Renew domains behind cloudflare


I ran this command:
certbot renew

It produced this output:
Domain: my.domain.tld
Type: tls
Detail: Failed to connect to for tls-sni-01

My operating system is (include version):
Debian 8

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I cannot remove cloudflare because of security issuses. Also, I got different vhosts with different webroots.


The tls-sni-01 challenge doesn’t work behind Cloudflare, so you’ll have to use a different challenge. Either of the others (http-01 or dns-01) should be fine. You can use http-01 with Certbot via the --webroot plugin. To handle your different vhosts with different webroots, you can provide the -w option multiple times, for example:

certbot certonly --webroot -w /var/www/ -d -w /var/www/ -d

There’s still a possibility that this won’t work, if you’ve configured Cloudflare to present a challenge to bots. If that’s the case, you can disable the challenge, or use dns-01 instead.

If you want/need to use dns-01, I’d recommend using one of the bash clients as they have more comprehensive support for it than Certbot at the moment.


@jmorahan It’s probably better to ask @m8Flo his original method of installing the cert. Because if @m8Flo used the apache plugin for authentication and installation, you’re putting him in a rather different situation by advising the certonly mode.

Better is to advise using the webroot plugin for authentication while continuing to use the apache plugin for installation:

certbot -i apache -a webroot ....


It’s complicated, because if the cert is already installed, a certonly renewal will update symbolic links and result in the new cert’s being installed (with the need to restart or reload the associated web server).


Another reason to use -i apache and not certonly if the apache plugin was used initially I’d say! :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.