Installing and configuring certbot on google compute engine

tianreagon · July 11, 2017, 2:37pm

Please fill out the fields below so we can help you better.

My domain is: magentamagazine.co.za

I ran this command: sudo certbot --apache

It produced this output: Domain: magentamagazine.co.za
Type: tls
Detail: remote error: tls: handshake failure

Domain: www.magentamagazine.co.za
Type: tls
Detail: remote error: tls: handshake failure

My web server is (include version): Apache HTTP Server (2.4.10)

The operating system my web server runs on is (include version):Debian 8

My hosting provider, if applicable, is: Google Cloud Console

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

Patches · July 11, 2017, 6:59pm

This domain appears to use CloudFlare. When you use CloudFlare, they provide SSL for the connection between CloudFlare and your visitors, but you typically also need to secure the connection between CloudFlare and your origin server in Google Compute Engine.

Unfortunately, the default method certbot uses to verify your domain (tls-sni-01) will not work with CloudFlare intercepting your SSL, because it relies on being able to temporarily present a special certificate. Since your server is hidden behind CloudFlare, Let’s Encrypt will only ever see CloudFlare’s certificates and this does not work.

You can instead force certbot to use a different method of verification called http-01 or webroot authentication, which just places a special file in your web directory and typically works fine with CloudFlare. In order to use it, you will need to figure out the local directory on your domain that contains the files that are served to the Internet. In most distributions, this is located at /var/www/html.

In that configuration, you would invoke certbot like so:

sudo certbot run -a webroot -i apache -w /var/www/html -d magentamagazine.co.za -d www.magentamagazine.co.za

tianreagon · July 13, 2017, 6:37am

Thanks I will try it out.

ahaw021 · July 13, 2017, 11:14am

this is technically not correct

You can use CloudFlare to proxy traffic in which case CloudFlare certificates will be used

However you can choose to pass traffic through by un-ticking the cloudflare icon.

This will mean that the traffic will be passed through to the origin server and the origin server will need to provide SSL.

I use cloudflare for most of my domains but don’t use their certificate and proxying services.

As you can see from the screenshot below 3 of my domains are pass through (grey icon) and one (www) is proxied by cloudFlare.

Andrei

system · August 12, 2017, 11:14am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting TSL error when running ./cerbot-auto --apache Help	3	1601	August 11, 2017
SSL/HTTPS for a Google Domain [compute engine Ubuntu] Help	39	1468	January 5, 2023
Problem to Execute ./certbot-auto command Help	17	2163	September 29, 2016
Certbot "Some challenges have failed." Help	18	730	February 8, 2023
Newbie needs help getting Filecloud with SSL running Help	86	2310	April 16, 2023

Installing and configuring certbot on google compute engine

Related topics