Automatic renewal of Dreamhost Let's Encrypt Certificate fails

What is the name of the domain?

stpeters-sw.org

What is the error message?

Renewal of the Let’s Encrypt certificate fails.

What is the issue you’re encountering?

Automatic renewal of the Dreamhost Let’s Encrypt certificate fails.

What steps have you taken to resolve the issue?

Spoke with Dreamhost support. They indicate that auto-renewal of certificate should work if properly configured at Cloudflare. Read Dreamhost documentation on Cloudflare setup and all seems satisfactory.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Full Strict SSL is working. The problem only occurs when the auto-renewal of the Let’s Encrypt certificate fails and our website becomes unsecured until I manually renew the certificate after pausing Cloudflare. Am I missing something in the Cloudflare settings or DNS records to enable auto-renewal to work?

That’s the way I usually go with cPanel, except sometimes I forget and I just change it and leave it on Full (not strict), even though it’s not advised (especially if the certificate is also related to the email functioning).

Not really. However, there could be a trick with the “Always Use HTTPS” option: disable it to make sure the DCV HTTP requests would pass through to Dreamhost to renew the SSL certificate, despite Full (Strict) and the proxied (orange-cloud) hostname.

Thank you for your response. I am a volunteer for this website and a retired software engineer. Although it is easy for me to manually renew the certificate after pausing Cloudflare, there is no one else who could do this when I no longer support this site. To try to automate the renewal process, I have taken the following steps.

On the origin server, I added the following line to the .htaccess file.

RewriteRule ^.well-known/(.*)$ - [L]

I have also read about the Cloudflare Origin CA Certificate that can be installed on the origin server but I don’t know if this is possible in our situation because we are on a Shared Hosting (many websites share the same server) plan at Dreamhost and the certificate files have to be installed on the origin web server.

Has anyone resolved the auto-renewal of certificates by another method or using the Cloudflare Origin CA Certificate?

Thank you.
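A quick way to confirm that the pass-through rule added above actually takes effect, written as an added example rather than anything from the thread, Dreamhost or Cloudflare: a small Python script that reads the RewriteRule lines of an .htaccess file in order, the way mod_rewrite evaluates them, and reports what happens to a request for an ACME HTTP-01 challenge path. The sample .htaccess contents and the token are constructed; RewriteCond lines are ignored (a simplification), so a rule gated by a condition is treated as always applying.

```python
import re

# Constructed sample .htaccess files (not from the thread). The pass-through line
# is the one the poster added; the catch-all and the HTTPS redirect stand in for
# rules a CMS or an "always HTTPS" setup commonly adds on the origin.
HTACCESS_GOOD = """
RewriteEngine On
RewriteRule ^.well-known/(.*)$ - [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteRule . /index.php [L]
"""

# Same rules, but the HTTPS redirect is listed BEFORE the pass-through, so the
# challenge request is redirected before the exemption is ever reached.
HTACCESS_BAD = """
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteRule ^.well-known/(.*)$ - [L]
"""

# Constructed token path; in a per-directory .htaccess the path has no leading slash.
CHALLENGE = ".well-known/acme-challenge/constructed-token"


def parse_rules(text):
    """Return (pattern, target, flags) for every RewriteRule, in file order.
    RewriteCond lines are deliberately ignored (assumption: rule always applies)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append((parts[1], parts[2], flags))
    return rules


def acme_verdict(text, path=CHALLENGE):
    """Walk the rules top to bottom and report the fate of an HTTP-01 request:
    'pass-through' (served as-is), 'redirected' (sent to another URL) or
    'rewritten' (handed to a different file, e.g. a CMS front controller)."""
    for pattern, target, flags in parse_rules(text):
        if not re.search(pattern, path):
            continue
        if target == "-":
            if "L" in flags:
                return "pass-through"
            continue  # '-' without [L]: nothing changes, keep evaluating
        if target.startswith("https://") or any(f.startswith("R") for f in flags):
            return "redirected"
        return "rewritten"
    return "pass-through"  # no rule matched: request reaches the file on disk
```

Run `acme_verdict()` against the real .htaccess before relying on a renewal: only a `pass-through` verdict means the exemption is ordered ahead of the rules that would otherwise catch the challenge request.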