Error while renewing Certbot certificates with standalone plugin

Hi,
I’m trying to renew the certificates of my server using the Certbot standalone plugin (https://certbot.eff.org/docs/using.html#standalone). I’m using a pretty basic setup with only a single machine behind the Cloudflare proxy.

When I disable the Cloudflare proxy, the challenge is successful and the certificates are renewed. Otherwise, this is the kind of error I get (domain obfuscated):

Domain: example.com
Type:   unauthorized
Detail: Invalid response from
https://u15225622.ct.sendgrid.net/ls/click?upn=*random code here*
[2607:4701:3027::6g1c:11bd]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

This is strange.
Do you have any suggestions?
Thanks.

That is very strange. Is your domain using sendgrid for anything?

Actually yes, I’m using SendGrid for server mail notifications.
I’ve tried stopping postfix, and the error changed slightly:

Domain: www.example.com
Type:   unauthorized
Detail: Invalid response from
https://www.example.com/.well-known/acme-challenge/*code here*
[2607:4701:3027::6g1c:11bd]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

Do you have under attack mode enabled, or any additional page rules or security settings?

No, I don’t have under attack mode and I have not set up any rule.
I have set Full (strict) on the SSL/TLS encryption setting. I don’t think that’s the default.
Regarding anything else, I have pretty much the default settings.
Thank you.

In the SSL/TLS Edge Certificates section, do you have “Always Use HTTPS” enabled? If so, try turning it off. I’m reading through the Standalone documentation and it says it needs to bind to Port 80 (HTTP).

That was it!
I just performed a renewal with the --dry-run flag for multiple domains/subdomains and all went smoothly.
Good spot!
Thanks man.
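
A pre-flight check for the cause found in this thread, as an added example that is not part of the original posts: it requests the HTTP-01 challenge path over plain HTTP without following redirects and reports whether the edge answers with a redirect to HTTPS, which is what "Always Use HTTPS" produces. The function names, the challenge token and the local server standing in for the proxy edge are constructed for illustration; against a real site you would call `probe_http01("your.domain")` on port 80.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-test"  # constructed token

def probe_http01(host, port=80, path=CHALLENGE_PATH):
    """GET the challenge path over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def diagnose(status, location):
    """Classify what a validator starting on port 80 would run into."""
    if status in (301, 302, 307, 308) and location:
        return "redirected-to-https" if urlsplit(location).scheme == "https" else "redirected"
    return "served-over-http" if status == 200 else "unexpected-status"

def make_edge(always_use_https):
    """Constructed stand-in for the proxy edge, bound to an ephemeral localhost port."""
    class Edge(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"" if always_use_https else b"constructed-token.constructed-thumbprint"
            self.send_response(301 if always_use_https else 200)
            if always_use_https:  # same host and path, scheme switched to https
                self.send_header("Location", f"https://{self.headers['Host']}{self.path}")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep the demo quiet
    server = HTTPServer(("127.0.0.1", 0), Edge)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def check(always_use_https):
    """Run the probe against the simulated edge with the setting on or off."""
    server = make_edge(always_use_https)
    try:
        return diagnose(*probe_http01("127.0.0.1", server.server_address[1]))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("setting on:", check(True), "| setting off:", check(False))
```

A "redirected-to-https" result means the validator's request leaves port 80, where the standalone plugin is listening, before the challenge file is fetched.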
