How do you enter info for DNS challenge in cloudflare?

I have a server in my house, my ISP blocks port 80 so I have to do DNS challenge to get SSL to work. I got it to work before but I followed so many tutorials I have no idea which one worked or what I followed to make that ssl work. I got to the part where certbot says to enter info as a CNAME record like this screenshot shows:

And this is the screenshot for Cloudflare’s DNS where you add a CNAME

How do you add the info from screenshot 1 into cloudflare? Target is the IPv4 address

I can’t figure out how to enter this information with CNAME. I looked at my other sites dns records and that validation was done using TXT and that gave me a field for name and content as opposed to name and target.

This looks like it’s super easy if your ISP doesn’t block port 80, but since mine does, I just can’t figure out what I’m doing wrong with certbot and for the life of me I can’t even remember how I got the other ssl validated, but I clearly used a different method.

The “Name” field gets that _acme-challenge.yourdomain part, and the Target is that long string of numbers/letters with acme-dns

Oh, and set it to :grey: DNS Only (not :orange: Proxied).

Thank you for your fast reply. I tried that, but I messed something up. This is the string I was entering to do this:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/ --preferred-challenges -d * -d

The first time I ran this command it gave the above screenshot showing acme.challenge and all those numbers. When I ran it again, it never shows that info so I don’t know what it’s doing, it runs just the same but never presents the info, then when I hit enter it says that it found the string but it’s the wrong info. Does it change the numbers every time you run the command? But apparently I’ve run it too many times now and it says I’ve done too many requests and it refers to a rate limit page that I don’t understand because it says something about a limit of 300 and I certainly didn’t do that many tries.

Is there an easy way to get dns to verify? I find certbot to be a pain. Is certbot only tied to letsencrypt? I don’t care who I get it from, who is the easiest to just get to work being able to verify dns records with a simple command? This seems unnecessarily difficult.

I’ve not had tremendous success trying to wiggle my way around Let’s Encrypt to manually provision a certificate. So I use Cloudflare origin certs instead. They’re just as good for a :orange: Proxied hostname:

Thank you, I followed that guide and I now have the PEM file and the Key file on the server, but now I don’t know how to validate the DNS record, there are no instructions for that and when I try to go to my site I get an error 526; Invalid SSL cert. But it never did the confirmation to make sure I’m in control of the server which is probably why it is invalid. How do I have it do a verification on my dns records to see I have control since my ISP blocks port 80? Do I run some command and copy a string somewhere? I think that’s how I got it to work before. Maybe I’ll go back to the network chuck videos, I know it was on one of those, I think it was for a load balancer. This stuff is so difficult at first, there’s just so much information and I have no real guides since I’m just learning as I go. What makes this so hard are there are a thousand steps and within those steps something never works and I have to branch out on 5 more tutorials to fix something that didn’t work in a previous tutorial, now that I have this complete I have to find yet another tutorial, then I can go back to the original tutorial and continue. It’s very very frustrating.

You shouldn’t need to verify anything. The origin certificate is standalone for a hostname that’s set to :orange: Proxied. Cloudflare will accept it for a Full (Strict) connection.

If you test against the origin, you should see the Cloudflare origin certificate as not accepted by the browser.

Thank you for the help. I’m confused with all of this. I followed the directions on that link I provided above, I get the 526 error saying invalid SSL. The site I want to get working is The SSL that is functioning properly is a wildcard SSL and that is installed and functioning on my other site I don’t want the new site to look like, I want it to have its own domain

I paused cloudflare and went to an ssl checking site to see what the ssl shows. The one I created for shows the wrong domain under “SANs” it shows - Is this why it’s coming back as invalid? Are we only allowed to use one SSL tied into a domain or did I do something wrong? I typed in the new domain when creating that cert and key. Am I not able to have a wildcard SSL for one domain and a regular SSL for another without paying? Is that what’s happening?

Either your hosting is goofed up, or you uploaded the incorrect cert. You can delete and regenerate to try again.

You can also paste it here to check to see if it matches:

I’m sure the hosting is goofed up since I set everything up. The problem area is certainly isolated somewhere between the chair and the keyboard that’s for sure. I sent an email to [email protected] I need to walk away from this or two monitors and a tower are going to get thrown against a wall…

I used that decoder link. When I take the text I put on the server that was generated by cloudflare I get this:

I can clearly see cloudflare and the correct domain listed there.

However if I use that exact same site to check the ssl on the server I get this screen

The issuer and serial numbers do not match. This has to be a configuration issue on my side. I tried using certbot to get an SSL before and it failed. I checked my conf file for the site and the ssl cert and key are pointing at the certs I just made from cloudflare, not from letsencrypt. If I completely remove the letsencrypt directory will it fix this? Why is it trying to use letsencrypt? Is there a config file somewhere? Is the website.conf file the only place within apache that you tell it where the ssl files are?

This looks configured correctly right?

I don’t understand why it’s trying to use letsencrypt unless certbot did stuff in the background before it failed so it’s always looking in a particular place for the cert and key…

Cloudflare also uses Let’s Encrypt, so that would be the certificate on the proxy.

But it looks like your origin cert now matches the domain name.

So it’s not a config issue on my end that was caused by the failure of certbot when I was attempting to get an ssl through them? The reason I find this so extremely confusing, is I already have a functioning SSL on my one site and that cert shows it is issued by Cloudflare not Letsencrypt.

But if I look at the certificate in the browser on the one that gets the “invalid ssl” error shows “Verified by letsencrypt” and doesn’t mention cloudflare at all.

And if you click on View Certificate it brings up a screen where you can download the Cert (PEM) so I did that and plugged it into that SSL decoder and it comes back as letsencrypt with a serial number that does not match what the cert generated by cloudflare produced.

Is this a configuration issue on my end with letsencrypt? My functioning website certs don’t mention them, the one that’s giving invalid SSL mentions them and I attempted with them and failed. Are you sure this is not certbot messing things up and a config file is pointing to the wrong spot for these files?
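The mismatch discussed in this thread (the serial and issuer of the certificate the browser sees differing from the Cloudflare origin certificate on disk) can be checked directly. The script below is an added example, not from the thread or from Cloudflare; the file paths, origin IP and hostname in the usage line are placeholders, and it assumes `openssl` is installed and Apache's configuration lives under /etc/apache2.

```shell
#!/bin/sh
# Added example: confirm which certificate the origin really serves and
# where Apache is told to look for certificate files.

# SHA-256 fingerprint of a PEM certificate on disk.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Issuer, serial and SANs of a PEM file: the fields compared in the thread.
cert_summary() {
  openssl x509 -in "$1" -noout -issuer -serial
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | tr '\n' ' '; echo
}

# Fingerprint of the certificate the origin actually presents. Connect to the
# origin's own IP, not the Cloudflare edge, so the proxy's Let's Encrypt cert
# is not what you see; $2 is the hostname sent as SNI. Needs network access.
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Every SSLCertificateFile / SSLCertificateKeyFile directive under an Apache
# config root (commented-out lines excluded), to spot stale certbot paths.
list_apache_cert_paths() {
  grep -rE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]' "$1" 2>/dev/null || true
}

# Returns 0 when the on-disk cert's fingerprint equals the one given.
certs_match() {
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Usage: sh check_origin_cert.sh /etc/ssl/cf-origin.pem ORIGIN_IP example.com
# (placeholder path, IP and hostname; substitute your own)
if [ "$#" -eq 3 ]; then
  echo "on disk:"; cert_summary "$1"
  served=$(served_fingerprint "$2" "$3")
  if certs_match "$1" "$served"; then
    echo "origin serves the on-disk certificate"
  else
    echo "MISMATCH: origin serves $served"
    echo "certificate directives Apache knows about:"
    list_apache_cert_paths /etc/apache2
  fi
fi
```

If the fingerprints differ, the path listing shows every vhost file still pointing at a certificate, including any certbot left behind, which is the first place to look.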
