Let's Encrypt on Server Side could not renew

My site went down a few days ago and I had to disable the orange clouds for my domain and wildcard and then switch to development mode so Siteground could install a new SSL certificate.

This has never happened before but they are telling me that it does not support IPv6 and IP masking. Cloudflare does not offer masking and IPv6 has been disabled for 2 months (as per the screenshot I just sent them).

They suggested I either purchase an outside certificate (?) or settle for having to go through this same process of downtime every month. This rings hollow to me and I shouldn’t have to go out and purchase a pricey certificate because something that worked just fine no longer does on their end.

Can someone provide me some clarity? I’ve never heard of this issue with Let’s Encrypt and Cloudflare.

In your SSL/TLS section for Edge Certificates, do you have Always Use HTTPS turned on?

I find that two things stop Let’s Encrypt from working:

  1. My server blocks access to anything starting with a . (such as the .well-known directory Let’s Encrypt uses for the server).
  2. Always Use HTTPS doesn’t let Let’s Encrypt’s HTTP requests through to the server.

p.s. When I get tired of dealing with this, I install an Origin Certificate on the server and be done with it.

I already have an origin certificate that I created and added to Siteground back in February. This is my point. Here is Siteground’s response to the issue: (Notice the part where they say I have an AAAA record in my DNS when I do not).

That’s not correct, unfortunately. When you enable their CDN (the cloud icon next to the DNS record) from their DNS manager, that also enables IP Masking. It will simply present a CloudFlare IP instead of the server IP.

Please check the following DNS results:

partyfavorz.com. 172800 IN NS anahi.ns.cloudflare.com.
partyfavorz.com. 172800 IN NS wilson.ns.cloudflare.com.

partyfavorz.com. 300 IN A 104.26.4.75
partyfavorz.com. 300 IN A 104.26.5.75

Your account’s IP is not shown anywhere. Additionally, when Let’s Encrypt tries to verify the domain, it will also look for AAAA records and give them a higher priority. When you query the CloudFlare name servers you are using for AAAA records and your domain, the following is shown:

└─▪dig -t AAAA partyfavorz.com +short
2606:4700:20::681a:54b
2606:4700:20::681a:44b

That simply makes the verification fail and causes the issue. Unfortunately, there is nothing more to add to the case as we already provided all the available options.

If you want to continue to use CloudFlare and their CDN and would like to use the Let’s Encrypt SSL we provide, you will have to manually renew it every single time.

Alternatively, you can either purchase a Premium Wildcard SSL certificate or install an alternative certificate on your account.

If you require assistance in the future, please don’t hesitate to open a new support ticket.

Kind Regards,

Arto Simonyan
Senior Technical Support
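The replies above name three separate reasons an HTTP-01 renewal can fail behind Cloudflare: an AAAA record that the validator tries first (Siteground's point), an HTTPS redirect on the challenge URL (Always Use HTTPS), and a server rule that blocks dotfile paths such as /.well-known. The script below is an added example, not code from either participant or from Siteground or Cloudflare. It turns those three checks into a small diagnostic: it parses `dig +short` output, probes the challenge path over plain HTTP without following redirects, and classifies what it sees. The function names, the finding codes, and the constructed probe result in the demo are my own; the only real values are the AAAA addresses quoted in the support reply above.

```python
"""Diagnose common Let's Encrypt HTTP-01 failures behind a CDN (added example)."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class ProbeResult:
    status: int                      # status returned for the plain-HTTP probe
    location: Optional[str] = None   # Location header if the server redirected


def parse_dig_short(output: str) -> List[str]:
    """Turn `dig +short` output into a list of addresses, dropping blank lines."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def diagnose(a_records: List[str], aaaa_records: List[str],
             probe: ProbeResult) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for the three failure causes discussed."""
    findings: List[Tuple[str, str]] = []
    if not a_records and not aaaa_records:
        findings.append(("NO_ADDRESS", "domain has no A or AAAA record; nothing to validate"))
    if aaaa_records:
        findings.append(("AAAA_PRESENT",
                         "an AAAA record exists; the validator will try IPv6 first, "
                         "so the IPv6 path must reach the same origin content"))
    redirect_codes = {301, 302, 307, 308}
    if probe.status in redirect_codes and (probe.location or "").lower().startswith("https://"):
        findings.append(("HTTPS_REDIRECT",
                         "challenge URL redirects to HTTPS; exempt " + ACME_PATH +
                         " from Always Use HTTPS / server redirects"))
    elif probe.status in (403, 404):
        findings.append(("PATH_BLOCKED",
                         "challenge path returned %d; check rules that deny dotfile "
                         "paths such as /.well-known" % probe.status))
    elif probe.status == 200:
        findings.append(("OK", "challenge path is reachable over plain HTTP"))
    else:
        findings.append(("UNEXPECTED", "unexpected status %d on challenge path" % probe.status))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can see the 3xx ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_challenge_url(domain: str, token: str = "probe-token",
                        timeout: float = 10.0) -> ProbeResult:
    """Fetch http://<domain>/.well-known/acme-challenge/<token> without redirects."""
    url = "http://%s%s%s" % (domain, ACME_PATH, token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
        return ProbeResult(err.code, err.headers.get("Location"))


def demo() -> List[Tuple[str, str]]:
    """Offline walk-through using the AAAA output quoted in the thread and a
    constructed 301-to-HTTPS probe result (the Always Use HTTPS case)."""
    a = ["104.26.4.75", "104.26.5.75"]                     # A records quoted above
    aaaa = parse_dig_short("2606:4700:20::681a:54b\n2606:4700:20::681a:44b\n")
    probe = ProbeResult(301, "https://example.invalid" + ACME_PATH + "probe-token")  # constructed
    return diagnose(a, aaaa, probe)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: python3 diag.py <domain>  (A/AAAA lists still come from your dig output)
        result = probe_challenge_url(sys.argv[1])
        print(result)
    for code, text in demo():
        print(code, "-", text)
```

In live use, run `dig +short A <domain>` and `dig +short AAAA <domain>`, feed the outputs through `parse_dig_short`, and pass the `probe_challenge_url` result to `diagnose`; a `HTTPS_REDIRECT` finding is the signature of the Always Use HTTPS problem described above, and `AAAA_PRESENT` tells you that Cloudflare is still publishing IPv6 addresses at the edge regardless of what the origin host believes.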

I guess that’s it then. I turned off the https always on as you suggested. If the issue occurs again next month, I’ll have no choice but to drop Cloudflare because I’m not going to play this cat and mouse game going back and forth every month - especially when this hasn’t been an issue for 4 months until magically all of a sudden.

This topic was automatically closed after 30 days. New replies are no longer allowed.