SSL install when DNS is on Cloudflare

I am trying to install certbot for my subdomains; my DNS is on Cloudflare. Certbot is not installing SSL but throwing errors.

On Cloudflare I have selected Flexible SSL.

[root@172-105-55-321 ~]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: my-hidden-domain.com
2: my-hidden-domain.in
3: caregiver.my-hidden-domain.in
4: www.caregiver.my-hidden-domain.in
5: cdf.my-hidden-domain.in
6: www.cdf.my-hidden-domain.in
7: clearjoy.my-hidden-domain.in
8: www.clearjoy.my-hidden-domain.in
9: content.my-hidden-domain.in
10: www.content.my-hidden-domain.in
11: dba.my-hidden-domain.in
12: www.dba.my-hidden-domain.in
13: nchlcapartment.my-hidden-domain.in
14: www.nchlcapartment.my-hidden-domain.in
15: nchlcland.my-hidden-domain.in
16: www.nchlcland.my-hidden-domain.in
17: pressory1.my-hidden-domain.in
18: www.pressory1.my-hidden-domain.in
19: pressory2.my-hidden-domain.in
20: www.pressory2.my-hidden-domain.in
21: rajat.my-hidden-domain.in
22: www.rajat.my-hidden-domain.in
23: reservechalet.my-hidden-domain.in
24: www.reservechalet.my-hidden-domain.in
25: s1.my-hidden-domain.in
26: www.s1.my-hidden-domain.in
27: s2.my-hidden-domain.in
28: www.s2.my-hidden-domain.in
29: s3.my-hidden-domain.in
30: www.s3.my-hidden-domain.in
31: s4.my-hidden-domain.in
32: www.s4.my-hidden-domain.in
33: thrisky.my-hidden-domain.in
34: www.thrisky.my-hidden-domain.in
35: upload.my-hidden-domain.in
36: www.upload.my-hidden-domain.in
37: www.my-hidden-domain.com
38: www.my-hidden-domain.in


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.my-hidden-domain.com.conf)

It contains these names: www.my-hidden-domain.com, my-hidden-domain.com

You requested these names for the new certificate: my-hidden-domain.com,
my-hidden-domain.in, caregiver.my-hidden-domain.in, www.caregiver.my-hidden-domain.in,
cdf.my-hidden-domain.in, www.cdf.my-hidden-domain.in, clearjoy.my-hidden-domain.in,
www.clearjoy.my-hidden-domain.in, content.my-hidden-domain.in, www.content.my-hidden-domain.in,
dba.my-hidden-domain.in, www.dba.my-hidden-domain.in, nchlcapartment.my-hidden-domain.in,
www.nchlcapartment.my-hidden-domain.in, nchlcland.my-hidden-domain.in,
www.nchlcland.my-hidden-domain.in, pressory1.my-hidden-domain.in,
www.pressory1.my-hidden-domain.in, pressory2.my-hidden-domain.in,
www.pressory2.my-hidden-domain.in, rajat.my-hidden-domain.in, www.rajat.my-hidden-domain.in,
reservechalet.my-hidden-domain.in, www.reservechalet.my-hidden-domain.in,
s1.my-hidden-domain.in, www.s1.my-hidden-domain.in, s2.my-hidden-domain.in,
www.s2.my-hidden-domain.in, s3.my-hidden-domain.in, www.s3.my-hidden-domain.in,
s4.my-hidden-domain.in, www.s4.my-hidden-domain.in, thrisky.my-hidden-domain.in,
www.thrisky.my-hidden-domain.in, upload.my-hidden-domain.in, www.upload.my-hidden-domain.in,
www.my-hidden-domain.com, www.my-hidden-domain.in.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate for my-hidden-domain.com and 37 more domains
Performing the following challenges:
http-01 challenge for www.caregiver.my-hidden-domain.in
http-01 challenge for www.cdf.my-hidden-domain.in
http-01 challenge for www.clearjoy.my-hidden-domain.in
http-01 challenge for www.content.my-hidden-domain.in
http-01 challenge for www.dba.my-hidden-domain.in
http-01 challenge for www.nchlcapartment.my-hidden-domain.in
http-01 challenge for www.nchlcland.my-hidden-domain.in
http-01 challenge for www.pressory1.my-hidden-domain.in
http-01 challenge for www.pressory2.my-hidden-domain.in
http-01 challenge for www.rajat.my-hidden-domain.in
http-01 challenge for www.reservechalet.my-hidden-domain.in
http-01 challenge for www.s1.my-hidden-domain.in
http-01 challenge for www.s2.my-hidden-domain.in
http-01 challenge for www.s3.my-hidden-domain.in
http-01 challenge for www.s4.my-hidden-domain.in
http-01 challenge for www.thrisky.my-hidden-domain.in
http-01 challenge for www.upload.my-hidden-domain.in
Waiting for verification...
Challenge failed for domain www.caregiver.my-hidden-domain.in
Challenge failed for domain www.cdf.my-hidden-domain.in
Challenge failed for domain www.clearjoy.my-hidden-domain.in
Challenge failed for domain www.content.my-hidden-domain.in
Challenge failed for domain www.dba.my-hidden-domain.in
Challenge failed for domain www.nchlcapartment.my-hidden-domain.in
Challenge failed for domain www.nchlcland.my-hidden-domain.in
Challenge failed for domain www.pressory1.my-hidden-domain.in
Challenge failed for domain www.pressory2.my-hidden-domain.in
Challenge failed for domain www.rajat.my-hidden-domain.in
Challenge failed for domain www.reservechalet.my-hidden-domain.in
Challenge failed for domain www.s1.my-hidden-domain.in
Challenge failed for domain www.s2.my-hidden-domain.in
Challenge failed for domain www.s3.my-hidden-domain.in
Challenge failed for domain www.s4.my-hidden-domain.in
Challenge failed for domain www.thrisky.my-hidden-domain.in
Challenge failed for domain www.upload.my-hidden-domain.in
http-01 challenge for www.caregiver.my-hidden-domain.in
http-01 challenge for www.cdf.my-hidden-domain.in
http-01 challenge for www.clearjoy.my-hidden-domain.in
http-01 challenge for www.content.my-hidden-domain.in
http-01 challenge for www.dba.my-hidden-domain.in
http-01 challenge for www.nchlcapartment.my-hidden-domain.in
http-01 challenge for www.nchlcland.my-hidden-domain.in
http-01 challenge for www.pressory1.my-hidden-domain.in
http-01 challenge for www.pressory2.my-hidden-domain.in
http-01 challenge for www.rajat.my-hidden-domain.in
http-01 challenge for www.reservechalet.my-hidden-domain.in
http-01 challenge for www.s1.my-hidden-domain.in
http-01 challenge for www.s2.my-hidden-domain.in
http-01 challenge for www.s3.my-hidden-domain.in
http-01 challenge for www.s4.my-hidden-domain.in
http-01 challenge for www.thrisky.my-hidden-domain.in
http-01 challenge for www.upload.my-hidden-domain.in
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Welcome to the community @nknaresh

First off, this sort of problem is difficult to provide solutions for when you do not supply the domain name.

For your example shown below, does it work in a browser to go to

https://www.caregiver.my-hidden-domain.in

Because your domain is proxied it uses Cloudflare CDN. A TLS handshake failure between the Let's Encrypt server and the CDN Edge is very unusual. Errors between the Edge and your Origin Server usually have a different kind of error message.

For the errors which said "DNS Problem: NXDOMAIN ..." those should be easy to correct. You have not defined those names in the DNS at Cloudflare (or anywhere).

7 Likes

*When you have proxy mode / Orange Cloud enabled

Solution for Apache2 server

Install Wildcard Let’s Encrypt SSL Certificate

Create a cloudflare.ini file inside the /root/.secrets/ directory.

mkdir -p /root/.secrets/ && cd /root/.secrets/ && nano cloudflare.ini

Add the lines below, save using CTRL+O and exit using CTRL+X.

dns_cloudflare_email = "your-cloudflare-email@example.com"
dns_cloudflare_api_key = "XXXXXXXXXXXXXXXXX"

Find your Cloudflare e-mail and Global API key at “My Profile” > API Tokens > Global API Key

chmod 0400 /root/.secrets/cloudflare.ini

Install Certbot and DNS Authenticator according to OS and HTTP web server

snap install --beta --classic certbot
snap set certbot trust-plugin-with-root=ok
snap install --beta certbot-dns-cloudflare
snap connect certbot:plugin certbot-dns-cloudflare

Get Wildcard SSL Certificate

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01

Set Automatic Renewal using Cron Job

  • Type crontab -e
  • Type 1 for the nano editor
  • Enter the command below and save

0 0 * * *  /etc/init.d/apache2 reload >/dev/null 2>&1

Test renewal

certbot renew --dry-run

Then, change the Cloudflare SSL mode from Flexible to Full (at least) or Full (Strict) (recommended). This will force Cloudflare to communicate with the origin over HTTPS and serve over HTTPS as well, instead of going through HTTP, trying HTTPS and then showing a redirect loop in a generic configuration.

If you don't want to go through this much process, then turn off the Cloudflare proxy for a while and re-issue the cert. Keep Full SSL mode after that. (I know, at some point renewal will fail, but the Full setting won't care about it.) --- This shortcut approach is not recommended.

Another solution (better in my opinion due to the best compatibility with Cloudflare proxy mode, without worrying about renewal for 15 yrs). I just want to leave a hint; the rest you can figure out by reading the docs.

3 Likes
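A preflight for the DNS-01 setup in the reply above, added here as an example (it is not certbot's, the plugin's or the poster's code): it parses cloudflare.ini, flags a credentials file that other users can read or that still carries the Global API Key instead of a DNS-scoped token, and sorts each hostname into NXDOMAIN, Cloudflare-proxied or direct, the cases the two replies distinguish. The function names, the two edge prefixes (a subset of Cloudflare's published list), the sample ini text and the injected `resolve` callback are this example's own assumptions.

```python
import ipaddress
import socket
import stat
from typing import Callable, Dict, List

# Keys the certbot-dns-cloudflare plugin reads from cloudflare.ini; the plugin also
# accepts a DNS-scoped token as dns_cloudflare_api_token instead of the Global API Key.
GLOBAL_KEY_FIELDS = {"dns_cloudflare_email", "dns_cloudflare_api_key"}
# Subset of Cloudflare's published edge prefixes (constructed for this example).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]
# Constructed sample matching the reply's cloudflare.ini (placeholder key, not a real secret).
SAMPLE_INI = 'dns_cloudflare_email = "your-cloudflare-email@example.com"\ndns_cloudflare_api_key = "XXXXXXXXXXXXXXXXX"\n'


def parse_credentials(text: str) -> Dict[str, str]:
    """Parse the key = "value" lines of cloudflare.ini into a dict."""
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip().strip('"').strip("'")
    return creds


def credential_problems(creds: Dict[str, str], mode: int) -> List[str]:
    """Findings about the credentials file; mode is st_mode from os.stat()."""
    problems: List[str] = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any permission beyond the owner's bits
        problems.append("credentials file is group/world accessible; use chmod 0400")
    if "dns_cloudflare_api_token" in creds:
        return problems  # scoped token: already least privilege
    if GLOBAL_KEY_FIELDS.issubset(creds):
        problems.append("Global API Key grants full account access; prefer a DNS-scoped token")
    else:
        problems.append("missing dns_cloudflare_email or dns_cloudflare_api_key")
    return problems


def classify_host(name: str, resolve: Callable[[str], List[str]]) -> str:
    """NXDOMAIN (no address), proxied (every address on the Cloudflare edge) or direct."""
    try:
        addrs = resolve(name)
    except socket.gaierror:
        return "NXDOMAIN"
    if not addrs:
        return "NXDOMAIN"
    if all(any(ipaddress.ip_address(a) in net for net in CLOUDFLARE_NETS) for a in addrs):
        return "proxied"
    return "direct"
```

For a live check, pass a resolver such as `lambda n: [i[4][0] for i in socket.getaddrinfo(n, None, socket.AF_INET)]`, which raises socket.gaierror on NXDOMAIN; `credential_problems` takes `os.stat("/root/.secrets/cloudflare.ini").st_mode`.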
