
Letsencrypt Cloudflare LetsEncrypt and Cloudflare error

Discussion in 'Domains, DNS, Email & SSL Certificates' started by quicksalad, Apr 12, 2022.

  1. quicksalad

    quicksalad Member

    228
    13
    18
    May 31, 2015
    Ratings:
    +20
    Local Time:
    10:21 PM
    After reading and browsing posts here, I came to check some of the possible options that I can add to my server.
    I tried LetsDebug to check but I got this error.
    Code:
    CloudflareCDN
    WARNING
    The domain mydomain.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
    I tried enabling FULL Strict but it gives me a 512 error when accessing my site.
    I read some of the posts with the same error as mine here, and I tried running
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    It only gives me the below:
    Code:
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    Then I tried reissue-only but it still gives me the error below.
    Code:
    [Tue Apr 12 06:03:45 UTC 2022] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    Vhost created via option 22 Wordpress install. Any advice will help! Thanks

     
  2. eva2000

    eva2000 Administrator Staff Member

    54,884
    12,240
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,811
    Local Time:
    2:51 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Disable Always Use HTTPS in Cloudflare and see if that works with reissue-only mode.
     
  3. eva2000

    eva2000 Administrator Staff Member

    If that doesn't work, and you have no data on Wordpress site, just delete the Wordpress site's Nginx using the Wordpress uninstall script generated by centmin.sh menu option 22.

    Every centmin.sh menu option 22 run has an accompanying uninstall script at /root/tools/wp_uninstall_${vhostname}.sh where ${vhostname} = your domain name. You can run that to uninstall almost everything except mysql database which you have to manually remove yourself - extra precaution in case you accidentally run the wrong uninstall script.

    Then ensure Cloudflare's Always Use HTTPS is disabled first and that you are using Cloudflare Flexible SSL, then run centmin.sh menu option 22; afterwards, once setup is done, you can re-enable Always Use HTTPS and Full SSL in the Cloudflare dashboard.

    The reason is Letsencrypt's domain verification URL is tested over non-https version of your domain and it will follow non-https to https redirects if they exist. But if you have that redirect, it will evaluate domain verification over https version of your domain but you won't have a valid SSL certificate yet.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Another option, if you're behind Cloudflare and don't want to deal with Centmin Mod's default Letsencrypt web root authentication: Centmin Mod's Letsencrypt SSL integration also supports Letsencrypt DNS validation via Cloudflare's DNS API when the optionally enabled Cloudflare API Token variables are set in the persistent config file at /etc/centminmod/custom_config.inc prior to creating your Centmin Mod Nginx HTTPS vhost domain name via centmin.sh menu option 2, 22 or the nv command line. See https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/
     
    Last edited: Apr 12, 2022
  5. quicksalad

    quicksalad Member

    @eva2000
    I already have data on my WP :( What would be my best option?
    This prompt in option 22 forces you to have a non-https to https redirect by default.
    Code:
    Enter vhost domain name you want to add (without www. prefix): mydomain.com
    
    Create a self-signed SSL certificate Nginx vhost? [y/n]: n
    Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
    
    You have 4 options:
    1. issue staging test cert with HTTP + HTTPS
    2. issue staging test cert with HTTPS default
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default
    Enter option number 1-4: 4
    After option 4, I should have the LetsEncrypt cert, right?
    Why doesn't /usr/local/src/centminmod/addons/acmetool.sh checkdates recognize the cert?
    Maybe I ran into the same kind of error as this thread https://community.centminmod.com/th...blem-with-letsencrypt-cloudflare.22446/page-2
     
  6. eva2000

    eva2000 Administrator Staff Member

    You should, but only if you haven't set Cloudflare Full SSL and haven't set Cloudflare Always Use HTTPS beforehand. If you set those 2 options before running centmin.sh menu option 22 Wordpress install and set HTTPS default Letsencrypt, then Letsencrypt domain verification fails, as Letsencrypt follows the non-https to https redirect set up by those 2 Cloudflare options and verifies on the https version of the domain. But because the https version of the domain doesn't have a valid SSL cert yet, Letsencrypt domain verification fails.

    Why it works if you haven't set Cloudflare Full SSL and haven't set Cloudflare Always Use HTTPS beforehand is that the centmin.sh menu option 22 routine creates the Wordpress install first with both the non-https domain.com.conf and https domain.com.ssl.conf Nginx vhosts, and it does the Letsencrypt domain verification over the non-https URL first to get the Letsencrypt SSL cert set up on the https Nginx vhost. Then, if you chose HTTPS default, the routine removes the non-https Nginx vhost domain.com.conf and enables a 302 non-https to https redirect in the Nginx HTTPS vhost at domain.com.ssl.conf.

    If you have data in Wordpress and can't remove it, then the best bet is to switch to Cloudflare DNS API domain verification https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/ and then run the acmetool.sh reissue-only option for existing Nginx HTTPS SSL vhosts whose domain.com.ssl.conf vhost config files exist. This only does a reissue of the Letsencrypt SSL cert without touching the Nginx vhost. It is ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but Letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to a self-signed SSL cert as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com for live production SSL certificate without touching any of the existing nginx vhost at domain.com.ssl.conf
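    The failure mode explained in posts 3 and 6 (HTTP-01 validation starts over http, Cloudflare redirects it to https, and the https side only has a self-signed placeholder) can be checked before re-running issuance. This is an added example, not Centmin Mod's acmetool.sh or eva2000's code; it assumes curl is installed and uses a constructed token path, so the challenge URL itself is expected to 404 either way and only the redirect target and certificate validity matter.

```shell
#!/usr/bin/env bash
# Pre-flight check for Let's Encrypt HTTP-01 behind Cloudflare.
# Mimics what the ACME validator does: fetch the challenge path over
# plain http://, follow any redirect, and report whether the chain ends
# on https:// and whether that https endpoint presents a valid cert.
# Added example; not part of Centmin Mod.

# classify_acme_probe FINAL_URL TLS_OK -> prints a verdict
#   FINAL_URL : URL curl ended on after following redirects
#   TLS_OK    : "yes" if a *verified* TLS fetch of FINAL_URL succeeded,
#               "no" otherwise (ignored when the chain stays on http)
classify_acme_probe() {
  local final_url="$1" tls_ok="$2"
  case "$final_url" in
    https://*)
      # The thread's failure mode: Always Use HTTPS / Full SSL send the
      # validator to https before a trusted cert exists on the origin.
      if [ "$tls_ok" = "yes" ]; then
        echo "ok-https"                  # redirect is fine, cert already valid
      else
        echo "fail-https-no-valid-cert"  # issuance will fail; use DNS API or disable redirect
      fi ;;
    http://*)  echo "ok-http" ;;         # validator stays on http, as intended
    *)         echo "unreachable" ;;     # no answer at all from the http side
  esac
}

# probe_acme_http01 DOMAIN [TOKEN] -> prints verdict (needs network)
probe_acme_http01() {
  local domain="$1" token="${2:-preflight-$(date +%s)}"   # constructed token
  local start="http://${domain}/.well-known/acme-challenge/${token}"
  local final tls_ok="no"
  # -k only so the redirect chain can be followed to its end even when the
  # https side still carries the self-signed placeholder cert.
  final=$(curl -sS -k -L --max-redirs 10 --max-time 15 -o /dev/null \
             -w '%{url_effective}' "$start" 2>/dev/null) || final=""
  case "$final" in
    https://*)
      # Second fetch with verification ON: does the cert actually validate?
      # No -f here: a 404 body with a trusted cert still exits 0.
      if curl -sS -o /dev/null --max-time 15 "$final" 2>/dev/null; then
        tls_ok="yes"
      fi ;;
  esac
  classify_acme_probe "$final" "$tls_ok"
}

# Usage: probe_acme_http01 mydomain.com
```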
     
  7. quicksalad

    quicksalad Member

    Thank you @eva2000. That was my mistake, I think. Thanks for the very accurate explanation.
    I tried doing this https://community.centminmod.com/th...cloudflare-dns-api-domain-verification.22630/
    I still get this error when using Full (Strict)
    Code:
    The domain mydomain.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
    https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-
    And why does my domain name resolve to my real server IP, not Cloudflare, when using the SSL Shopper checker? Any misconfig? Proxy status on CF DNS is orange.
     
    Last edited: Apr 13, 2022
  8. eva2000

    eva2000 Administrator Staff Member

    You can ignore that letsdebug message if your domain is working through Cloudflare with Full Strict SSL mode.
     
  9. quicksalad

    quicksalad Member

    Thanks for the confirmation. Any idea why my domain resolves to my real server IP using the sslshopper checker, but other checkers resolve to the CF IP?
     
  10. eva2000

    eva2000 Administrator Staff Member

    You mean for https://www.sslshopper.com/ssl-checker.html ? Did you ever check with Cloudflare disabled before? Maybe cached?
     
  11. quicksalad

    quicksalad Member
