Let's Encrypt Acme Challenge problem

Here is what Let’s Encrypt says. I replaced my domain with example.com.

Domain: www.example.com
Type: connection
Detail: Fetching
http://www.example.com/.well-known/acme-challenge/5p-ZG302PE6PSdYZlkCbwad9dY6phT1j_oa-1ZvEeKA:
Timeout during connect (likely firewall problem)

Domain: example.com
Type: connection
Detail: Fetching
https://www.example.com/.well-known/acme-challenge/bzzpQRA0TxtM1OizthsV-jVvaxV9t-cThSyfDO4mXMA:
Timeout during connect (likely firewall problem)

I wrote a Cloudflare worker that confirms that both of these requests succeeded so I’m scratching my head wondering why Let’s Encrypt is saying they were blocked. The only thing I can think of is that Cloudflare is messing up the response body.

By the way, the first request was met with a 301 redirect to https due to it being sent over an unencrypted connection. The second request would also have been redirected if it had been sent to the root domain, but it appears it was sent to the www subdomain, which is correct.

Maybe this is a Let’s Encrypt problem not a Cloudflare problem but I thought I’d come here first. Let’s Encrypt works when Cloudflare is paused but I don’t want to have to manually renew all my certs every 60 days.

Sometimes this is because Let’s Encrypt is trying to validate over Port 80, but if “Always Use HTTPS” is enabled, it redirects to 443, which Let’s Encrypt doesn’t like. Try disabling “Always Use HTTPS” to see if that works.

I already had Always Use HTTPS disabled because it interferes with Cloudflare Workers. Instead I have two redirect page rules that both 301 to https://www.example.com/$1, which does the same thing without interfering with Cloudflare Workers.

I don’t think that redirecting to HTTPS is the problem because Let’s Encrypt surely can handle HTTPS.

In case you have your own Let’s Encrypt SSL certificate generated at your host/origin (via acme or Certbot or any other method), may I ask whether you have tried setting your domain’s A records (www and yourdomain.com) to :grey: cloud and then running the Let’s Encrypt certificate renewal process? If that succeeds, switch back to :orange: to make sure the domain is being proxied via Cloudflare.

I just wonder, can it be done with a script, like using the Cloudflare API to do it automatically rather than two or three mouse clicks in the Cloudflare dashboard, run via a cronjob or some other way, so that certificates are renewed before they expire?
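One way to script the grey-cloud, renew, orange-cloud sequence asked about above, as an added example that is not code from any poster in this thread: it uses the documented Cloudflare v4 DNS-record list and update endpoints, the zone id, API token, hostnames and renewal command are caller-supplied placeholders, and the HTTP transport is injectable so the logic can be exercised without network access.

```python
"""Grey-cloud hostnames, run a renewal command, then restore the proxy state.

Constructed example for the thread above. Only two Cloudflare v4 endpoints are used:
GET /zones/{zone}/dns_records?name=<host> and PATCH /zones/{zone}/dns_records/{id}.
"""
import json
import subprocess
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_request(token, method, path, body=None):
    """Default transport: one authenticated call against the Cloudflare v4 API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def set_proxied(zone_id, hostnames, proxied, token, http=cf_request):
    """Set the 'proxied' flag on the A/AAAA records of each hostname.

    Returns {hostname: previous_proxied_state} so the caller can restore it later.
    Non-address records (TXT, MX, ...) are left untouched.
    """
    previous = {}
    for host in hostnames:
        listing = http(token, "GET", f"/zones/{zone_id}/dns_records?name={host}")
        for rec in listing["result"]:
            if rec["type"] not in ("A", "AAAA"):
                continue
            previous.setdefault(host, rec["proxied"])
            if rec["proxied"] != proxied:  # only call PATCH when a change is needed
                http(token, "PATCH", f"/zones/{zone_id}/dns_records/{rec['id']}",
                     {"proxied": proxied})
    return previous


def renew_with_grey_cloud(zone_id, hostnames, token, renew_cmd,
                          http=cf_request, run=subprocess.run):
    """Unproxy, run the renewal (e.g. ['certbot', 'renew']), restore, return its exit code.

    The restore sits in a finally block so a failed renewal never leaves the site
    exposed with Cloudflare bypassed.
    """
    before = set_proxied(zone_id, hostnames, False, token, http)
    try:
        return run(renew_cmd, check=False).returncode
    finally:
        for host, was_proxied in before.items():
            set_proxied(zone_id, [host], was_proxied, token, http)
```

Use an API token scoped to DNS:Edit on that single zone rather than the global API key, and wait for the unproxied record to be visible in DNS (the record's own TTL applies once the orange cloud is off) before the renewal command runs, or Let's Encrypt may still connect to the proxy.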

I had enough struggles in the past with Let’s Encrypt when behind Cloudflare that I often just used a Cloudflare Origin Cert. Though I currently have DNS-01 working with the Cloudflare API, so I rarely use the origin cert these days.


Do Cloudflare certs work when the Cloudflare proxy is paused?

No, that would be “direct access” as explained in the article’s warning section.
