Installing and configuring certbot on google compute engine

Please fill out the fields below so we can help you better.

My domain is: magentamagazine.co.za

I ran this command: sudo certbot --apache

It produced this output: Domain: magentamagazine.co.za
Type: tls
Detail: remote error: tls: handshake failure

Domain: www.magentamagazine.co.za
Type: tls
Detail: remote error: tls: handshake failure

My web server is (include version): Apache HTTP Server (2.4.10)

The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is: Google Cloud Console

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

This domain appears to use CloudFlare. When you use CloudFlare, they provide SSL for the connection between CloudFlare and your visitors, but you typically also need to secure the connection between CloudFlare and your origin server in Google Compute Engine.

Unfortunately, the default method certbot uses to verify your domain (tls-sni-01) will not work with CloudFlare intercepting your SSL, because it relies on being able to temporarily present a special certificate. Since your server is hidden behind CloudFlare, Let’s Encrypt will only ever see CloudFlare’s certificates and this does not work.

You can instead force certbot to use a different method of verification called http-01 or webroot authentication, which just places a special file in your web directory and typically works fine with CloudFlare. In order to use it, you will need to figure out the local directory on your domain that contains the files that are served to the Internet. In most distributions, this is located at /var/www/html.

In that configuration, you would invoke certbot like so:

sudo certbot run -a webroot -i apache -w /var/www/html -d magentamagazine.co.za -d www.magentamagazine.co.za
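The http-01 mechanism described above, as an added Python example that is not from this thread or from certbot itself: it derives the key authorization (token plus the RFC 7638 thumbprint of the ACME account key), writes it under the webroot path a validator fetches, and reads it back as a local check. The JWK and token values are constructed placeholders, not real keys.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# http-01 serves <webroot>/.well-known/acme-challenge/<token> with body
# token + "." + JWK thumbprint of the account key (RFC 8555 section 8.1).
CHALLENGE_DIR = Path(".well-known") / "acme-challenge"

# JWK members that enter the thumbprint, per key type (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, jwk: dict) -> Path:
    """Write the challenge file where the web server serves it from the webroot."""
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, jwk))
    return path


def check_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """Read the file back as a validator would over HTTP and compare the body."""
    path = Path(webroot) / CHALLENGE_DIR / token
    return path.is_file() and path.read_text().strip() == key_authorization(token, jwk)


def demo() -> dict:
    """Constructed account key and token (placeholders, not real ACME values)."""
    jwk = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}
    token = "constructed-token-0123456789"
    with tempfile.TemporaryDirectory() as webroot:
        path = place_challenge(webroot, token, jwk)
        return {"path": str(path.relative_to(webroot)),
                "ok": check_challenge(webroot, token, jwk),
                "wrong_token": check_challenge(webroot, "other-token", jwk)}
```

Because the validator only needs a plain HTTP GET of that path to succeed, a proxied Cloudflare zone normally passes it through, which is why webroot works where tls-sni-01 does not.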

Thanks I will try it out.

This is technically not correct.

You can use CloudFlare to proxy traffic in which case CloudFlare certificates will be used

However you can choose to pass traffic through by un-ticking the cloudflare icon.

This will mean that the traffic will be passed through to the origin server and the origin server will need to provide SSL.

I use cloudflare for most of my domains but don’t use their certificate and proxying services.

As you can see from the screenshot below, 3 of my domains are pass-through (grey icon) and one (www) is proxied by CloudFlare.

Andrei
