Unable to issue certificate because acme API is behind CloudFlare

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (redacted)

I ran this command:
certbot issue command

It produced this output:
Unable to connect ACME API (DNS resolution failed OR Connection Failed)

My web server is (include version): (redacted)

The operating system my web server runs on is (include version):
(redacted)

My hosting provider, if applicable, is:
(redacted)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest

Here's a thing. I'm blocking Cloudflare with an nftables firewall, and when I tried to issue a certificate for my site it failed miserably.

Turns out your ACME API is on a Cloudflare server.

Could you stop using it and use your own server? Other *.letsencrypt.org servers are running on Akamai. Do so.

Why I block Cloudflare

No, we’re unlikely to be changing CDNs in the near future.

[Edited to add:] "CDN" wasn't quite the right term here, and I wouldn't want to give you the wrong impression, since it sounds like interception of requests is one of your concerns. Let's Encrypt is using Cloudflare Spectrum and terminating TLS sessions itself. Cloudflare can't observe data being sent to/from the API, other than connection metadata.

5 Likes

This is good information to know, but just as a hypothetical: If Cloudflare "turned evil" (or was hacked, or had a malicious rogue employee, or whatever), since the DNS points to them, they could in theory get their own certificate [maybe even from Let's Encrypt(!), but I don't see a CAA preventing issuance from other CAs (and if they control DNS they might even be able to update CAA regardless)] and then act as a man-in-the-middle and intercept connections, right? This would likely be detected at some point (and Certificate Transparency might help), and I don't know what value it would have (as no private keys get changed over the API connection or anything like that), but as it is Cloudflare does have a lot of power over the connection merely by being in the middle.

[Though I don't really mean to pick on Cloudflare here, it'd really be the same story with Akamai/Azure/Google/AWS/whomever is being used to handle Internet traffic, that by handling the traffic they get a lot of power to see or manipulate what's going through them and could fulfill whatever requirements there are to get a certificate accordingly.]

1 Like
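The post above asks whether a CAA record on the API hostname would stop a party that controls its DNS and traffic from getting a certificate from another CA. The block below is an added illustration, not code from this thread or from Let's Encrypt: it implements the RFC 8659 CAA evaluation a CA performs (climb from the FQDN toward the root to find the relevant RRset, honour unknown critical tags, use issuewild for wildcard names, and apply the RFC 8657 accounturi parameter) against a constructed zone. Every owner name, account URI and record in SAMPLE_ZONE is made up for the example; nothing here queries live DNS.

```python
"""Decide whether a CA may issue for a name, per RFC 8659 CAA semantics.

Added example for illustration; the zone data is constructed, not real DNS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the record issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or something a CA may not know
    value: str   # "<issuer-domain>[; param=value ...]" or ";" (nobody may issue)


Zone = Dict[str, List[CAA]]

# Constructed sample zone keyed by absolute, lowercase owner name (assumption:
# these names, records and the account URI exist only for this example).
SAMPLE_ZONE: Zone = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                      # no CA may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "pinned.example.net.": [
        # RFC 8657: only this ACME account at this CA may obtain certificates
        CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/00000"),
    ],
    "locked.example.org.": [CAA(0, "issue", ";")],      # nobody may issue at all
    "odd.example.org.": [CAA(128, "futuretag", "x")],  # critical tag a CA does not understand
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn: str, zone: Zone) -> Tuple[Optional[str], List[CAA]]:
    """Walk from fqdn toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = fqdn.strip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrs = zone.get(owner, [])
        if rrs:
            return owner, rrs
    return None, []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split '<issuer-domain>; k=v; k=v' into (issuer-domain, params). Empty domain means nobody."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def ca_may_issue(fqdn: str, ca_domain: str, zone: Zone, *,
                 wildcard: bool = False, account_uri: Optional[str] = None) -> Tuple[bool, str]:
    """Return (permitted, reason) for ca_domain issuing a cert for fqdn (or *.fqdn)."""
    owner, rrs = relevant_rrset(fqdn, zone)
    if not rrs:
        return True, "no CAA RRset anywhere in the tree: issuance is unrestricted"
    # An issuer-critical record with a tag we do not understand forbids issuance outright.
    for rr in rrs:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {owner}: must not issue"
    # Wildcard requests use issuewild records when any exist, else fall back to issue.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrs):
        tag = "issuewild"
    candidates = [rr for rr in rrs if rr.tag.lower() == tag]
    if not candidates:
        return True, f"no {tag} records at {owner}: issuance is unrestricted"
    for rr in candidates:
        domain, params = parse_issue_value(rr.value)
        if domain != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # right CA, wrong (or no) ACME account
        return True, f"{rr.tag} {rr.value!r} at {owner} permits {ca_domain}"
    return False, f"no {tag} record at {owner} names {ca_domain}: must not issue"


if __name__ == "__main__":
    for name, ca, kw in [("www.example.com", "letsencrypt.org", {}),
                         ("www.example.com", "other-ca.example", {}),
                         ("www.example.com", "letsencrypt.org", {"wildcard": True}),
                         ("pinned.example.net", "letsencrypt.org", {}),
                         ("sub.locked.example.org", "letsencrypt.org", {}),
                         ("odd.example.org", "letsencrypt.org", {})]:
        print(name, ca, kw, "->", ca_may_issue(name, ca, SAMPLE_ZONE, **kw))
```

Two points the thread's hypothetical turns on fall out of the code: with no CAA record set in the tree, `ca_may_issue` returns permitted for every CA, and a CAA record only helps against an attacker who cannot also change the zone, since whoever can edit the RRset can simply add their CA to it.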

Yes, that would be a very bad day.

2 Likes

Would that matter? Your account private key is private and your certificates' private keys are private: they are never sent through the ACME protocol at all.

Of course it would have privacy issues because they can listen to your ACME "conversation", but it wouldn't have security implications if I'm not mistaken. But please correct me if I'm wrong here :slight_smile:

Edit: right. you said the same later in your post, I really need to read complete posts before quoting a piece and reacting to just that :stuck_out_tongue:

2 Likes

Are you waving a finger at me? :angry:

Oh... there are three others and a thumb too! :grinning:

Hi :wave: