SSL Letsencrypt Cloudflare SSL Failed

cloud9 · Jul 23, 2024

Latest CMM Alam 8 (beta 140)

Now cmupdate run but on invoking cmm I get a message there is a newer version of acme tool available - but cmupdate doesnt appear to update to the latest version
Code:
------------------------------------------------------------------------------
Version Check:
------------------------------------------------------------------------------
!!!  there maybe a newer version of ./acmetool.sh available  !!!
https://community.centminmod.com/posts/34492/
update using centmin.sh menu option 23 submenu option 2

or via command: cmupdate

Always ensure Current Version is higher or equal to Latest Version
------------------------------------------------------------------------------
Current acmetool.sh Version: 1.0.93
Latest acmetool.sh Version: 1.0.92
------------------------------------------------------------------------------ 
This I dont believe is the problem

Site running Letsencrypt behind cloudflare on full strict mode with origin pull enabled all the ssl config correct - site been running for a year now with no changes

Getting CF error no ssl certificate as of July 2025 - nothing has changed though

Running
Code:
./acmetool.sh reissue-only MYDOMAIN.co.uk live
 
Was Getting
Code:
Invalid status. Verification error details: During secondary validation:
Changed some settings in CF including turning off and after a few attempts at reissue (all with the same above result) now get
Code:
[Tue Jul 23 07:27:24 UTC 2024] Error creating new order. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
  "status": 429

Jon Snow · Jul 23, 2024

The last error is a rate limit. I've ran into it before and had to wait it out then re-run it again.

eva2000 · Jul 23, 2024

What's output for
Code (Text):
cminfo versions
cloud9 said: ↑

Invalid status. Verification error details: During secondary validation
Click to expand...

Do you have dns setup for both non-www and www domain dns?

If you are already using Cloudflare DNS API for letsencrypt it could of been an intermittent issue with DNS validation at Cloudflare's end

Edit: ah Letsencrypt now does domain validations via default web root across 4 remote servers Let's Encrypt is adding two new remote perspectives for domain validation

Let's Encrypt is adding two new remote perspectives for domain validation. This change is motivated by the fact that increased perspectives provide more domain validation security. Increasing the number and coverage of our domain validation perspectives improves visibility and protection against BGP attacks.

During domain validation, this means that we will make 5 total validation requests, 1 from the primary datacenter and 4 from remote perspectives (previously 2). For validation to succeed, the primary server and a quorum of remote perspectives must receive the correct challenge response. This makes it more difficult for attackers to hijack validation requests. To learn more about multi-perspective domain validation, please see our earlier blog post when Let's Encrypt first added new perspectives.

We expect little to no impact to users. Let's Encrypt will begin performing domain validation with the new regions in staging next week on Wednesday March 6. Assuming all goes well, we will rollout to production the following week. Updates will be posted in this thread.
Click to expand...

Let’s Encrypt Domain Multiple Perspective Validation Ordering Change

Let’s Encrypt has made a minor change to how we validate domain control from multiple perspectives. This should have no effect on most users, but may appear differently in logs, so we are making a post to help diagnose failures to validate domain control.

Let’s Encrypt will now do secondary validation only once the primary validation has successfully completed. If primary validation fails, or CAA records prohibit issuance, we will not attempt secondary validation. In a successful validation, all the same requests will happen, but slightly more spread out in time.

If you’re interested in more technical detail, you can check out the code change in Boulder, our CA software. If you have any questions, please open a topic on this forum to ask them.
Click to expand...

Jon Snow said: ↑

The last error is a rate limit. I've ran into it before and had to wait it out then re-run it again.
Click to expand...

Yeah that is letsencrypt rare limit so need to wait it out

If your Centmin Mod Nginx domain is behind Cloudflare orange cloud enabled proxy and you have Cloudflare Full or Full Strict SSL mode enabled, it's recommended you use Cloudflare DNS API domain validation method for issuing Letsencrypt SSL certificates on your Centmin Mod Nginx origin server side. Set that up and do
Code (Text):
./acmetool.sh reissue-only MYDOMAIN.co.uk live

cloud9 · Jul 23, 2024

Thanks

Code:

If your Centmin Mod Nginx domain is behind Cloudflare orange cloud enabled proxy and you have Cloudflare Full or Full Strict SSL mode enabled, it's recommended you use Cloudflare DNS API domain validation method for issuing Letsencrypt SSL certificates on your Centmin Mod Nginx origin server side. Set that up and do

I havent set that up - so will do a retry

cloud9 · Jul 23, 2024

new error

Code:

