Flexible SSL Certificate for thegourmettraveller.co.uk not automatically renewing

What is the name of the domain?

What is the issue you’re encountering?

Cloudflare has stopped automatically renewing the Universal SSL Certificate and asked us to manually add the required TXT records

What steps have you taken to resolve the issue?

I have not yet tried manually adding the requested TXT records as I want to determine what the cause of the fault is.

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

This domain has been with Cloudflare for over 3 years and has had Flexible SSL in operation since being set up. The Universal SSL Certificate has renewed automatically since the domain was first added to Cloudflare.

Looking at https://dash.cloudflare.com/0f6a7a9d5f0effe679873e8827bf4e3d/thegourmettraveller.co.uk/ssl-tls it says:

SSL/TLS encryption
Current encryption mode: Flexible
The encryption mode was last changed 3 years ago.
Automatic mode enabled 15 days ago.
Next automatic scan on: 12/27.
thegourmettraveller.co.uk is using automatic SSL/TLS
Your encryption mode is set to Cloudflare’s recommendation. Override this by switching to custom.

Looking at https://dash.cloudflare.com/0f6a7a9d5f0effe679873e8827bf4e3d/thegourmettraveller.co.uk/ssl-tls/edge-certificates, for the Active certificate it says that it expires on 2024-12-12, but for the pending SSL certificate it says:

Cloudflare will validate the certificate on your behalf. No action is required.
Certificate validation TXT name: _acme-challenge.thegourmettraveller.co.uk
Certificate validation TXT value: PRiy_M78_p_0WCzRQ_dU5CEhX-JGKWF4VHJFyFVMhzw
Certificate validation TXT name: _acme-challenge.thegourmettraveller.co.uk
Certificate validation TXT value: 8SDFY7ByERJtAXUvV06Y94KyPE45s2_WuFdptJYYq5g
Certificate Validity Period: 3 months
Certificate validation method: TXT
Certificate Authority: Google Trust Services

NB it says Cloudflare will validate the certificate on our behalf and we don’t need to do anything. I assume that this means that Cloudflare will actually add those TXT records automatically, complete the issuance of the new certificate with Google Trust Services, and then install the new certificates.

However, we have received an email that starts with the following wording:

“As part of the Cloudflare SSL certificate renewal process, we need you to re-approve the domain thegourmettraveller.co.uk so that we can re-issue SSL certificates for use on our network.”

It then proceeds to tell us to “Add the following TXT entries to your authoritative DNS provider” (which is of course Cloudflare), and then lists the same TXT records that are shown in the Cloudflare control panel.

So, why isn’t Cloudflare doing this automatically for us?

Make sure your origin is configured with a valid SSL certificate and use only “Full (strict)” or “Strict” SSL/TLS modes. Flexible means traffic between Cloudflare and your origin is not encrypted.

Assuming the domain is thegourmettraveller.co.uk and not the one at the top of the page (the forum follows redirects), your problem is that DNSSEC is enabled for your domain but you have not set the DS records generated by Cloudflare at your registrar. Either do that, or disable DNSSEC at the registrar…
https://cf.sjr.dev/tools/check?49b537bc9c8c430099938ffee9daa71b#dns

This will be why your SSL certificate is not renewing (and also your domain unreachable to anyone using a DNSSEC-validating DNS server).

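The chain-of-trust check behind this diagnosis can be reproduced offline. A DS record at the parent zone (set via the registrar) is a digest of one of the child zone's DNSKEY records; if the parent carries a DS that matches no current DNSKEY, validating resolvers treat the zone as bogus and return SERVFAIL, so the CA's own lookup of the `_acme-challenge` TXT record fails and the DNS-01 validation never completes. The script below is an added example, not code from any poster in this thread or from Cloudflare; it implements the DS digest and key tag computation from RFC 4034 and classifies a zone as secure, insecure (no DS, so the chain simply stops) or bogus (DS present but matching nothing). The zone name is the one from the thread, but the DNSKEY and DS values are constructed and are not Cloudflare's real key material.

```python
import base64
import hashlib

ZONE = "thegourmettraveller.co.uk."

# Constructed sample DNSKEY: flags 257 (KSK/SEP bit), protocol 3, algorithm 13
# (ECDSAP256SHA256). The public key bytes are a placeholder blob, not a real key.
SAMPLE_DNSKEY = {
    "flags": 257,
    "protocol": 3,
    "algorithm": 13,
    "public_key": base64.b64encode(bytes(range(1, 65))).decode(),
}

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by a zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return (
        key["flags"].to_bytes(2, "big")
        + bytes([key["protocol"], key["algorithm"]])
        + base64.b64decode(key["public_key"])
    )


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone: str, key: dict, digest_type: int = 2) -> dict:
    """Derive the DS record the registrar should publish for this DNSKEY:
    digest over (canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": key["algorithm"],
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches_dnskey(ds: dict, zone: str, key: dict) -> bool:
    """True if a DS seen at the parent was derived from this child DNSKEY."""
    expected = make_ds(zone, key, ds["digest_type"])
    return (ds["key_tag"], ds["algorithm"], ds["digest"].upper()) == (
        expected["key_tag"], expected["algorithm"], expected["digest"],
    )


def diagnose(zone: str, parent_ds_records: list, child_dnskeys: list) -> str:
    """Classify the delegation the way a validating resolver would.
    'insecure': no DS at the parent, chain stops, lookups still resolve.
    'secure':   at least one DS matches a current DNSKEY.
    'bogus':    DS present but stale/mismatched; validators SERVFAIL every lookup
                in the zone, including the CA's _acme-challenge TXT query."""
    if not parent_ds_records:
        return "insecure"
    for ds in parent_ds_records:
        if any(ds_matches_dnskey(ds, zone, key) for key in child_dnskeys):
            return "secure"
    return "bogus"


if __name__ == "__main__":
    good_ds = make_ds(ZONE, SAMPLE_DNSKEY)
    # A DS left over from a previous DNS provider (constructed, all-zero digest).
    stale_ds = dict(good_ds, digest="00" * 32)
    print("expected DS:", good_ds)
    print("no DS at registrar       ->", diagnose(ZONE, [], [SAMPLE_DNSKEY]))
    print("correct DS at registrar  ->", diagnose(ZONE, [good_ds], [SAMPLE_DNSKEY]))
    print("stale DS at registrar    ->", diagnose(ZONE, [stale_ds], [SAMPLE_DNSKEY]))
```

In practice you would feed `diagnose` the DS set fetched from the parent (`dig DS thegourmettraveller.co.uk @<parent-ns>`) and the DNSKEY set fetched from the zone's authoritative servers; a "bogus" result is the condition described in this reply, and the fix is either to publish the DS that `make_ds` derives from the provider's current DNSKEY or to remove the DS at the registrar entirely.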

Hi sjr,

Thanks for the reply which is greatly appreciated. Yes, the domain with the problem is thegourmettraveller.co.uk (which has a redirect set up on our webserver to a page on travelfox.co.uk).

I will get our Support team to check with the Registrar regarding the DNSSEC records that appear to have been set up, as DNSSEC is not enabled within our Cloudflare account for this domain.


Hi again sjr,

OK, our support team have sorted out the DNSSEC issue and I can see from https://cf.sjr.dev/tools/check?50ad75dbdc894e649384e6a5c7722bb5#dns-other that the TXT records created by Cloudflare are now visible!

Looking in the Control panel on Cloudflare I note that there does not appear to be a retry button or anything there that I can click on so I’m not sure if Cloudflare is supposed to automatically retry itself or not. I am therefore going to click the “certvalidate.cloudflare.com” link in the email to see if that completes the process.

And the new certificate has been issued.

Thanks again for your help sjr.

