Cloudflare & LetsEncrypt ACME Challenge Issue

LetsEncrypt ACME Challenge Issue

We use LetsEncrypt on our server and, as you’re probably aware, the way it validates that you have access to the domain is via a challenge: either DNS-01, HTTP-01 or TLS-ALPN-01.

We use the standard HTTP-01, which works by the server’s ACME client uploading an access token to /.well-known/acme-challenge/<TOKEN>.

The ACME client then notifies LetsEncrypt that the file is ready. LetsEncrypt tries to retrieve it (multiple times if need be) by accessing the following URL: http://DOMAIN.TLD/.well-known/acme-challenge/<TOKEN>. As you can see, it does this over HTTP; it does not work over HTTPS.

In Cloudflare, we want to have Always Use HTTPS enabled and this causes a problem with LetsEncrypt returning:

DNS DCV: No local authority: “DOMAIN.TLD”;
HTTP DCV: The system queried for a temporary file at “https://DOMAIN.TLD/.well-known/acme-challenge/XS8UFVVFINEWFSIT_7U-_SOHMASB8OUX”, which was redirected from “http://WEBSITE.TLD/.well-known/acme-challenge/ZS2UFDVFINEWFSIT_2A-_SO3MASA8EUZ”. The web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “WEBSITE.TLD” resolved to an IP address “104.21.50.190” that does not exist on this server.

That error is somewhat confusing because it looks like the issue is that the IP mismatches; however, that’s not true. The issue is that it’s redirecting from HTTP to HTTPS.

The Cloudflare Fix (That used to work!)

  1. Disable “Always Use HTTPS”
  2. Add Page Rule 1: “Always Online” with the URL: http://*WEBSITE.TLD/.well-known/acme-challenge/*
  3. Add Page Rule 2: “Always Use HTTPS” with the URL: http://*WEBSITE.TLD/*

Cloudflare worked out this solution with me via Tickets about 3 years ago and it’s worked perfectly for 3 years!

Cloudflare’s Recent Changes

In the last month or two Cloudflare made a change to the “Always Online” page rule, forcing you to only use domains with SSL/HTTPS.

As a result all of our domains that had this LetsEncrypt bypass working have had the Page Rule removed automatically.

It also appears that since I emailed Cloudflare yesterday another change has been made and now the “Always Online” page rule has been removed completely.

How to resolve this?

The only options I can think of to resolve this would be one of the following:

  1. Rollback the changes
  2. Allow the ability to add these two specific rules
  3. Add an option to Allow LetsEncrypt Certificates (Ignores/Overrides Cloudflares Certificates)
  4. Add an option to Allow LetsEncrypt Challenges (A 1 click option to automatically apply the logic of allowing this URL to be accessed over HTTP, but Cloudflare could probably make this more secure. Unfortunately LetsEncrypt doesn’t use a specific user agent or publish a list of IPs which isn’t helpful so I’m not sure how this could be done)

Temporarily toggling Cloudflare’s “Cloud” off or disabling “Always Use HTTPS” is not a solution; of course it works, but that’s not a viable solution to expect users to do over and over, every single time.

For Cloudflare’s Reference: “Re: [Cloudflare Support] 1734938 - Font Awesome Error 522 + LetsEncrypt Failures”
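As an added diagnostic (not part of the original post, and not Cloudflare or Let’s Encrypt tooling), the script below fetches the challenge URL the way an HTTP-01 validator does, following up to 10 redirects and recording every hop, so a redirect from HTTP to HTTPS that ends in a 404 is visible at a glance. `live_fetch` runs against a real domain; `cloudflare_edge` is a constructed model of the edge and origin described above (the domain, token, and rule behaviour are assumptions) so the two configurations can be compared offline.

```python
"""Trace the redirect chain an HTTP-01 validator would follow (added example)."""
import urllib.error
import urllib.parse
import urllib.request

MAX_REDIRECTS = 10          # Let's Encrypt follows at most 10 redirects
ACME_PATH = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)


def live_fetch(url):
    """Fetch one URL without following redirects -> (status, location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None     # surface 3xx as HTTPError instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""


def trace_challenge(domain, token, fetch=live_fetch):
    """Return (ok, hops); hops is [(url, status), ...] in the order a validator sees them."""
    url = f"http://{domain}{ACME_PATH}{token}"
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        hops.append((url, status))
        if status in REDIRECTS and location:
            url = urllib.parse.urljoin(url, location)
            continue
        # Body must be "<token>.<account thumbprint>"; checking the token prefix is enough here.
        return status == 200 and body.strip().startswith(token + "."), hops
    return False, hops      # more than 10 redirects: validation fails


def cloudflare_edge(always_https, acme_exception):
    """Constructed stand-in for the edge + origin in the thread: the origin has the
    token file on the HTTP vhost only; the edge redirects to HTTPS unless the path is exempt."""
    def fetch(url):
        p = urllib.parse.urlsplit(url)
        exempt = acme_exception and p.path.startswith(ACME_PATH)
        if p.scheme == "http" and always_https and not exempt:
            return 301, urllib.parse.urlunsplit(("https",) + tuple(p[1:])), ""
        if p.scheme == "http" and p.path.startswith(ACME_PATH):
            return 200, None, p.path.rsplit("/", 1)[1] + ".FAKE_THUMBPRINT"
        return 404, None, ""    # HTTPS vhost: file not there, as in the thread
    return fetch
```

Calling `trace_challenge("your.domain", "<token>")` with the default fetcher reproduces the validator’s view of a live domain, hop by hop.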

Hi Ryan.

Some months ago I had to switch my letsencrypt verification
from the webserver acme-challenge to the DNS challenge myself,
and this solution works perfectly with Cloudflare and an additional server behind it with letsencrypt.

What you have to add in the Cloudflare DNS entries are these two
DNS rows.

A CAA DNS entry for the subdomain on which you want to use the letsencrypt certificate.

CAA yourserversubdmainwithletsencrypt 0 issue letsencrypt.org

The TXT DNS verification text for the subdomain on which you want to use the letsencrypt certificate.

TXT _acme-challenge.yourserversubdmainwithletsencrypt XXXXXXXXXXXXX

This is the best working solution and I highly recommend you switch over from
webserver to DNS verification.

Care to explain where/what you are getting the XXXXX value from? If that’s the token, that won’t work… the token changes, does it not? I’d have to go and do it every single renewal?

If you are going to move to DNS-01 validation, you definitely want to automate it, although that is a discussion better suited for the Let’s Encrypt Community.

I use a rule to force requests to .well-known/acme-challenge/* to always be sent via HTTP. I have not encountered any issues. I don’t rely on Cloudflare to do any HTTP to HTTPS redirect, though. I handle that at the origin.

I don’t know that I can easily test your scenario right now with any of my current domains, as all of the not so serious candidates are all on Cloudflare Pages. I am interested in seeing how you work this out, though.


HTTP-01 validation will follow a redirect. While the RFC makes following the redirects optional, Let’s Encrypt will follow up to 10 redirects.

What ACME client are you using? What command are you using to run the client?

Do you have an existing certificate on the origin?

Do you only have one Origin?

What is your current SSL mode in Cloudflare (Flexible, Full or Strict)?

  1. AutoSSL with WHM/cPanel

  2. No Command, automatic

  3. Yes (by turning off Cloudflare’s “Always Use HTTPS”)

  4. Yes

  5. Full

Yes, that is the token letsencrypt tells you to write as a TXT record in your DNS configuration.
It’s 30 seconds of work.
You copy the token and paste it into the Cloudflare DNS page.

After this you tell letsencrypt to verify it.
When done, nothing more needs to be done, and after each certificate renewal you also
don’t need to change this token, as you are not asked to modify it.

So this is only 30 seconds of manual work and after this everything is renewed without additional extra work, aka updating the token in the DNS config.

The only time LetsEncrypt asks you to renew this token is when you buy a domain
and you want a letsencrypt certificate for this domain to run on the same IP address as the existing domains.

Then this is no longer a renewal of the certificate, where the tokens don’t need to be changed, but
an expansion of the certificate that adds an additional domain to an existing certificate to be run on the same IP address.

For such an expanding modification of a letsencrypt certificate you then need to update all DNS entries.

Luckily LetsEncrypt provides an automation tool for this to be done on Cloudflare.

If you really need to do such expanding and modifying of letsencrypt certificates then
the letsencrypt Cloudflare automation DNS update tool here can help you!

https://certbot-dns-cloudflare.readthedocs.io/en/stable/
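For the two DNS-01 replies above, this added example (not from the thread, and not certbot’s code) shows how the value placed in the `_acme-challenge.<name>` TXT record is derived under RFC 8555 section 8.4: base64url(SHA-256("<token>.<thumbprint>")), where <thumbprint> is the RFC 7638 thumbprint of the ACME account key, so the value is bound to both the account key and the token the CA issues for that particular challenge. The JWK and token below are constructed placeholders, not real key material.

```python
"""Derive the _acme-challenge TXT record value for DNS-01 (RFC 8555 section 8.4)."""
import base64
import hashlib
import json

# RFC 7638: only the required public members, in lexicographic order, no whitespace.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """The exact string RFC 7638 hashes; extra members such as 'alg' are dropped."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) of the ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Key authorization is "<token>.<thumbprint>"; DNS-01 publishes its SHA-256."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record(fqdn: str, token: str, account_jwk: dict) -> tuple:
    """(name, type, value) as you would enter it in the Cloudflare DNS page."""
    return (f"_acme-challenge.{fqdn}", "TXT", dns01_txt_value(token, account_jwk))


# Constructed sample inputs: not a real key, not a real token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "CONSTRUCTED-TOKEN-0123456789abcdef"
```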