-----------------------------------------------------------
reissue & install letsencrypt ssl certificate for MYDOMAIN.co.uk
-----------------------------------------------------------
/root/.acme.sh/acme.sh --force --createDomainKey -d MYDOMAIN.co.uk -d www.MYDOMAIN.co.uk -k 2048 --useragent centminmod-centos8-acmesh-webroot
[Tue Jul 23 11:32:43 UTC 2024] Creating domain key
[Tue Jul 23 11:32:43 UTC 2024] The domain key is here: /root/.acme.sh/MYDOMAIN.co.uk/MYDOMAIN.co.uk.key
testcert value = live
/root/.acme.sh/acme.sh --force --dns dns_cf --issue -d MYDOMAIN.co.uk -d www.MYDOMAIN.co.uk --days 60 --pre-hook "/usr/local/src/centminmod/tools/pre-acme-hooks.sh all-check MYDOMAIN.co.uk" -w "/home/nginx/domains/MYDOMAIN.co.uk/public" -k "2048" --useragent "centminmod-centos8-acmesh-webroot" --log /root/centminlogs/acmetool.sh-debug-log-230724-113238.log --log-level 2 --preferred-chain "ISRG"
[Tue Jul 23 11:32:45 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jul 23 11:32:45 UTC 2024] Runing pre hook:'/usr/local/src/centminmod/tools/pre-acme-hooks.sh all-check MYDOMAIN.co.uk'
Nginx root path: /home/nginx/domains/MYDOMAIN.co.uk/public
Le_Webroot: dns_cf,/home/nginx/domains/MYDOMAIN.co.uk/public
ECC Le_Webroot: /home/nginx/domains/MYDOMAIN.co.uk/public
The root paths match. Proceeding with the acme.sh operation.
[Tue Jul 23 11:32:45 UTC 2024] Multi domain='DNS:MYDOMAIN.co.uk,DNS:www.MYDOMAIN.co.uk'
[Tue Jul 23 11:32:48 UTC 2024] Getting webroot for domain='MYDOMAIN.co.uk'
[Tue Jul 23 11:32:48 UTC 2024] Getting webroot for domain='www.MYDOMAIN.co.uk'
[Tue Jul 23 11:32:49 UTC 2024] Adding TXT value: 4Z6t25Xxwjl8gbkzjVVgi7nG9PV8MBfvYQVcOoMxOwY for domain: _acme-challenge.MYDOMAIN.co.uk
[Tue Jul 23 11:32:52 UTC 2024] invalid domain
[Tue Jul 23 11:32:52 UTC 2024] Error adding TXT record to domain: _acme-challenge.MYDOMAIN.co.uk
[Tue Jul 23 11:32:53 UTC 2024] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-230724-113238.log
LECHECK = 1

log files saved at /root/centminlogs
-rw-r--r--  1 root root   39K Jul 23 11:32 acmetool.sh-debug-log-230724-113238.log
-rw-r--r--  1 root root  3.5K Jul 23 11:32 acmesh-reissue-only_230724-113238.log

Have added the cf tokens and api and restarted ninx

eva2000 · Jul 23, 2024

Can you private message me the contents of /root/centminlogs/acmetool.sh-debug-log-230724-113238.log ie. Google/Dropbox shared link etc

eva2000 · Jul 25, 2024

cloud9 said: ↑

Site running Letsencrypt behind cloudflare on full strict mode
Click to expand...

From your private message logs, that might have been part of the problem from testing your site on Let's Debug it says Cloudflare WAF blocking webroot authentication requests to /.well-known/* with 403 permission denied and you have CF Full Strict SSL mode so Cloudflare checks validity of your origin Centmin Mod Nginx HTTPS site's SSL certificate. But as CF WAF blocks Letsencrypt domain validation requests, you fail to renew Centmin Mod Nginx origin site's SSL certificate and so CF in Full Strict SSL mode complains with 526 error that origin site's SSL certificate is no longer valid. I'd switch CF from Full Strict to Full non-strict SSL mode for now and sort out Cloudflare WAF security rules you have in place blocking Letsencrypt domain validation. Though you said you switched to Cloudflare DNS API, so web root authentication issues shouldn't have been an issue but the log you provided shows that web root authentication failed.

eva2000 · Jul 29, 2024

eva2000 said: ↑

Though you said you switched to Cloudflare DNS API, so web root authentication issues shouldn't have been an issue but the log you provided shows that web root authentication failed.
Click to expand...

