Renew Let's Encrypt cert issued with certbot behind Cloudflare?

Hello,
I have several different websites with let’s encrypt certificates all running behind Cloudflare.

My servers are running Ubuntu 16.04 LTS with Apache. Let's Encrypt certificates are installed with certbot.

The problem is that every time I need to issue a new certificate or renew an existing certificate I have to pause Cloudflare so that the verification procedure can complete. This way I am unable to auto-renew my certificates using a cron job (as suggested in the certbot documentation).

I’ve read through several “how-to” articles over the internet to fix this problem, with no luck…

So, my question is how can I achieve auto-renew without pausing Cloudflare?

Hi @donchev,

Just guessing... I suppose you issued your certificates using the tls-sni-01 challenge. This challenge is now deprecated and will only work if you are trying to renew an existing certificate issued using this challenge. Also, due to the way this challenge works, it isn't possible to use it with Cloudflare activated, because Cloudflare is terminating the TLS connection instead of your origin web server.

As I said, I'm just guessing and you should provide the command used to issue your certificates, but right now you have two options to renew your certs without pausing Cloudflare: the http-01 or dns-01 challenges (in this case I think http-01 will be the easiest challenge to accomplish the task).

You should re-issue your certs, but this time using the http-01 challenge. This action will depend on the certbot version used; if using 0.21.1 or above, this command could solve your issue:

Warning: Back up /etc/letsencrypt/ completely before issuing any of the below commands... just in case :wink:

certbot renew --preferred-challenges http-01

If you are not using that version or above, you could re-issue your certs using the webroot method:

First issue this command:

certbot certificates

and you will get a list of your certificates, for example:

Certificate Name: my.domain.tld
   Domains: my.domain.tld
   Expiry Date: 2018-05-28 04:17:25+00:00 (VALID: 65 days)
   Certificate Path: /etc/letsencrypt/live/my.domain.tld/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/my.domain.tld/privkey.pem
Certificate Name: otherdomain.tld
  Domains: otherdomain.tld sub1.otherdomain.tld sub2.otherdomain.tld
  Expiry Date: 2018-06-12 14:51:38+00:00 (VALID: 81 days)
  Certificate Path: /etc/letsencrypt/live/otherdomain.tld/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/otherdomain.tld/privkey.pem

So take the name shown in Certificate Name: and the domains it is covering in Domains:, and re-issue the certificates using the webroot authentication method (there is no need to stop/pause Cloudflare).

certbot certonly --cert-name my.domain.tld -a webroot -w /path/to/your/document/root -d my.domain.tld

And you will get this question:

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

You should use 2 and continue.

Note: This question will be asked only once, so there will be no problems renewing afterwards.

If all is working as expected, your certificate will be re-issued and the next unattended renewal should complete successfully.

Just in case, following the example, the command for the second domain would be:

certbot certonly --cert-name otherdomain.tld -a webroot -w /path/to/your/document/root -d otherdomain.tld,sub1.otherdomain.tld,sub2.otherdomain.tld

Or this one if the domains covered by the certificate are using different document roots:

certbot certonly --cert-name otherdomain.tld -a webroot -w /path/to/your/document/root -d otherdomain.tld -w /path/to/document/root/sub1 -d sub1.otherdomain.tld -w /path/to/document/root/sub2 -d sub2.otherdomain.tld

As I said, I'm just guessing; if your problem is not the tls-sni-01 challenge, then we should review the errors you are getting when renewing your certs.

I hope this helps.

Cheers,
sahsanu


Hello,
First of all, thank you for the detailed reply.

I am installing the certificates using this guide:

https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

and trying to renew with:
sudo certbot renew
(sudo certbot renew --dry-run to test).

When I run
certbot renew --preferred-challenges http-01

I get an error:

Attempting to renew cert (site.com) from /etc/letsencrypt/renewal/site.com.conf produced an unexpected error: Failed authorization procedure. site.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from

What’s the rest of the error message?

What’s the rest of Certbot’s output?

What’s the real name of your site?

What’s in the web server’s error log?

What’s the document root (or roots) configured in /etc/letsencrypt/renewal/site.com.conf?

  • This is the full output:

  • Real name: djzone.me (www.djzone.me)

  • No errors in apache error.log

  • Content of the djzone.me.conf file:

    # renew_before_expiry = 30 days
    version = 0.22.2
    archive_dir = /etc/letsencrypt/archive/djzone.me
    cert = /etc/letsencrypt/live/djzone.me/cert.pem
    privkey = /etc/letsencrypt/live/djzone.me/privkey.pem
    chain = /etc/letsencrypt/live/djzone.me/chain.pem
    fullchain = /etc/letsencrypt/live/djzone.me/fullchain.pem

    # Options used in the renewal process
    [renewalparams]
    account = …
    authenticator = apache
    installer = apache

I think it’s due to this issue:

Cloudflare is set to redirect HTTP to HTTPS, right? But Certbot currently only configures the HTTP virtual host to pass validation. And Let’s Encrypt follows the redirect to HTTPS, requests the validation file, and gets a 404 Not Found page from WordPress.

One option is to wait and hope they fix it before your certificates expire.

Another is to disable the HTTP to HTTPS redirect on Cloudflare and configure your web servers (for every subdomain) to redirect every path except /.well-known/acme-challenge/.

Another is to use “certbot -a webroot -i apache -w /path/to/document/root -d example.com -d www.example.com” with the HTTPS virtual hosts configured appropriately to serve the files.

(Another is to use Cloudflare Workers to set up a customized HTTP to HTTPS redirect.)

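The second and third options above (redirect everything except /.well-known/acme-challenge/ at the origin, and make sure whatever vhost finally answers actually serves the token) can be checked before running certbot. The following is an added example written for this page, not code from any post in the thread or from certbot itself. The helper names acme_verdict, acme_preflight and write_acme_exempt_conf are hypothetical; it assumes curl, a writable webroot, Apache 2.4 with mod_rewrite enabled, and a shared challenge directory /var/www/letsencrypt (an assumed path). acme_preflight mimics the validator as the thread describes it: it follows redirects and judges the final response, so a redirect to HTTPS is fine as long as the HTTPS vhost returns the token with 200, and a 404 after the redirect is exactly the failure seen above.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): pre-flight helpers for
# http-01 renewals behind Cloudflare. Hypothetical helper names; assumes
# curl, a writable webroot and Apache 2.4 with mod_rewrite.

# Judge an http-01 fetch the way the thread describes Let's Encrypt behaving:
# redirects are followed, so only the final URL, status and body matter.
#   $1 final HTTP status   $2 final URL   $3 response body   $4 expected token
acme_verdict() {
  status=$1; final_url=$2; body=$3; expected=$4
  case "$status" in
    200) ;;
    404) echo "FAIL: 404 at $final_url (the vhost that answers does not serve the challenge path)"; return 1 ;;
    *)   echo "FAIL: status $status at $final_url"; return 1 ;;
  esac
  if [ "$body" != "$expected" ]; then
    # Wrong document root, or a stale copy served from the Cloudflare cache.
    echo "FAIL: token mismatch at $final_url (stale cache or wrong document root?)"; return 1
  fi
  case "$final_url" in
    https://*) echo "OK (after redirect to HTTPS; the HTTPS vhost must keep serving the path)" ;;
    *)         echo "OK" ;;
  esac
  return 0
}

# Live check: drop a random token into the webroot, fetch it over plain HTTP
# following redirects (-L) like the validator does, then remove the token.
#   $1 domain   $2 document root used with certbot's -w
acme_preflight() {
  domain=$1; webroot=$2
  dir="$webroot/.well-known/acme-challenge"
  token="preflight-$$-$(date +%s)"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  bodyfile=$(mktemp)
  # -w prints "<final status> <final url>" after the body has gone to $bodyfile
  result=$(curl -sS -L -o "$bodyfile" -w '%{http_code} %{url_effective}' \
           "http://$domain/.well-known/acme-challenge/$token")
  body=$(cat "$bodyfile")
  rm -f "$dir/$token" "$bodyfile"
  acme_verdict "${result%% *}" "${result#* }" "$body" "$token"
}

# Write an Apache fragment that redirects every request to HTTPS except the
# challenge path, and serves that path from one shared directory so every
# vhost can use the same -w. Include it from each *:80 <VirtualHost>.
#   $1 output file   $2 shared challenge webroot (assumed path)
write_acme_exempt_conf() {
  out=$1; shared=$2
  cat > "$out" <<EOF
Alias /.well-known/acme-challenge/ $shared/.well-known/acme-challenge/
<Directory $shared/.well-known/acme-challenge/>
    Require all granted
</Directory>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# Usage (assumed paths):
#   write_acme_exempt_conf /etc/apache2/conf-available/acme-exempt.conf /var/www/letsencrypt
#   acme_preflight djzone.me /var/www/letsencrypt && sudo certbot renew --dry-run
```

Two caveats the thread itself points at: the origin rule only helps once Cloudflare's own HTTP-to-HTTPS redirect is switched off (or a page rule exempts the challenge path), because the edge answers before Apache ever sees the request; and a passing pre-flight is only a proxy for the real validator, so `certbot renew --dry-run` against staging remains the authoritative test.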

Yes, you are absolutely right.
Disabling the HTTP to HTTPS rule in Cloudflare solves the problem.

I've added an additional rule to Cloudflare for the URL:
http://djzone.me/.well-known/acme-challenge/
to simply disable caching (as only one Cloudflare rule is applied, this one deactivates the other that redirects traffic to HTTPS).

As soon as the problem is resolved, I will remove the rule.

Thank you for the provided solutions!


Ah! I didn’t think of that. Good idea. :smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.