Issues with Letsencrypt and DNS verification

I have docker services running on my host at home and I have subdomains configured for each service. I have nginx and letsencrypt configured as a reverse proxy for most of these services. My problem is that when I transitioned over to DNS verification and a wildcard subdomain I started getting intermittent connection issues. On some browsers I connect fine. On others I don’t, and I get a 522 “host error” from Cloudflare. Normally I would see this if the docker container wasn’t online. But it is online and, as I mentioned earlier, the results are intermittent: it works sometimes but not other times. So I am starting to think that this is a Cloudflare issue and I don’t know where to begin troubleshooting here. All I know is that if I revert back to http domain verification EVERYTHING works fine again and the intermittent issue is gone. Something tells me that DNS domain verification is causing some problems. Has anyone had similar issues?

v/r
BrunoV

Greetings,

Thank you for asking.

DNS TXT verification or web root?

Hm, if I understand correctly, I could suggest you try the below.

When it’s time to renew them you can try to disable Always Use HTTPS.

Or else, you would have to:

a)
Take one day, late in the evening/night, and temporarily switch the DNS records at Cloudflare from :orange: to :grey: (DNS-only) - remember which ones you did, wait for a few minutes, then start the process of renewing the SSL certificate. Upon success, switch them back.

b)

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected over HTTPS without any error
  4. Check with your hosting provider / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and renew it
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict) → Why you should choose Full Strict, and only Full Strict

Before moving to Cloudflare, was your Website working over HTTPS connection?
Is the SSL certificate still a valid one?
May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

Regarding 522 error, may I suggest below article:

Furthermore, kindly double-check that Cloudflare is allowed to connect to your origin host, as described in the article below - your firewall, etc.:

Nevertheless, Cloudflare IP addresses list can be found here:

Before moving to Cloudflare, was your Website working over HTTPS connection?
Is the SSL certificate still a valid one?

My site was working with HTTPS on Cloudflare before. I used HTTP as the method of subdomain verification. Now I have switched to DNS verification using Cloudflare’s API key and a wildcard subdomain. Since then I have been having intermittent issues where sometimes I am able to access my site and other times I cannot. I know the service is working fine because I can check it from the back end. The thing is, when I revert back to HTTP verification everything starts working again. So I am trying to figure out why I keep getting 522 errors when I use DNS verification.

May I ask which level the sub-domain is?
Is the sub-domain like sub.example.com or www.sub.example.com?

It is sub.example.com.

Just wanted to bump this topic here. I am still having intermittent issues. My phone loads the subdomain just fine but my desktop gives me a 522 error. Why is this inconsistent?

Hello, I’ve looked at and tried the two suggestions above. Those suggestions didn’t work. I am still having intermittent 522 error issues for my subdomain. Are there any logs I can look at on Cloudflare to get a better idea of what’s going on?

Is anyone familiar with my problem?

Ok so I did an experiment. I think I know why the 522 is intermittent. That’s because the web requests are going to port 80. In an attempt to minimize the number of ports open on my firewall I’ve closed port 80, since all web requests should be going to port 443. Because I am entering subdomain.example.com instead of https://subdomain.example.com it keeps timing out. Is there a way to have it where any web request on the subdomain automatically goes to 443?
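The usual way to get every plain-HTTP request onto 443 at the origin is an nginx port-80 server block that only redirects. This is an added example, not configuration from anyone in this thread; the certificate paths, the upstream address 127.0.0.1:8080 and sub.example.com are placeholders. Note the caveat in the comments: a redirect served by nginx cannot help while port 80 is closed at the firewall, because the request never reaches nginx.

```nginx
# Added example (not from the thread). Assumes nginx is the reverse proxy in
# front of the Docker services, the wildcard certificate obtained via DNS-01
# lives at the paths below, and the container listens on 127.0.0.1:8080.

# Port 80: never serve the app here; send every plain-HTTP request to HTTPS.
# This only works if port 80 is reachable. With port 80 closed at the firewall,
# a request to http://sub.example.com times out before nginx sees it, which is
# the intermittent 522 described above. In that case either do the redirect at
# the Cloudflare edge (Always Use HTTPS) or open port 80 to Cloudflare's IP
# ranges only.
server {
    listen 80;
    listen [::]:80;
    server_name sub.example.com;

    # Only needed if you go back to HTTP-01 validation: the ACME challenge is
    # fetched over port 80 (it follows redirects to https:, but the first hop
    # on port 80 must answer).
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the wildcard certificate from DNS-01 covers *.example.com, so each
# subdomain's server block can point at the same certificate files.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` after adding it and check from outside with both http:// and https:// URLs; with DNS-01 validation the ACME location block can be dropped entirely.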

I’m not sure I follow - how does DNS verification require an HTTP request?

In the event you’re using HTTP verification, it has to go over 80.

I’d just use a Cloudflare Origin certificate that lasts for 15 years on your host and call it a day.

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