@cloud9 seems it's a new bug in addons/acmetool.sh as something changed in it's underlying acme.sh client when using Cloudflare DNS API domain validation method for issuing Letsencrypt SSL it recently started to try to verify the domain with DNS API + webroot instead of just DNS API as as your webroot method is blocked by your Cloudflare WAF, it fails to verify domain. I've updated Centmin Mod 131.00stable and 140.00beta01 with a fix for addons/acmetool.sh, which is used by centmin.sh menu option 2, 22 and nv command line for Nginx vhost HTTPS creation and Letsencrypt issuance. So you can run cmupdate to update your local code and then try reissue again
Code (Text):
./acmetool.sh reissue-only MYDOMAIN.co.uk live

cloud9 · Jul 30, 2024

Just read this after sending you a pm - my apologies - I cleared all the WAF rules and still the same

Will update cmm and try again

cloud9 · Jul 30, 2024

Ok, still got a txt error problem

Code:

The root paths match. Proceeding with the acme.sh operation.
[Mon Jul 29 15:51:14 UTC 2024] Multi domain='DNS:MYDOMAIN.co.uk,DNS:www.MYDOMAIN.co.uk'
[Mon Jul 29 15:51:17 UTC 2024] Getting webroot for domain='MYDOMAIN.co.uk'
[Mon Jul 29 15:51:17 UTC 2024] Getting webroot for domain='www.MYDOMAIN.co.uk'
[Mon Jul 29 15:51:17 UTC 2024] Adding TXT value: Y9ACCl8OOrtvR-WwX6RyxBLAHBLAHgNRl991ADVM for domain: _acme-challenge.MYDOMAIN.co.uk
[Mon Jul 29 15:51:21 UTC 2024] invalid domain
[Mon Jul 29 15:51:21 UTC 2024] Error adding TXT record to domain: _acme-challenge.jgsolar.co.uk
[Mon Jul 29 15:51:21 UTC 2024] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-290724-155108.log
LECHECK = 1

cloud9 · Jul 30, 2024

Just check the custom config at /etc/centminmod/custom_config.inc and this is definitely there
Code:
# enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
# https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/
LETSENCRYPT_DETECT='y'
DUALCERTS='y'
# Add CLOUDFLARE July 2024 - see - https://centminmod.com/letsencrypt-freessl.html#dns
CF_DNSAPI_GLOBAL='y'
CF_Token="6be7d901XXXXXXXXXXXX583f658cc95"
CF_Account_ID="a0427aXXXXXXXXXXXX3b2fa1241332"
The Token is from the CF page API and is the Global API key which I presume is correct
The Account ID is correct as it says account id in CF

Have disabled CF WAF rules
Have changed to Full from Full Strict

In API have

Still get the same txt error and no IPV6 only IPV4 in dns records A no AAAA

eva2000 · Jul 30, 2024

cloud9 said: ↑

The Token is from the CF page API and is the Global API key
Click to expand...

No not Global API key but create a API Token Letsencrypt Free SSL Certificates Integration For Centmin Mod LEMP Stack

Probably why Cloudflare DNS API text record is failing

cloud9 · Jul 30, 2024

I did that but dont understand what value do I put in
CF_Token="YOUR_CF_TOKEN"

Whats Your CF Token ? If it's not the api key is it the name of my API ?

cant see anywhere in the api that specifies an CF TOKEN

At present have my global api in it as stated above

Run the acme update new ssl for the domain this morning and today it works - yesterday constant txt errors

So all good but would like to get the CF Token correct if possible.

Thankyou for all your help - much appreciated

eva2000 · Jul 30, 2024

cloud9 said: ↑

CF_Token="YOUR_CF_TOKEN"

Whats Your CF Token ? If it's not the api key is it the name of my API ?
Click to expand...

as per Letsencrypt Free SSL Certificates Integration For Centmin Mod LEMP Stack you create a custom API token. You don't want to use Globle API Key in case of server compromise, they'd have full access to your Cloudflare account.

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

SSL Letsencrypt Cloudflare SSL Failed

cloud9 Premium Member Premium Member

Jon Snow Active Member

eva2000 Administrator Staff Member

cloud9 Premium Member Premium Member

cloud9 Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

cloud9 Premium Member Premium Member

cloud9 Premium Member Premium Member

cloud9 Premium Member Premium Member

eva2000 Administrator Staff Member

cloud9 Premium Member Premium Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

SSL Letsencrypt Cloudflare SSL Failed

cloud9 Premium Member Premium Member

Jon Snow Active Member

eva2000 Administrator Staff Member

cloud9 Premium Member Premium Member

cloud9 Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

cloud9 Premium Member Premium Member

cloud9 Premium Member Premium Member

cloud9 Premium Member Premium Member

eva2000 Administrator Staff Member

cloud9 Premium Member Premium Member

eva2000 Administrator Staff Member

.