
How does acme renew SSL certs while behind Cloudflare?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ElChorizo, Mar 28, 2023.

  1. ElChorizo

    I'm wondering how the certificates get renewed while the site is behind Cloudflare? I assume something behind the scenes goes on if Cloudflare detects an acme challenge and sends those through direct somehow? Otherwise, how does the server handle the challenge/response?


    I've got my sites working in Full/Strict mode but I'm worried that it might break when it comes time for the server to automatically renew the LetsEncrypt certs?

    TIA.
     
  2. eva2000

    If you're behind Cloudflare and don't want to deal with Centmin Mod's default Letsencrypt web root authentication, Centmin Mod's Letsencrypt SSL integration also supports Letsencrypt DNS validation via Cloudflare's DNS API when the optional Cloudflare API Token variables are set in the persistent config file at /etc/centminmod/custom_config.inc prior to creating your Centmin Mod Nginx HTTPS vhost domain name via centmin.sh menu option 2, 22 or the nv command line.

    See details at https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/

    If you're switching an existing Centmin Mod Nginx vhost HTTPS site from Letsencrypt default web root authentication to Cloudflare DNS API validation, I suggest you remove /root/.acme.sh/yourdomain.com/ and /root/.acme.sh/yourdomain.com_ecc/ before switching to Cloudflare DNS API.
    Code (Text):
    cd /root/.acme.sh/
    rm -rf /root/.acme.sh/yourdomain.com/
    rm -rf /root/.acme.sh/yourdomain.com_ecc/
    

    The acme.sh config file for the domain, /root/.acme.sh/yourdomain.com/yourdomain.com.conf (and if applicable /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.conf), has an entry that tells acme.sh whether to use webroot or CF DNS domain validation.

    For webroot, the config file lists the setting:
    Code (Text):
    Le_Webroot='/home/nginx/domains/yourdomain.com/public'

    For CF DNS API, the config file lists the setting:
    Code (Text):
    Le_Webroot='dns_cf'

    acme.sh will look at config in /root/.acme.sh/yourdomain.com/yourdomain.com.conf and if applicable /root/.acme.sh/yourdomain.com_ecc/yourdomain.com.conf for subsequent SSL certificate renewals too.

    If using Cloudflare DNS API validation and you get errors for invalid domain when Letsencrypt is doing domain validation, ensure you created your Cloudflare API Token with permissions for all your domain zones and not just specific domain zones. You can manually verify if the created Cloudflare API Token has permissions to add TXT DNS records for your domain using below manual curl commands to add a test TXT DNS record and verify the test TXT DNS record. You can then delete the test TXT DNS record from Cloudflare DNS dashboard.

    Manual testing, 1st populate these 4 variables with your relevant values and type the commands in SSH as root user on the Centmin Mod server
    Code (Text):
    # same value as your CF_Token you set in persistent config file
    cftoken='your_cf_api_token'
    domain_hostname='your_domain_name_without_www'
    txtmsg='your_txt_msg'
    

    Then type these commands to create test TXT DNS record and verify it
    Code (Text):
    # get zoneid for domain_hostname
    cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d ${domain_hostname} '.result[] | select(.name == $d) | .id')
    
    # create test TXT DNS record
    curl -4sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'
    
    # verify test TXT DNS record
    curl -4sX GET "https://api.cloudflare.com/client/v4/zones/$cfzoneid/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d $domain_hostname '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'
    

    Post the output for both of the curl commands in CODE/CODEB bbcode tags.

    Further troubleshooting for Cloudflare DNS API Letsencrypt domain validation is to check that the SAVED_CF_Token id was updated/correct in acme.sh client's /root/.acme.sh/account.conf config file and matches what the CF_Token variable is set to in persistent config file at /etc/centminmod/custom_config.inc.

    You can inspect its contents filtered for SAVED_CF keyword using command
    Code (Text):
    grep SAVED_CF /root/.acme.sh/account.conf

    No need to post the contents, just verify that SAVED_CF_Token is correct, SAVED_CF_Account_ID is correct and the SAVED_CF_ZONE_ID variable is empty with no value.
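An added example (not from eva2000's post, Centmin Mod or acme.sh) that turns the checks above into a small shell script: it reads Le_Webroot from the domain conf to report whether renewals will go through webroot or dns_cf, and compares SAVED_CF_Token in account.conf against CF_Token in custom_config.inc while confirming SAVED_CF_ZONE_ID is empty. It runs against constructed sample files in a temp directory, so the directory layout and the PLACEHOLDER token values are assumptions; point the functions at the real files on the server to use it for real.

```shell
#!/bin/sh
# Added example, not Centmin Mod's or acme.sh's own code. It performs the checks
# from the post above offline: which validation method acme.sh will use at renewal
# (Le_Webroot in the domain conf) and whether the SAVED_CF_Token acme.sh recorded in
# account.conf still matches CF_Token in /etc/centminmod/custom_config.inc, with
# SAVED_CF_ZONE_ID left empty. Key names are taken from the post; file contents and
# token values below are constructed placeholders, not real credentials.

# Print the value of KEY=... from a shell-style config file (quotes stripped);
# prints nothing if the file or key is absent.
acme_conf_get() {
  [ -f "$2" ] || return 0
  val=$(sed -n "s/^$1=//p" "$2" | head -n 1)
  val=${val#\'}; val=${val%\'}; val=${val#\"}; val=${val%\"}
  printf '%s\n' "$val"
}

# Report how acme.sh will validate the domain at renewal: webroot, dns_cf or unknown.
validation_method() {
  case "$(acme_conf_get Le_Webroot "$1")" in
    dns_cf) echo dns_cf ;;
    /*)     echo webroot ;;
    *)      echo unknown ;;
  esac
}

# Compare the token acme.sh saved ($1 = account.conf) against the persistent config
# ($2 = custom_config.inc) and confirm the saved zone id is empty.
# Prints "ok" and returns 0, or prints the first problem found and returns 1.
check_cf_token() {
  saved=$(acme_conf_get SAVED_CF_Token "$1")
  wanted=$(acme_conf_get CF_Token "$2")
  zone=$(acme_conf_get SAVED_CF_ZONE_ID "$1")
  if [ -z "$wanted" ]; then echo "CF_Token not set in $2"; return 1; fi
  if [ "$saved" != "$wanted" ]; then echo "SAVED_CF_Token differs from CF_Token"; return 1; fi
  if [ -n "$zone" ]; then echo "SAVED_CF_ZONE_ID should be empty"; return 1; fi
  echo ok
}

# Create constructed sample files in a temp directory mirroring the real layout and
# print the directory path. On a live server point the functions at
# /root/.acme.sh/<domain>/<domain>.conf, /root/.acme.sh/account.conf and
# /etc/centminmod/custom_config.inc instead.
make_sample_configs() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/acme/yourdomain.com" "$tmp/acme/other.example" "$tmp/etc"
  printf "Le_Webroot='dns_cf'\n" > "$tmp/acme/yourdomain.com/yourdomain.com.conf"
  printf "Le_Webroot='/home/nginx/domains/other.example/public'\n" \
    > "$tmp/acme/other.example/other.example.conf"
  printf "SAVED_CF_Token='PLACEHOLDER_TOKEN'\nSAVED_CF_Account_ID='PLACEHOLDER_ACCOUNT'\nSAVED_CF_ZONE_ID=''\n" \
    > "$tmp/acme/account.conf"
  printf "CF_Token='PLACEHOLDER_TOKEN'\n" > "$tmp/etc/custom_config.inc"
  echo "$tmp"
}

# Demo run on the constructed files.
sample=$(make_sample_configs)
echo "yourdomain.com renews via: $(validation_method "$sample/acme/yourdomain.com/yourdomain.com.conf")"
echo "other.example renews via:  $(validation_method "$sample/acme/other.example/other.example.conf")"
echo "token check: $(check_cf_token "$sample/acme/account.conf" "$sample/etc/custom_config.inc")"
rm -rf "$sample"
```

The token comparison is the useful part: acme.sh copies CF_Token into account.conf the first time it runs dns_cf, so rotating the token in custom_config.inc without the saved copy being refreshed is exactly the mismatch the post tells you to look for.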
     
  3. ElChorizo

    I set up the domains using the default centminmod.sh Let's Encrypt forcing SSL option. Then I simply enabled Cloudflare and told it to do Full/Strict -- It's working out of the box.

    Do I have to change anything or will renewals happen without issue? I read your post and didn't really see an answer to that question.
     
  4. eva2000

    Yeah, if you set Full/Strict SSL for CF after the initial Letsencrypt SSL issuance, it should work fine. But if you switch to CF DNS API as outlined above, it will be a surer way of ensuring all works, as it's all done at the CF DNS API level.
     
  5. ElChorizo

    Awesome. I'll leave it as is until I run into an issue. Thank you for your time!