AWS EC2 / Cloudflare : bncert won't renew SSL cert

There is a site I have more recently been working on. They are hosted on AWS EC2 with Cloudflare active on the primary domain, and there’s a secondary domain not associated with Cloudflare that is pointed directly at the AWS IP address. It is simply redirected to the primary domain; however, it is used for email.

In Cloudflare, there is an Edge certificate on the primary domain, and Full encryption mode is enabled and it says it’s active / working: https://cln.sh/TvfQNLjq

On the server, there is a Let’s Encrypt SSL cert covering the main domain and the redirected domain. I did not set this up.

I believe that SSL cert was supposed to auto-renew, but it recently expired, and I went to manually renew it using the bncert tool, but it’s giving an error that the primary domain “resolves to a different IP address”, which I’m sure is due to Cloudflare.

The primary domain has seemingly been unaffected since it expired, but the redirected domain is giving the “Connection Not Private” error.

What is the best solution here, should I override it, or remove the primary domain from the cert?

By overriding I am referring to:

sudo /opt/bitnami/bncert-tool --perform_public_ip_validation 0 --perform_dns_validation 0

If I override it, does the cert still cover the primary domain?

Correct. Since the DNS records are proxied (orange cloud), we get a Cloudflare IP, and LE cannot renew the origin host/server SSL certificate (even though Cloudflare’s Universal SSL is possibly also using LE …).

Quite good question :thinking:

From what I understood by reading, hopefully correctly, since you’re using LE’s SSL certificate, I’d suggest you temporarily enable and use the “Pause Cloudflare for this site” option from the bottom right corner of the Cloudflare dashboard. Give it a few minutes. Retry the process of renewing your origin LE SSL certificate. Upon success, switch the option back and make sure your DNS records are proxied (orange cloud) again.

Might want to use Full (Strict) SSL if already not :wink:
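As an added example (not part of this thread, and not code from the bncert tool or Cloudflare), the script below reproduces the check behind bncert’s “resolves to a different IP address” complaint: for each domain on the certificate it compares the A record with the origin’s own public IP and, when they differ, tests whether the record points at a Cloudflare edge address. The Cloudflare IPv4 ranges are a snapshot of the published list at https://www.cloudflare.com/ips-v4 (assumption: refresh it before relying on it), the domain names, the resolved addresses and the origin IP in the sample are constructed, and the two renewal paths it names are the ones discussed above (pausing Cloudflare, or running bncert with its validation flags set to 0).

```python
"""Why bncert refuses to renew behind Cloudflare: a DNS pre-check replica.

Added example, not code from the original thread or from the bncert tool.
"""
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list is current; re-fetch it before trusting a "not Cloudflare" verdict.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify_record(resolved_ip: str, origin_ip: str) -> str:
    """Where a domain's A record points relative to this origin host."""
    if resolved_ip == origin_ip:
        return "origin"            # bncert's public-IP validation passes
    if is_cloudflare_ip(resolved_ip):
        return "cloudflare-proxied"  # orange cloud: edge IP, not the origin
    return "elsewhere"             # wrong DNS; fix before renewing


def renewal_plan(resolved: dict, origin_ip: str) -> dict:
    """Classify every domain on the cert and say which renewal path applies.

    resolved: {domain: A-record IP} as seen by a public resolver.
    """
    classes = {d: classify_record(ip, origin_ip) for d, ip in resolved.items()}
    proxied = sorted(d for d, c in classes.items() if c == "cloudflare-proxied")
    broken = sorted(d for d, c in classes.items() if c == "elsewhere")
    if broken:
        action = "fix-dns-first"
    elif proxied:
        # Both options from the thread; the second skips the pre-check only,
        # the ACME challenge itself still has to reach the origin.
        action = "pause-cloudflare-or-disable-bncert-validation"
    else:
        action = "run-bncert-normally"
    return {"classes": classes, "proxied": proxied, "broken": broken, "action": action}


def resolve_live(domains):
    """Online helper: resolve each domain with the system resolver (not used in tests)."""
    return {d: socket.gethostbyname(d) for d in domains}


if __name__ == "__main__":
    # Constructed sample: primary domain behind Cloudflare, mail domain on the origin.
    sample = {"www.example.com": "104.16.1.1", "mail.example.net": "203.0.113.10"}
    plan = renewal_plan(sample, origin_ip="203.0.113.10")
    for domain, cls in plan["classes"].items():
        print(f"{domain:20} {sample[domain]:16} {cls}")
    print("action:", plan["action"])
```

Run it with the live resolver (`renewal_plan(resolve_live([...]), origin_ip)`) from the EC2 instance itself, using the instance’s public IP as `origin_ip`; a `cloudflare-proxied` verdict for a domain is exactly the case where bncert’s public-IP check will fail for that name. The `elsewhere` class is deliberately separated because disabling bncert’s validation with `--perform_public_ip_validation 0 --perform_dns_validation 0` only silences the pre-check; an A record that points at a host other than the origin still cannot answer the challenge.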

Thank you for the quick response :slight_smile:

That’s a good idea that I had not considered. It is however a pretty high traffic site, and if I disable Cloudflare then I believe it will show the ‘Connection Not Private’ error to visitors, since the LE cert is expired.

Sure it would be brief, but if it’s possible to avoid it that would be ideal. If it’s not possible then I suppose I’ll choose a low traffic time.

I mentioned overriding the validation during the renewal, is that a feasible option?

Or is there any way to do it without having to temporarily display the site as insecure?

May I ask if you’re using HSTS at Cloudflare dashboard or not? :thinking:

If not, a workaround, for example with cPanel AutoSSL, is to disable the Always Use HTTPS option at Cloudflare.

Furthermore, depending on what you can do with your EC2 instance, a good read here:

Other ideas to try out here:

We’re on the Pro plan in Cloudflare. HSTS is not enabled and neither is the Always Use HTTPS option. However it is configured somewhere to force HTTPS as all traffic is currently redirected HTTP → HTTPS.

Thanks for the links, I had a look through those and a lot of other posts as well. It’s not making sense to me how I can use another validation method, because this is pretty unfamiliar to me.

I think I’ll try your original suggestion and use the setting to pause Cloudflare and renew it that way.

Currently Cloudflare shows that the site has Full encryption mode: https://cln.sh/TvfQNLjq

Doesn’t that mean that there must be a valid origin cert? The LE cert is expired so shouldn’t this be saying it’s not encrypted end to end?

I guess as per this article ( https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/ ) it says that it doesn’t validate the cert, so that is why it’s still working right?

Thank you for the feedback.

Maybe the Automatic HTTPS Rewrites option? :thinking:
Otherwise, might be at the origin host I believe.

In the best case, yes, it should be a valid one, and likewise for “Full (Strict)”.

Correct for “Full”, yes.

Thank you so much! That was very helpful.

I successfully renewed the cert during a low traffic time. I used the option to temporarily disable Cloudflare, and it only took 3 minutes for the DNS to update. Then the site was insecure just briefly while I used bncert to do the renewal. Then upon success, both sites were secure and I re-enabled Cloudflare.

Much appreciated :smile:

