Incorrect DNS A/AAAA record(s)

I’m attempting to set up certbot, and when using the $ certbot certonly -d example.com command it says "To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address." I looked into it, and I may be incorrect as I am very new to this, but the IPv4 addresses on your DNS page are not the ones that are on your device; they are what your IP becomes after it has been proxied (if I am wrong, I know my issue). But I don’t know why or how my IPs would be incorrect other than that. Please help.

As a proxy server, Cloudflare doesn’t allow direct access to your IP addresses. Visitors are proxied through Cloudflare’s IP addresses first.

I know @floripare uses certbot and probably knows the correct flags to get this to work.

Hmm… no, I don’t. All my Let's Encrypt certs are renewed by SiteGround automatically, so perhaps they use certbot, but I’ve never used it directly on a command-line interface.

If that helps, here’s the Cloudflare/origin server configuration that I have set in order to allow SG’s bot to work:

On Cloudflare:

Always Use HTTPS: OFF

If the domain or the cert location is under Cloudflare Access/Teams protection, you should also add a bypass there.

Also, if you have a Firewall Rule that applies broadly (to many countries, to ASNs not in a list, etc.), you should add an exception for the cert location URL.

At the origin server’s .htaccess/config file:

An exception for the location of the certificate challenge file is added to the redirect-to-HTTPS/canonical block:

<IfModule mod_rewrite.c>
RewriteEngine On
# Skip the redirect for the ACME challenge file so the validation request
# is answered as-is. %{REQUEST_URI} is the request path; %{REQUEST_FILENAME}
# would be the filesystem path and would never match a pattern anchored
# at "/.well-known/...".
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/sg-hosted$
# Redirect when the request is plain HTTP (directly, or as seen by the
# proxy in X-Forwarded-Proto) or when it arrives on the bare (non-www) host.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} !https [OR]
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</IfModule>

I hope that helps somehow.
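The earlier reply explains why the A/AAAA records of a proxied domain show Cloudflare's addresses rather than the origin's. As an added example (not code from any poster in this thread), a small Python check that classifies the addresses a domain resolves to against the origin's real address; the Cloudflare ranges below are an illustrative subset and should be refreshed from Cloudflare's published list before being relied on, and the record values are constructed.

```python
import ipaddress

# Illustrative subset of Cloudflare's published IPv4/IPv6 anycast ranges
# (assumption: refresh from Cloudflare's official list before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "104.16.0.0/13", "104.24.0.0/14", "108.162.192.0/18",
    "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32",
)]

ADVICE = {
    "proxied": "DNS points at Cloudflare's edge, not the origin. HTTP-01 validation "
               "reaches the origin through the proxy, so the origin must serve "
               "/.well-known/acme-challenge/ over plain HTTP (keep the rewrite "
               "exception), or switch to the DNS-01 challenge.",
    "direct": "DNS points straight at the origin; certbot can reach it directly.",
    "mismatch": "Records point somewhere that is neither Cloudflare nor this origin; "
                "check the A/AAAA records.",
    "no-records": "The name has no A/AAAA records; add one before requesting a cert.",
}


def is_cloudflare(addr):
    """True if addr falls inside one of the listed Cloudflare ranges."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False across IP versions, so v4/v6 mixing is safe here.
    return any(ip in net for net in CLOUDFLARE_RANGES)


def classify_records(records, origin_ip):
    """records: A/AAAA values the domain resolves to; origin_ip: the server's
    real address. Returns one of the ADVICE keys."""
    if not records:
        return "no-records"
    if all(is_cloudflare(r) for r in records):
        return "proxied"
    origin = ipaddress.ip_address(origin_ip)
    if all(ipaddress.ip_address(r) == origin for r in records):
        return "direct"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: a proxied record set seen from an origin at 203.0.113.10.
    status = classify_records(["104.16.1.1", "2606:4700::1"], "203.0.113.10")
    print(status, "-", ADVICE[status])
```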


Darn it. Someone was using Certbot during my Qualys SSL test. Maybe it was @michael.


Not guilty either.

I do not believe that ACME has a requirement to connect to your server over HTTP; following a redirect is supported by the protocol (see https://letsencrypt.org/docs/challenge-types/).

Ah, it was your post about using acme.sh
