Welcome to Centmin Mod Community
Become a Member

Cloudflare SSL letsencrypt and cloudflare

Discussion in 'Domains, DNS, Email & SSL Certificates' started by SFLC, Dec 18, 2016.

  1. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    hello,

    So i setup letsencrypt certs using the acme tool and it says it checks the A record, which at the time it matches the servers ip, now i've added cloudflare for all the domains, when i go to renew the certs in a few months will there be any issues
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    if you're using cloudflare then you don't really need letsencrypt ssl certs if you're using cloudflare flexible ssl

    you would only want letsencrypt ssl certs if you use cloudflare with full ssl certs or full strict ssl cert modes of ssl with cloudflare - in such case you may need to switch to cloudflare api method of acmetool.sh DNS mode outlined at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 | Page 6 | Centmin Mod Community

    once you setup addons/acmetool.sh DNS mode for cloudflare via persistent acmetool config file at /etc/centminmod/acmetool-config.ini (you create), you can issue again letsencrypt ssl cert via DNS mode don't need to pass the www version of the domain
    Code (Text):
    ./acmetool.sh certonly-issue domain1.com
    
     
  3. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    I followed the instructions but when i issue the command
    ./acmetool.sh certonly-issue domain.com
    this is the output

    -----------------------------------------------------------
    [DNS mode] issue & install letsencrypt ssl certificate for domain.com
    -----------------------------------------------------------
    testcert value =
    /root/.acme.sh/acme.sh --staging --issue --force --dns dns_cf -d domain.com -d .... -k 2048 --useragent centminmod-centos7-acmesh-dns --log /root/centminlogs/acmetool.sh-debug-log-171216-174104.log --log-level 2
    [Sat Dec 17 17:41:08 UTC 2016] Using stage api:...
    [Sat Dec 17 17:41:08 UTC 2016] Multi domain='DNS:..........
    [Sat Dec 17 17:41:08 UTC 2016] Getting domain auth token for each domain
    [Sat Dec 17 17:41:08 UTC 2016] Getting webroot for domain='domain.com'
    [Sat Dec 17 17:41:08 UTC 2016] _w='dns_cf'
    [Sat Dec 17 17:41:08 UTC 2016] Getting new-authz for domain='domain.com'
    [Sat Dec 17 17:41:11 UTC 2016] The new-authz request is ok.
    [Sat Dec 17 17:41:11 UTC 2016] Getting webroot for domain='.....
    [Sat Dec 17 17:41:11 UTC 2016] _w='dns_cf'
    [Sat Dec 17 17:41:11 UTC 2016] Getting new-authz for domain='.........
    [Sat Dec 17 17:41:12 UTC 2016] The new-authz request is ok.
    [Sat Dec 17 17:41:12 UTC 2016] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
    [Sat Dec 17 17:41:12 UTC 2016] You don't specify cloudflare api key and email yet.
    [Sat Dec 17 17:41:12 UTC 2016] Please create you key and try again.
    [Sat Dec 17 17:41:12 UTC 2016] Error add txt for domain:_acme-challenge.domain.com
    [Sat Dec 17 17:41:12 UTC 2016] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-171216-174104.log

    ---------------------------------
    DNS mode via Cloudflare DNS API
    ---------------------------------
    setup TXT DNS record via Cloudflare API

    Null message body; hope that's ok


    i added the api keys to the /etc/centminmod/acmetool-config.ini so im not sure what's wrong, the txt record definitely is not added to cloudflare.

    do i even need to worry about this or are cloudflare ssl's auto renewed, i couldn't find much about that online
     
    Last edited: Dec 18, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    how did you create /etc/centminmod/acmetool-config.ini file ? use linux text editor like nano or vim to create and edit it

    nano which you can read up more about nano here and here. For vim text editor read here and here.

    Also there's numerous online how to use guides for nano and vim you can search for via google :)

    yeah cloudflare's ssl auto renews
     
  5. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    i used vi, it definitely read the file as i added the pushover api at the top and even got a notification on my phone
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    what does the debug log say /root/centminlogs/acmetool.sh-debug-log-171216-174104.log - pastebin or gist link/post it
     
  7. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    [Sat Dec 17 17:41:08 UTC 2016] Lets find script dir. [Sat Dec 17 17:41:08 UTC 2 - Pastebin.com

    the only thing i can thing of is maybe the way i set things up, as i initially did not have any intentions of using cloudflare

    i set up the domains with lets encrypt https only and then switched all dns at registrar and then after that after its all live from cloudflare then tried this.

    although then again im not sure why it says theres no api there, its not the first time ive created a file and edited it
     
  8. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    would dns sec cause these issues, im going to disable it on one domain and try again
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    debug log doesn't reveal anything more useful so can't see why it's not picking up cloudflare api key and cloudflare account email etc ?

    not sure worth trying
     
  10. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    ya still no joy, its all good @eva2000 i appreciate your help, theres no need to look into this further as ssl will work from cloudflares side
     
    • Like Like x 1
  11. KeVo

    KeVo Active Member

    179
    70
    28
    May 28, 2014
    Ratings:
    +100
    Local Time:
    5:15 AM
    1.11.x
    10.1.18
    I've not been doing this before. Can not doing this step cause the log to say that LetsEncrypt couldn't connect to the site in question when trying to issue the cert?

    Forgot to add www to my DNS. lol
     
    Last edited: Dec 28, 2016
    • Funny Funny x 2
  12. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    did you ever get it to work ?

    that would help :)
     
  13. KeVo

    KeVo Active Member

    179
    70
    28
    May 28, 2014
    Ratings:
    +100
    Local Time:
    5:15 AM
    1.11.x
    10.1.18
    That and turning off the orange clouds (make them grey momentarily) for your A/AAAA and CNAME records while LetsEncrypt is issuing the certificate if using Cloudflare.

    :D
     
  14. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    shouldn't need to do that for webroot authentication or for acmetool.sh in DNS mode as it uses cloudflare api to validate domain via DNS TXT based record.
     
  15. KeVo

    KeVo Active Member

    179
    70
    28
    May 28, 2014
    Ratings:
    +100
    Local Time:
    5:15 AM
    1.11.x
    10.1.18
    Wasn't aware of that! Next time I'll remember this. hehe
     
    • Like Like x 1
  16. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
  17. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    Ya I got it to work @eva2000, probably in a very greasy way but i think it should be good, switched off each domains cloudflare proxy one by one, exposing the server ip, then installed the letsencrypt cert, then switched it back on after, and for good measure, disabled the acme tool cron. I figure even when the cert expires cloudflare wont care so there should be no disruption, but for good measure i did 1 site first then a few days later the rest, so when the first site expires and theres no issues then its all good, if not then ill just redo the aforementioned and within 10min everything should be good again
     
    • Informative Informative x 1
  18. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    strange letsencrypt DNS mode via addons/acmetool.sh should work for validation with cloudflare as it validates via TXT DNS record not ip address

    and even non-DNS mode via addons/acmetool.sh uses webroot authentication so validates by a file check on server so doesn't rely on ip address in DNS record either.

    Though i guess letsencrypt might check for DNS a record still but shouldn't matter
     
  19. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    8:15 PM
    Nginx 1.13.x
    MariaDB 5.5
    i think your original problem with cloudflare api key setup which the orange cloud shouldn't affect ?
     
  20. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:15 PM
    1
    10
    I see what your saying @eva2000, i forgot to mention that i backed up each domain and deleted it and then re-setup from menu option 2