternative is to use the "Flexible" setting.

2 Likes

Are all of the affected domain names running nginx/1.14.0 on Ubuntu 18.04.5 LTS?

No, I have others on nginx/1.10.2 on CentOS 6.10 with certbot 1.9.0 with the same problem but different domains. All domains with problems are behind Cloudflare.

Are you using a load balancer?
Yes

What is the complete output of certbot?
For example, this domain:

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for spm.heritagesports.eu
Using the webroot path /var/www/html/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. spm.heritagesports.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://spm.heritagesports.eu/.well-known/acme-challenge/W635fXFcyDygnsagMKYmeLiOlDf4l5eOJP3kjTwKqm0 [2606:4700::6812:6a1]: "\n\n<!--[if IE 7]> <html class="no-js "

IMPORTANT NOTES:

Could be secondary validation. Depends on the specific error.
Which second validation?

We want to have a cert for a specific subdomain, which we host separately from all other domains.

2 Likes

Have you tried using certbot with --webroot?


With this domain in particular, it looks like it's being blocked due to Cloudflare Page Rules or some other setting.

Try visiting http://spm.heritagesports.eu.

This is what I see. The request is not even being sent to your server; it stops at Cloudflare's edge.

1 Like

Yes, I tried with certbot and certbot-auto:
certbot certonly --webroot -w /usr/share/nginx/html -d

  1. I see the site; I checked from other locations without issues.
  2. We don't have any Cloudflare Page Rules.

Try placing a test text file in the expected challenge location:
/usr/share/nginx/html/.well-known/acme-challenge/test-file-1234
[You may need to create the missing folders]
Then try accessing it via the Internet:
http://your.domain/.well-known/acme-challenge/test-file-1234

Is it accessible?


2 Likes

4/6 locations I checked gave me a 403:

[root@p ~]# curl -i spm.heritagesports.eu
HTTP/1.1 403 Forbidden

root@syd-01:~# curl -i spm.heritagesports.eu
HTTP/1.1 403 Forbidden

root@au:~# curl -i spm.heritagesports.eu
HTTP/1.1 403 Forbidden

$ curl -i spm.heritagesports.eu
HTTP/1.1 403 Forbidden

2/6 gave me the normal HTTP 200 (301):

root@north:~# curl -i spm.heritagesports.eu
HTTP/1.1 301 Moved Permanently

root@letsdebug:~# curl -i spm.heritagesports.eu
HTTP/1.1 301 Moved Permanently

It sounds like you have the Cloudflare security rules cranked up to the max. Try lowering them temporarily.

3 Likes
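The test-file check suggested above and the multi-location curl probe in this reply can be scripted together. This is an added example, not code from the thread or from Certbot: it creates the file that --webroot would place, and classifies a raw `curl -i` response so that a Cloudflare edge block (the request never reaches nginx) is told apart from an origin answer. It assumes POSIX sh, curl, sed and awk; the domain, token and sample responses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): probe an http-01 challenge URL the way
# the thread does with curl, and classify the answer.
# Assumes POSIX sh, curl, sed, awk; domain/token values are placeholders.

# place_test_file WEBROOT TOKEN  - create the file certbot --webroot would create
place_test_file() {
    mkdir -p "$1/.well-known/acme-challenge" &&
    printf '%s\n' "$2" > "$1/.well-known/acme-challenge/$2"
}

# classify_acme_response RAW_CURL_OUTPUT EXPECTED_BODY
# prints: origin-ok | origin-wrong-content | redirect | edge-block | error
classify_acme_response() {
    resp=$(printf '%s' "$1" | tr -d '\r')   # strip CRLF from curl -i output
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    server=$(printf '%s\n' "$resp" | awk -F': *' 'tolower($1)=="server"{print tolower($2); exit}')
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')    # everything after the header block
    case "$status" in
        200) case "$body" in
                 *"$2"*) echo origin-ok ;;
                 *)      echo origin-wrong-content ;;   # e.g. an HTML page instead of the token
             esac ;;
        301|302|307|308) echo redirect ;;   # "Always Use HTTPS" or an nginx rewrite
        403|503)
            # Cloudflare answers firewall/WAF blocks itself, with Server: cloudflare
            if [ "$server" = cloudflare ]; then echo edge-block; else echo error; fi ;;
        *) echo error ;;
    esac
}

# probe_acme_path DOMAIN TOKEN - live check over the network, same URL shape as the thread
probe_acme_path() {
    classify_acme_response "$(curl -si "http://$1/.well-known/acme-challenge/$2")" "$2"
}

# Constructed sample responses (not captured from the real domain)
SAMPLE_EDGE='HTTP/1.1 403 Forbidden
Server: cloudflare
CF-RAY: 0000000000000000-XXX
Content-Type: text/html

<!--[if IE 7]> <html class="no-js">blocked</html>'

SAMPLE_OK='HTTP/1.1 200 OK
Server: cloudflare
Content-Type: text/plain

test-file-1234'
```

Run `probe_acme_path your.domain test-file-1234` from several networks; a mix of `edge-block` and `origin-ok` points at a Cloudflare firewall setting rather than at nginx.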

Yes.
_az is right, Cloudflare was blocking all traffic FROM these IPs.

Thanks

1 Like

Do you have the validation IPs from Let's Encrypt, to add them to the whitelist?

No, it's not possible to whitelist them: https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server

Whitelisting the /.well-known/acme-challenge/* URL prefix is possible, though.

3 Likes
