Let's Encrypt ACME challenge with Cloudflare

This issue seems to crop up repeatedly, but I have yet to see a concrete answer and cannot get this to work for me. When I check the SSL status for my sites in cPanel all of them are fine with the exception of three that are all on Cloudflare, which all fail the auto SSL renewal for mail.

After looking around on the forum and elsewhere I have set a page rule like the attachment here:


This should allow communication from the origin server and stop the certificate renewal from being blocked.

Elsewhere I saw mention of adding DNS TXT entries, which I have also done and applied the code that appears in cPanel.


Does anybody know the way to fix this problem so it goes away and works normally? It makes me wonder about the security of the email on these domains.

I am using HSTS if that makes any difference. SSL is set to Full (Strict) here on Cloudflare.

Which challenge are you doing? The HTTP or DNS?

In cPanel it says:

“The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://example.net/.well-known/acme-challenge/longcode” because of an error: Could not connect to ‘mail.example:80’: No route to host. The domain “example.net” resolved to an IP address “example IP” that does not exist on this server.”

Looks like an http challenge.

That may cause issues when set to :orange: in Cloudflare as it does not return the IP it expects. You would probably either need to have the challenge on a :grey: hostname or use the DNS verification.

I’ve just had a thought on what could be going wrong here. My email goes through a different IP from the server. My web host uses SpamExperts for email. It’s all worked fine for SPF, DKIM and DMARC in the DNS settings though. Mail is grey-clouded in the DNS settings.

You’ll need to disable HSTS and Always Use HTTPS in your CF dashboard.
A page rule like below should then work.

LE-Page-Rule

Alternatively perform the DNS challenge, as the HTTP challenge needs port 80 open.

The email is used for expiration reminders and to prevent abuse. It doesn’t affect the ACME process.

I cannot realistically turn off HSTS because nobody could then reach my sites. They are all on the HSTS preload list. It may be a dumb question, but how do I perform the DNS challenge?

I haven’t used LE with cPanel but it seems like you need to request a wildcard certificate for it to do the DNS challenge.
https://letsencrypt-for-cpanel.com/docs/for-users/wildcards/

If you’re on a HSTS preload list, disabling it on CF shouldn’t affect anything.

OK thank you, I’ll look into this further. I just tried issuing a wildcard SSL in cPanel and it has this problem once again tied to the ACME challenge. If I include a TXT record at Cloudflare it is declared incorrect, and if I delete it the message says none was found. I am guessing the new issue of an SSL certificate changes the TXT verification code, so I end up going round in circles.
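The two failure modes discussed in this thread (an HTTP-01 check that lands on the proxy edge or gets redirected, and a DNS-01 TXT record that no longer matches) can be checked before asking the CA to validate. The script below is an added example written for this thread, not code from cPanel, Cloudflare or Let's Encrypt. It takes the resolver, HTTP fetcher and TXT lookup as function arguments so it runs offline against constructed data (the hostnames, IPs and key authorization are made up); pass real `socket`/`urllib`/DNS calls to check a live host. The DNS-01 value is computed exactly as RFC 8555 section 8.4 specifies, which also shows why a TXT record copied from a previous attempt is rejected: the token is freshly generated for every order, so the expected value changes each time you re-issue.

```python
"""Pre-flight checks for ACME HTTP-01 and DNS-01 behind a CDN/proxy (added example)."""
import base64
import hashlib
from typing import Callable, Dict, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 s8.4: TXT value is base64url(SHA-256(key_authorization)) without padding.
    key_authorization = "<token>.<account key thumbprint>"; the token is new per order."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def diagnose_http01(hostname: str, origin_ips: List[str], key_authorization: str,
                    resolve: Callable[[str], List[str]],
                    fetch: Callable[[str], Tuple[int, Dict[str, str], str]]) -> Tuple[bool, List[str]]:
    """Check what a validator (or cPanel's own pre-check) would see over plain HTTP.
    resolve(host) -> IPs; fetch(url) -> (status, headers, body) with redirects NOT followed."""
    findings = []
    token = key_authorization.split(".", 1)[0]
    resolved = resolve(hostname)
    if not set(resolved) & set(origin_ips):
        # This is the "resolved to an IP address that does not exist on this server" case:
        # an orange-clouded record answers with the proxy edge, not the origin.
        findings.append(f"{hostname} resolves to {resolved}, not the origin {origin_ips}; "
                        "the request reaches the proxy edge rather than this server")
    status, headers, body = fetch(f"http://{hostname}{ACME_PATH}{token}")
    if status in (301, 302, 307, 308):
        findings.append(f"challenge URL is redirected ({status} -> {headers.get('Location', '?')}); "
                        "exempt the ACME path from any HTTP-to-HTTPS redirect rule")
    elif status != 200:
        findings.append(f"challenge URL returned HTTP {status}, expected 200")
    elif body.strip() != key_authorization:
        findings.append("challenge body does not match the key authorization")
    return (not findings, findings)


def diagnose_dns01(hostname: str, key_authorization: str,
                   lookup_txt: Callable[[str], List[str]]) -> Tuple[bool, List[str]]:
    """Compare the published TXT record with the value this order expects."""
    name = f"_acme-challenge.{hostname}"
    expected = dns01_txt_value(key_authorization)
    records = lookup_txt(name)
    if not records:
        return False, [f"no TXT record found at {name}"]
    if expected in records:
        return True, []
    return False, [f"TXT at {name} is {records}, expected {expected}; "
                   "the token changes with every new order, so re-read it from the ACME client"]


# --- Constructed sample data (not real hosts, IPs or tokens) ---
ORIGIN = ["203.0.113.10"]                       # the cPanel server
KEY_AUTH = "tokenABC123.thumbprintXYZ789"       # constructed key authorization


def fake_resolve(host: str) -> List[str]:
    return {"www.example.net": ["198.51.100.1"],   # proxied: answers with an edge IP
            "mail.example.net": ["203.0.113.10"]}.get(host, [])   # grey-clouded


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    if url.startswith("http://www.example.net"):   # "Always Use HTTPS" style redirect
        return 301, {"Location": url.replace("http://", "https://", 1)}, ""
    return 200, {}, KEY_AUTH


def fake_txt(name: str) -> List[str]:
    # A record left over from a previous order: valid then, wrong now.
    return {"_acme-challenge.www.example.net": ["stale-value-from-last-attempt"]}.get(name, [])


if __name__ == "__main__":
    for host in ("www.example.net", "mail.example.net"):
        ok, notes = diagnose_http01(host, ORIGIN, KEY_AUTH, fake_resolve, fake_fetch)
        print(f"HTTP-01 {host}: {'OK' if ok else 'FAIL'}", *notes, sep="\n  ")
    ok, notes = diagnose_dns01("www.example.net", KEY_AUTH, fake_txt)
    print(f"DNS-01 www.example.net: {'OK' if ok else 'FAIL'}", *notes, sep="\n  ")
    print("TXT value this order expects:", dns01_txt_value(KEY_AUTH))
```

For a live check, `resolve` can be `lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, 80)]` and `fetch` a `urllib.request` call with a redirect-disabling handler; the DNS-01 branch needs a resolver that returns TXT strings for the `_acme-challenge` name. Note that the value printed by the cPanel interface is the one to publish; a value from an earlier order will always be reported as incorrect.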
