SSL Letsencrypt Unable To Get Lets Encrypt To Work With Cloudflare

Discussion in 'Domains, DNS, Email & SSL Certificates' started by TempusOwl, Apr 17, 2018 at 2:03 PM.

  1. TempusOwl

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 6 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: current
    • PHP Version Installed: current
    • MariaDB MySQL Version Installed: current
    • When was last time updated Centmin Mod code base ? : last hour
    • Persistent Config: LETSENCRYPT_DETECT='y'
    So I have put about 6 hours or so into looking through documentation and reinstalling CentOS and Centmin Mod to try to get this to work, but I keep having issues, so I have a feeling I am missing something.

    So all my troubleshooting was done with multiple fresh installs to remove any variance.

    Goal: I intend to use Lets Encrypt + Cloudflare DNS w/ Full SSL without having to disable Cloudflare, and to support automatic renewal. There will be more than 1 domain running on this server.

    The documentation on Cloudflare and Lets Encrypt using Centmin Mod is detailed but not working for me as it shows. There are multiple methods and I have used most of them. To get up and running I paste in the install command for beta, then type centmin, run the email stuff, exit out, and then do the steps as follows.

    I have followed the "Cloudflare API Support in DNS Mode" posted in Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01. I successfully go through setup: the path using nano, write with ^o, then press enter for the name and ^x to exit. Then I modify the config file to allow Lets Encrypt Detect - Y, which works fine. The problem is when I say "Y" to Lets Encrypt when running Option 2 (the option after Self Signed SSL): it runs through and says "there is no cloudflare API key or email". This confused me because I know it was there as per the documentation. After a bit more reading, there is also /root/.acme.sh/dnsapi/dns_cf.sh which contains commented space for CF_Email and CF_API; I removed the # and entered in my details. Upon running the command as before, it removes my changes despite being saved and returns the same "there is no cloudflare API key or email". The closest forum thread I found that had this problem was Cloudflare - SSL - letsencrypt and cloudflare.

    I feel like I am going in a circle; can someone point me to where I am going wrong on this?
     
  2. eva2000

    For Cloudflare API key setup, where are you entering the key? You add the Cloudflare API key config to either /etc/centminmod/acmetool-config.ini or /etc/centminmod/custom_config.inc BEFORE running addons/acmetool.sh, NOT during or after running addons/acmetool.sh. But put the Cloudflare DNS API method aside for the moment, as the preferred methods are outlined below.

    Now as to HTTPS setup, there are generally 3 ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS. Method 3 would be the least problematic method to use - which has one method for existing Nginx vhost sites created on a Centmin Mod server and another method for intended new Nginx vhost sites. Both methods do not use the DNS API method but use the web root authentication method for file-based domain verification, which is the preferred method.

    Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed ssl certificates first. Then converting the self-signed ssl certificate to paid or free (Letsencrypt) web browser trusted SSL certificates outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate, and the most important part is the concatenation of the SSL provider provided files to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes at the time of initial nginx vhost creation to self-signed ssl certificates, you can manually set up the self-signed ssl certificate via the vhost generator by checking the self-signed ssl box and entering a domain name. This will outline instructions for manually creating and setting up the self-signed ssl certificate and nginx vhost settings. Then for web browser trusted ssl certificates you follow - How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon which is still in beta testing only for integrating Letsencrypt SSL certificates. And has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
    Note:
    • For the wordpress auto installer, you actually need to read method 2 to enable LETSENCRYPT_DETECT='y', then run centmin.sh menu option 22 which will detect letsencrypt support and display the additional letsencrypt prompts required to issue free letsencrypt ssl certificates for the wordpress auto installer
     
  3. TempusOwl

    Alright, it appears to be working, although not 100%, and I was able to use this to narrow down what I believe was the issue. I had Cloudflare SSL set to “off”, which I thought would give me the ability to see if “Lets Encrypt” was being used instead of being overwritten by Cloudflare's Comodo SSL. In CF documentation it says “No visitors will be able to view your site over HTTPS; **they will be redirected to HTTP.**” This made it appear that SSL was not working and it kept going to HTTP, and that there was some kind of issue, but it was Cloudflare.



    I did have some unknowns with the documentation for method 3 and not sure if it’s a problem with how I ended up setting it up. In the first area for “Valid DNS A Record Requirement” it said to type

    dig http2.website.com +short = Didn’t work

    dig website.com +short = Did work but returned cloudflare IP and not my servers which seems to go against the “would need DNS A record to server IP address”. Not sure if this is a problem or not.

    Also, is it a problem that I did website.com instead of http2.website.com?
     
  4. eva2000

    Yes, that can be confusing: if you disable Cloudflare SSL, all HTTPS requests get redirected to non-HTTPS HTTP URLs.

    what was the domain intended for letsencrypt HTTPS Nginx site ? yourdomain.com or http.yourdomain.com ?

    If both yourdomain.com and http.yourdomain.com are on the same server then the dig command should return the server's public IP address. If one of the domains didn't return the server's IP address or, in Cloudflare's case, is blank, then that means that domain's DNS A record hasn't been set up with the DNS provider - which in your case is Cloudflare, which would return a Cloudflare IP, which is valid and expected (I should add that to the instructions).

    Or you may be confused by the example at Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates, which is for a domain named = http2.centminmod.com, so you would replace that with your domain i.e. yourdomain.com or subdomain.yourdomain.com
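The dig check discussed in the last two posts, written up as a preflight script (an added example, not code from the thread or from Centmin Mod). It captures the rule eva2000 gives: for web root validation the A record must resolve, an empty answer means no record exists at the DNS provider, an answer equal to the server's public IP is correct, and a different answer is acceptable only when the hostname is proxied (orange-clouded) through Cloudflare. The function names, the `PROXIED` flag and the 203.0.113.x / 198.51.100.x addresses are assumptions constructed for the example; the live wrapper needs `dig` installed.

```shell
# Added example, not part of the thread or of Centmin Mod. Preflight check for
# the web root (file based) Letsencrypt validation: does the domain's A record
# point at this server, or at Cloudflare when the hostname is proxied?

# a_record_status RESOLVED SERVER_IP PROXIED
#   RESOLVED  : addresses as printed by `dig <host> A +short` (space or newline separated)
#   SERVER_IP : the public IP the Nginx vhost listens on
#   PROXIED   : "y" if the record is proxied through Cloudflare, otherwise "n"
# Prints one of: ok, proxied, missing, mismatch. Exit status 0 for ok/proxied.
a_record_status() {
  resolved="$1"
  server_ip="$2"
  proxied="$3"
  # An empty answer means no A record has been set up at the DNS provider.
  if [ -z "$(printf '%s' "$resolved" | tr -d '[:space:]')" ]; then
    echo missing
    return 1
  fi
  # Any answer equal to the server's own IP means validation can reach Nginx directly.
  for ip in $resolved; do
    if [ "$ip" = "$server_ip" ]; then
      echo ok
      return 0
    fi
  done
  # A different address is expected when Cloudflare proxies the hostname:
  # the HTTP validation request is forwarded through Cloudflare to the server.
  if [ "$proxied" = "y" ]; then
    echo proxied
    return 0
  fi
  # Otherwise the record points somewhere else and validation would fail.
  echo mismatch
  return 1
}

# check_domain DOMAIN SERVER_IP PROXIED: live wrapper that queries DNS with dig.
check_domain() {
  answer="$(dig "$1" A +short 2>/dev/null)"
  a_record_status "$answer" "$2" "$3"
}

# Constructed sample run (203.0.113.10 stands in for the server's public IP):
#   check_domain yourdomain.com 203.0.113.10 y
```

Run the check for each hostname you intend to issue a certificate for (yourdomain.com and any subdomain separately), with `PROXIED` set to `y` for orange-clouded records; a `missing` result is the case to fix at Cloudflare before running acmetool.sh, while `proxied` is the valid and expected answer eva2000 describes.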
     