Options for Renewing Certificates with CloudFlare Proxying Enabled

I am using a Let's Encrypt SSL certificate for the website https://forumweb.hosting and today I received an email like this:

Your certificate (or certificates) for the names listed below will expire in
19 days (on 29 Jun 17 01:19 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

forumweb.hosting
https://forumweb.hosting

For any questions or support, please visit https://community.letsencrypt.org/.
Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit
Expiration Emails - Let's Encrypt. In particular, note
that this reminder email is still sent if you've obtained a slightly
different certificate by adding or removing names. If you've replaced
this certificate with a newer one that covers more or fewer names than
the list above, you may be able to ignore this message.

I don't use Certbot or Let's Encrypt auto-renewal on my hosting/control panel, thus I would like to manually renew the Let's Encrypt SSL certificate for my website. Is it possible? Can anyone guide me?
It would be great if I could renew Let's Encrypt with commands via SSH.
Thanks in advance
Tommy

I realize this doesn’t answer your question, but…

The cert on your site seems to be handled by CloudFlare:
Common name: sni245170.cloudflaressl.com
Alternative names: sni245170.cloudflaressl.com *.ca-canh.com *.cruisefast1o.ga *.elevateeurope.com *.eroticnaughtyfree.xyz *.fastmoviels.tk *.forumweb.hosting *.heiminserate.ch *.internetmarketingstar.com *.jeffslaughterwrites.com *.krawattenmeister.ch *.mailboxlife.com *.moviesgoldonline.net *.moviesgoldonline.pro *.mymoviepot.xyz *.ojothemes.com *.onlinemovieplus.com *.onlinemoviesprime.net *.phonesok.com *.rawlikea.cf *.rmaul.de *.vtsieutruonghuyhoang.com *.womenescortslut.xyz ca-canh.com cruisefast1o.ga elevateeurope.com eroticnaughtyfree.xyz fastmoviels.tk forumweb.hosting heiminserate.ch internetmarketingstar.com jeffslaughterwrites.com krawattenmeister.ch mailboxlife.com moviesgoldonline.net moviesgoldonline.pro mymoviepot.xyz ojothemes.com onlinemovieplus.com onlinemoviesprime.net phonesok.com rawlikea.cf rmaul.de vtsieutruonghuyhoang.com womenescortslut.xyz

Hello rg305,

Yes, I am using Cloudflare for my site, but I'm using SSL from Let's Encrypt.
I'm still asking how to renew the Let's Encrypt SSL certificate :slight_smile:
And how did you check to get the result above?
I didn’t use more domains like that.

To clarify, how are you "using SSL from LetsEncrypt"?
The current cert shows that Cloudflare is handling the SSL.
If so, then I don't think there is much you can do without making changes in your Cloudflare account that would transfer that "responsibility" into your control.

I'm not a Cloudflare customer, so I can't help with that.

Thanks rg305, I will search and check the info as you said to find a solution for it.
If someone here is using Cloudflare with SSL from Let's Encrypt and you could renew it, then please let me know.
I will be back with updates if I find a good way to do this.

Hi @webhosting,

When you use a CDN like Cloudflare, you have two connections: end-user to CDN, and CDN to origin server. (For many requests, the CDN can handle the request itself without needing to get the content from the origin server, which is one way that using a CDN is helpful.)

Ideally both of these requests can be protected with HTTPS. Since they are separate requests, they can (and usually do) use separate certificates. However, only the end-user to CDN connection is visible to the general public, including people on forums trying to help diagnose problems. :slight_smile: The CDN hides the identity and location of the origin server that is really where the site content is ultimately coming from.

Since these certificates are separate and distinct, they can be issued by different CAs, have different contents, and expire at different times. Indeed, we can see that Let’s Encrypt has issued a certificate for forumweb.hosting, which is going to expire on June 20:

https://crt.sh/?id=107640790

This is probably the certificate that you use on your origin server, which authenticates and protects (only!) communications between Cloudflare and the origin server.

In order to figure out how to renew this certificate, we would need to know how you originally obtained it, back in March. The presence of Cloudflare is actually kind of a distraction here because they were not involved in issuing the Let’s Encrypt certificate; instead, you or someone else who administered your site obtained it yourself, using some kind of software or technology. Ideally that same software will work now to renew the certificate too.

Also, Cloudflare provides an option where they can issue a certificate just for the connection between Cloudflare and your site (as an alternative to using a publicly-trusted CA at all). I believe they call this something like an “origin certificate”. When the certificate is only meant to be validated by a single entity, there is no loss in security from using this approach. So you could consider switching to that option as long as you intend to use Cloudflare and if you encounter any difficulties renewing your Let’s Encrypt certificate now.

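To make the point above concrete: the name-matching rules a browser applies to a certificate's SAN list are what decide which of the two certificates "covers" the site, and they are also what makes rg305's dump recognisable as Cloudflare's shared edge certificate rather than the origin certificate. The following is an added example, not code from the thread or from Let's Encrypt or Cloudflare. It re-implements wildcard matching the way RFC 6125 clients do it (a wildcard is only valid as the entire leftmost label and matches exactly one label), so you can see why the edge certificate has to list both `*.forumweb.hosting` and `forumweb.hosting`. The edge SAN entries are a subset of those quoted in the thread; the origin SAN list (`www.forumweb.hosting` in particular) is a constructed assumption.

```python
"""Which certificate covers the site name, and is it a shared CDN cert?

Added example (not from the original thread). Implements RFC 6125-style
hostname matching against a SAN list. EDGE_SANS is a subset of the names
rg305 posted; ORIGIN_SANS is a constructed assumption about the origin cert.
"""
from typing import Iterable, List, Optional

# Subset of the SAN list quoted in the thread (Cloudflare edge certificate).
EDGE_SANS = [
    "sni245170.cloudflaressl.com",
    "*.ca-canh.com", "*.elevateeurope.com", "*.forumweb.hosting",
    "*.ojothemes.com", "*.phonesok.com",
    "ca-canh.com", "elevateeurope.com", "forumweb.hosting",
    "ojothemes.com", "phonesok.com",
]

# Constructed: what a Let's Encrypt origin certificate for the site might list.
ORIGIN_SANS = ["forumweb.hosting", "www.forumweb.hosting"]


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a single SAN dNSName entry covers hostname.

    Wildcard rules: "*" must be the whole leftmost label ("*.example.com"),
    it matches exactly one label, and it never matches the bare parent name.
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    suffix = p[2:]
    if "*" in suffix or not suffix:
        return False  # "*.*.example.com", "*." and similar are not valid patterns
    if not h.endswith("." + suffix):
        return False  # also rejects h == suffix, so "*.example.com" != "example.com"
    leftmost = h[: -len(suffix) - 1]
    return leftmost != "" and "." not in leftmost  # exactly one label


def covering_name(hostname: str, sans: Iterable[str]) -> Optional[str]:
    """First SAN entry that covers hostname, or None if the cert does not cover it."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def foreign_names(site: str, sans: Iterable[str]) -> List[str]:
    """SAN entries that are neither the site nor a name under it.

    A long result is the tell-tale sign of a shared CDN certificate: the
    origin certificate you obtained yourself should list only your names.
    """
    site = site.lower().rstrip(".")
    out = []
    for san in sans:
        s = san.lower().rstrip(".")
        if s != site and not s.endswith("." + site):
            out.append(san)
    return out


if __name__ == "__main__":
    for host in ("forumweb.hosting", "www.forumweb.hosting", "a.b.forumweb.hosting"):
        print(f"{host:25} edge -> {covering_name(host, EDGE_SANS)!s:22} "
              f"origin -> {covering_name(host, ORIGIN_SANS)}")
    print("names on the edge cert unrelated to the site:",
          len(foreign_names("forumweb.hosting", EDGE_SANS)))
    print("names on the origin cert unrelated to the site:",
          len(foreign_names("forumweb.hosting", ORIGIN_SANS)))
```

Note that `a.b.forumweb.hosting` is covered by neither list: a wildcard does not span two labels, which matters if the origin serves hostnames deeper than one level.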

I got your points.

On Cloudflare, I only enabled SSL -> Full (in the Crypto tab); on my DirectAdmin control panel, I enabled the Let's Encrypt SSL by generating the cert and key for it. Just that, and I could use HTTPS for my site.

I read that some guys on my site said to use Certbot to renew the Let's Encrypt SSL certificate,

or to run this command: ./letsencrypt-auto renew

but I am not sure about them. If using Certbot can help me renew Let's Encrypt, then I would give it a try.

Thanks

Hi @webhosting,

Certbot can only renew your certificate if you used Certbot to obtain the certificate in the first place, which it sounds like you didn’t.

If you used DirectAdmin to obtain the Let’s Encrypt certificate, you should also be able to use DirectAdmin to renew it. However, one thing to note is that one of the methods that can be used to prove your control of a domain name (called TLS-SNI-01) doesn’t work if your server is behind a CDN. So if you weren’t using Cloudflare yet when you first got your certificate, and if the TLS-SNI-01 method was used to prove your control of the domain name, it might have stopped working once you started using Cloudflare.


I have to agree with @schoen, once you started using Cloudflare it all changed.
The DNS now resolves to their IPs - not yours.
You won’t be able to use HTTP nor HTTPS authentication methods (natively) as they won’t reach your system.
The Cloudflare cert will be renewed by Cloudflare and that cert should have no issues.
As for renewing the expiring cert on your server, I think your best bet to use DNS authentication.

HTTP-01 authentication can work with Cloudflare because they will pass the request through to the origin server. We've seen people renew successfully in this configuration before.

Hmmmm…
I was under the impression that all content was cached by their systems.
Good to know.

But that makes sense since their content must be updated at some point.
If the request is for unknown content then it must be relayed to the original server…

Well, they might do both positive and negative caching, but when you have an incoming request for a file with a randomized name (like in the HTTP-01 challenge), they won’t have a prior basis for knowing whether or not that file existed, so they’ll have to consult the origin server about it.

hi @webhosting

It's not all doom and gloom.

A) Using the manual mode with Cloudflare is very easy:

certbot certonly --manual -d forumweb.hosting --preferred-challenges dns

I see you are using Cloudflare, so it should be straightforward to add the required DNS records.

Future versions of Certbot will have the Cloudflare record updating automated, using the Python Lexicon library.

B) You can turn the proxying off while you issue the certificate; this will give you the ability to use the TLS-SNI and HTTP-01 challenges, and after that you can turn the proxying back on.

Andrei


Yeah, I didn't use Certbot, but now if I install it, can I renew the Let's Encrypt SSL certificate with Certbot while using Cloudflare and Let's Encrypt?

You are right, and that's why I asked this question here.

Do I need to install Certbot to run this command?

Where do I add these DNS records?
I think I already added them for my domain name.

Can you share more details on how to do step B? Maybe a full guide.

Thanks @schoen and @ahaw021!!

Hi @webhosting,

It would probably be easier if you continued using DirectAdmin if possible. Sometimes Certbot and control panels don't interact well because they're trying to modify the same files in inconsistent ways.

I don't know anything about DirectAdmin, though. It would be good if you could find documentation or support from its developers that can explain how to use a different authentication method.

In response to two specific questions:

Yes, so that might not be the best choice if you're also going to continue to use DirectAdmin.

The DNS records that you added are probably other DNS records. These records would potentially be different for each new certificate request, authenticating the fact that the person requesting the certificate has control over the domain.

Each Let's Encrypt client handles this differently; some of the clients attempt to set the DNS records for you (if you tell them the credentials and information necessary to update your DNS zone), while others would simply tell you what the requested DNS changes are, and then invite you to make the changes yourself.

The command that @ahaw021 suggested, using Certbot, would be in the second category; it would tell you that you are supposed to make certain changes at a certain point, and then you would be responsible for doing this yourself and telling Certbot when you've finished.
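Two points in this thread, that an HTTP-01 challenge reaches the origin because its file name is randomised per request, and that the DNS records a manual client asks you to add are different for each new certificate request, both follow from how ACME derives the challenge response from the CA's token and your account key. The following is an added example, not code from the thread, from Certbot or from Let's Encrypt; it follows RFC 8555 section 8 (key authorization, HTTP-01 and DNS-01) and RFC 7638 (JWK thumbprint). The CA, not the client, chooses the token. The JWK and token below are constructed sample values (the coordinates are not a real curve point), and the `_acme-challenge.` record name and `/.well-known/acme-challenge/` path are the ones the specification fixes.

```python
"""How the HTTP-01 file body and the DNS-01 TXT value are derived.

Added example, not code from the thread, Certbot or Let's Encrypt.
  key authorization = token "." base64url(SHA-256(canonical JWK))   (RFC 8555 8.1)
  HTTP-01: GET http://<domain>/.well-known/acme-challenge/<token> -> key authorization
  DNS-01:  _acme-challenge.<domain> TXT base64url(SHA-256(key authorization))
SAMPLE_JWK and SAMPLE_TOKEN are constructed; the token normally comes from the CA.
"""
import base64
import hashlib
import json
import secrets
from typing import Dict, Tuple

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """(URL the validator fetches, exact body it must get back).

    Served over plain HTTP; validators follow redirects, so a CDN-side
    HTTP->HTTPS redirect is fine as long as the origin answers the path.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_challenge(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """(TXT record name, TXT record value) for the manual/DNS path."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def new_token() -> str:
    """What a fresh CA-issued token looks like (32 random bytes, base64url)."""
    return b64url(secrets.token_bytes(32))


# Constructed sample account key; "kid" is deliberately present to show that
# non-required members do not influence the thumbprint.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),   # not a real curve point
    "y": b64url(bytes(range(33, 65))),
    "kid": "acct-1",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # sample token


if __name__ == "__main__":
    url, body = http01_challenge("forumweb.hosting", SAMPLE_TOKEN, SAMPLE_JWK)
    name, value = dns01_challenge("forumweb.hosting", SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01:", url, "->", body)
    print("DNS-01: ", name, "TXT", value)
    t2 = new_token()
    print("next request, new token", t2, "-> new TXT value",
          dns01_challenge("forumweb.hosting", t2, SAMPLE_JWK)[1])
```

Because the path under `/.well-known/acme-challenge/` is new each time, a CDN has no cached copy to serve and must consult the origin, exactly as schoen describes; the only way it could answer wrongly is from a negatively cached 404 for that path, which a fresh token also avoids. The TXT value likewise changes with every token, so the records already in the zone cannot satisfy a new request and must be replaced (or added alongside and later cleaned up) each time.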
