Failed to connect to 104.28.3.182:443 for TLS-SNI-01 & Cloudflare

Hello,

I use Cloudflare and this is blocking creating or renewing certs. Is there a way to fix it?

Error:
Attempting to renew cert from /etc/letsencrypt/renewal/www.anzah.cloud.conf produced an unexpected error: Failed authorization procedure. www.anzah.cloud (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.28.3.182:443 for TLS-SNI-01 challenge. Skipping.

Hi,

You can’t use TLS-SNI-01 if your site is behind Cloudflare. (It tries to make a change to the TLS configuration on your server, but if you’re behind Cloudflare, then Cloudflare, not you, controls the TLS configuration of the server that the general public actually connects to.)

You can use HTTP-01 or DNS-01 instead.

If you need more help doing so, you should fill in all of the answers for the Help template. The template will come up automatically if you start a Help thread. Thanks!

"If you need more help doing so, you should fill in all of the answers for the Help template"
I have no help template oO?

How do I use HTTP-01 or DNS-01 on Apache to renew the cert?

The Help template appears when first starting a new topic in the Help category. It looks like this:

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Sorry, but I haven't seen this.

My domain is:
Some; one is anzah.cloud

I ran this command:
certbot renew --dry-run

It produced this output:
Processing /etc/letsencrypt/renewal/anzah.cloud.conf

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',)
Attempting to renew cert from /etc/letsencrypt/renewal/anzah.cloud.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',). Skipping.

My operating system is (include version):
Debian GNU/Linux 8.7 (jessie)

My web server is (include version):
Apache/2.4.10 (Debian)

My hosting provider, if applicable, is:
Hetzner, VServer

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Aha! So, certbot renew can’t work if you obtained a certificate with --manual. The idea is that certbot renew is meant to be run unattended (usually from cron), so it doesn’t make sense to use --manual, which requires you to take specific steps at specific times. certbot --manual is only meant to be run interactively.

One alternative would be to run certbot certonly --manual --force-renewal -d anzah.cloud (if www.anzah.cloud is also covered in the same certificate, then you would add another -d www.anzah.cloud to the same command, and similarly for any other domain that is covered by that certificate). Then the manual process will be run through again, and the new certificate will be available at the end at the same path in /etc/letsencrypt/live/anzah.cloud where the previous certificate was.

So I have to create an own cronjob for each domain?

Why did you use --manual originally? Was it necessary for some reason in your setup?

I would say that if you’ve used --manual, Certbot currently doesn’t offer any support for automated renewals at all, so you have to do some kind of scripting or automation work on your own to make them work. This is something that leads me to discourage the use of --manual as much as possible.

How should I renew a cert with Cloudflare automatically?
The only way I see atm is that I deactivate Cloudflare :'(

You can use the webroot method, or the dns-01 challenge.
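As an added example (not code from the thread or from Certbot itself), here is a small POSIX shell helper that first finds the renewal configs that were obtained with `--manual` and therefore fail under unattended `certbot renew`, as the `PluginError` above shows, and then builds the `certbot certonly --webroot` command that re-issues the certificate with HTTP-01 through the webroot plugin, which does work behind Cloudflare because the challenge file is served over plain HTTP from your own document root. The renewal directory `/etc/letsencrypt/renewal` and the webroot `/var/www/html` are assumptions; adjust them to your Apache setup.

```shell
#!/bin/sh
# Added example, not part of the thread or of Certbot. Assumed paths:
# renewal configs in /etc/letsencrypt/renewal, Apache webroot /var/www/html.

# Print each renewal conf under $1 whose [renewalparams] uses the manual
# plugin. These are the certificates "certbot renew" will skip when run
# non-interactively (e.g. from cron).
find_manual_renewals() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Tolerate varying whitespace around "authenticator = manual".
        if grep -Eq '^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*manual[[:space:]]*$' "$conf"; then
            echo "$conf"
        fi
    done
}

# Build the certonly command that re-issues a certificate via HTTP-01 using
# the webroot plugin. $1 is the webroot directory Apache serves for these
# names; the remaining arguments are every domain the certificate must cover
# (all of them must be listed, as with the --manual command in the thread).
webroot_reissue_cmd() {
    webroot="$1"; shift
    cmd="certbot certonly --webroot -w $webroot"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    echo "$cmd"
}

# Usage on a live system (assumed paths):
#   find_manual_renewals /etc/letsencrypt/renewal
#   webroot_reissue_cmd /var/www/html anzah.cloud www.anzah.cloud
```

Once a certificate has been issued with the webroot plugin, Certbot records that authenticator and webroot in the renewal conf, so a single cron entry running `certbot renew` then covers it unattended; no per-domain cron job is needed.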
