Cloudflare Flexible SSL Interferes with Let's Encrypt Renewal

I have multiple domains managed using Virtualmin. Some have been migrated to Full (strict) but some are still using Flexible SSL. I noticed that renewals of Let’s Encrypt certificates started failing December 2021. I got the renewals working by temporarily disabling Cloudflare proxy for the affected domains. When the problem reoccurred in March, I had a closer look at the error messages.

The virtualmin acme-challenge code creates a file in .well-known/acme-challenge/ and then calls https://acme-v02.api.letsencrypt.org/acme/chall-v3/ passing a token. The API resolves the domain name to two ipv4 addresses and two ipv6 addresses. Let’s Encrypt now prefers ipv6 to access the .well-known/acme-challenge/ file. It looks like Let’s Encrypt gets back error 403 and an error message (all I see are the HTML headers). I do not have any AAAA records defined for my domains since they are hosted on AWS which does not fully support ipv6.

The domains using Full (strict) renewed fine. I converted all the Flexible SSL domains to Full (strict) and am no longer seeing any Let’s Encrypt renewal issues.

I found several posts about Cloudflare wanting to use proxy servers on their ipv6 network and no longer allowing Cloudflare users to turn off IPv6 Compatibility. I did not enable Pseudo IPv4 since I was using the defaults on all domains. What is puzzling is that https://ready.chair6.net/ returned ipv4 and ipv6 for all my domains, yet Let’s Encrypt appeared to prefer ipv4 for the Full (strict) servers. Also, I assumed that the Cloudflare ipv6 proxies would do the necessary translation for ipv4 origin servers.

At the moment, everything is working, but I am concerned that there might be something else underlying the original problem that will cause issues in the future. Can anyone shed any light on what I am seeing?

Thanks, Norbert

I should have added that I could access the .well-known/acme-challenge files that Let’s Encrypt could not access, but then my ISP is still handing out ipv4 addresses.
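Added here as an example (not Virtualmin's, Cloudflare's or Let's Encrypt's code): a small diagnostic that fetches the HTTP-01 challenge file over every A and AAAA record the name resolves to, so a failure that only affects the proxied IPv6 addresses, like the 403 described above, shows up per address family instead of looking like a generic renewal error. The domain, token, and fake resolver/fetcher used in the test are constructed; the resolver and fetcher arguments exist so the logic can be checked offline.

```python
import socket
import http.client
from typing import Callable, Dict, List, Tuple

# Constructed diagnostic helper: probe the ACME HTTP-01 path over each A and AAAA
# record the ACME server would see, and classify the per-family result pattern.
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve_all(domain: str) -> List[Tuple[int, str]]:
    """(family, address) pairs for the A and AAAA records the ACME server would see."""
    addrs = {(fam, sa[0]) for fam, _, _, _, sa in
             socket.getaddrinfo(domain, 80, type=socket.SOCK_STREAM)}
    return sorted(addrs)

def fetch_status(addr: str, domain: str, path: str, timeout: float = 5.0) -> int:
    """Plain HTTP GET to one IP (IPv6 literal OK) with Host set to the domain."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": domain, "User-Agent": "acme-path-check"})
        return conn.getresponse().status
    finally:
        conn.close()

def check_challenge(domain: str, token: str,
                    resolver: Callable[[str], List[Tuple[int, str]]] = resolve_all,
                    fetcher: Callable[[str, str, str], int] = fetch_status,
                    ) -> Dict[str, Dict[str, int]]:
    """HTTP status per address, grouped by family; 0 marks a connection-level failure."""
    results: Dict[str, Dict[str, int]] = {"ipv4": {}, "ipv6": {}}
    for fam, addr in resolver(domain):
        key = "ipv6" if fam == socket.AF_INET6 else "ipv4"
        try:
            results[key][addr] = fetcher(addr, domain, CHALLENGE_PATH + token)
        except OSError:
            results[key][addr] = 0
    return results

def diagnose(results: Dict[str, Dict[str, int]]) -> str:
    """Classify: 'ok', 'ipv6-only-failure', 'ipv4-only-failure', 'failing' or 'no-records'."""
    v4 = [s == 200 for s in results["ipv4"].values()]
    v6 = [s == 200 for s in results["ipv6"].values()]
    if not v4 and not v6:
        return "no-records"
    if all(v4) and all(v6):          # all() of an empty family is True: no records, no failure
        return "ok"
    if all(v4) and v6 and not any(v6):
        return "ipv6-only-failure"   # the pattern behind the Flexible SSL renewals above
    if all(v6) and v4 and not any(v4):
        return "ipv4-only-failure"
    return "failing"
```

Run `diagnose(check_challenge("your.domain", "<token>"))` while the challenge file is in place; with the proxy enabled, the AAAA answers are Cloudflare's, so a 403 there with 200 over IPv4 points at the proxy-to-origin path rather than at the web server itself.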
