Renewing Letsencrypt certificate does not work with Cloudflare proxied on

I have set up Letsencrypt in a way that it automatically renews my certificate. I found out today that the renewal of my certificates was not possible. After I did some research I found out that the problem was Cloudflare and the domain name that was being proxied. When I disable proxying and set it to DNS only I am able to renew the certificate. Is there a way or a solution for this? I want to keep using the proxy option but I don’t want to manually renew my certificates.

There are a ton of posts on this:

https://community.cloudflare.com/search?q=renew%20let%27s%20encrypt


I noticed that, but none of them provide an adequate solution.
If so many people are complaining about the same thing, that should be a sign to Cloudflare to work on a proper solution.

There are several methods that LE uses to validate domain control before issuing a Certificate.

DNS-01 requires you to create DNS records. The most common ACME tools can use the Cloudflare API to create these records, and this is the method you must use to issue a wildcard ACME certificate.

HTTP-01 requires you to place a file in a particular place on your webserver, and then LE will request the file to confirm domain control. This works fine with Cloudflare provided your origin web server is able to serve the required file, and the ACME tool you are using is actually putting the challenge file in the correct place. I just set one up now to test, and you can see the result below for a test file. The test site has Always Use HTTPS enabled with SSL Mode Full (Strict), and a Page Rule to redirect from the root domain to www. (HTTP-01 might not work with Super Bot Fight Mode.)

% curl -vL http://communitymvp.cf/.well-known/acme-challenge/community-acme-test
< HTTP/1.1 301 Moved Permanently
< Location: https://communitymvp.cf/.well-known/acme-challenge/community-acme-test
* Issue another request to this URL: 'https://communitymvp.cf/.well-known/acme-challenge/community-acme-test'
< HTTP/2 301
< location: https://www.communitymvp.cf/.well-known/acme-challenge/community-acme-test
* Issue another request to this URL: 'https://www.communitymvp.cf/.well-known/acme-challenge/community-acme-test'
< HTTP/2 200
<
Hello World!

TLS-ALPN-01 requires you to run a web server accessible to LE, and this will not work with the Cloudflare proxy. It is extremely uncommon in any case.


Thanks, but I don’t think this will work for me. I forgot to mention that I use a Synology NAS. Synology DSM has a built-in nginx server which you can use as a reverse proxy and to issue a certificate from Letsencrypt. It works well but it has one disadvantage: Synology reserves ports 80 and 443 for itself, therefore I can’t use other tools to get a certificate from Letsencrypt, since LE needs ports 80 and 443 to be open. In this particular case both ports were open, except for the DNS part. One solution from Cloudflare could be that you can schedule a certain domain name to be open on a certain day (say DNS only) and closed on a certain date (being proxied again). That would solve the problem.

I doubt that such a ‘feature’ will ever be implemented, but you could use the API to switch from :orange: to :grey:. Personally, that sounds like a poor solution.

It is possible to use the Cloudflare API with DSM to do certificate renewals (Google turned up this.)

You could also put a worker on https://example.com/.well-known/acme-challenge/* that proxies requests to your origin on a different port. This is a starting point:

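An added example of the Worker approach described above (this is not the starting point the poster linked, nor Cloudflare's own code): a Worker that accepts only well-formed HTTP-01 challenge paths under `/.well-known/acme-challenge/` and forwards them to the origin on an alternate port, so DSM can keep ports 80 and 443. The origin host and port are assumed placeholders.

```javascript
// Added example: a Cloudflare Worker (module syntax) that forwards ACME HTTP-01
// challenge requests to the origin on a port that DSM does not reserve.
// Assumptions (placeholders, replace with your own): ORIGIN_HOST and ORIGIN_PORT
// are where your ACME client (e.g. a standalone HTTP challenge listener) answers.
const ORIGIN_HOST = "origin.example.com";
const ORIGIN_PORT = 8080;
const CHALLENGE_PREFIX = "/.well-known/acme-challenge/";

// ACME tokens are base64url, so only these characters are allowed. Anything
// else (dots, slashes, encoded traversal) is rejected, which keeps the Worker
// from becoming a general-purpose proxy into the origin.
const TOKEN_RE = /^[A-Za-z0-9_-]+$/;

// Map an incoming request URL to the origin challenge URL, or return null when
// the path is not a valid challenge path. Pure function, so it is easy to test.
function rewriteChallengeUrl(requestUrl) {
  const url = new URL(requestUrl); // normalises "..", so traversal never matches
  if (!url.pathname.startsWith(CHALLENGE_PREFIX)) return null;
  const token = url.pathname.slice(CHALLENGE_PREFIX.length);
  if (!TOKEN_RE.test(token)) return null;
  // Plain HTTP to the origin; the query string is dropped because ACME
  // validators never send one.
  return `http://${ORIGIN_HOST}:${ORIGIN_PORT}${CHALLENGE_PREFIX}${token}`;
}

// In a real Worker this object is `export default`-ed; kept as a plain object
// here so the file also runs under Node for testing.
const worker = {
  async fetch(request) {
    const target = rewriteChallengeUrl(request.url);
    if (target === null) return new Response("Not found", { status: 404 });
    if (request.method !== "GET" && request.method !== "HEAD") {
      return new Response("Method not allowed", { status: 405 });
    }
    // Fetch from the origin without following redirects: the validator expects
    // a direct 200 with the key authorization, not a redirect chain.
    const upstream = await fetch(target, { method: request.method, redirect: "manual" });
    // Pass the body through unchanged and forbid caching, so a stale or edge-cached
    // answer can never be served for a fresh challenge token.
    return new Response(upstream.body, {
      status: upstream.status,
      headers: { "content-type": "text/plain", "cache-control": "no-store" },
    });
  },
};
```

Deploy it with a route such as `www.example.com/.well-known/acme-challenge/*` (the exact route is yours to choose); all other paths keep going through the normal Cloudflare proxy to DSM.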

Thanks for your advice so far.
As for the Cloudflare API with DSM: I don’t know if that will work, since my NAS is not directly attached to the internet but sits behind 2 routers. Besides, the solution was a very long one requiring detailed knowledge of Linux, which I don’t have.
