Using Let’s Encrypt SSL, got message from hosting can’t extend SSL

I have a WordPress site and set up a free Let’s Encrypt certificate from my hosting.
The site has been working for 1.5 years; all this time the Let’s Encrypt certificate has been re-issued and applied automatically every 3 months.

I set up a Cloudflare free account and a few days ago got this message from my hosting:

“Error reissuing Let’s Encrypt free certificate
Unfortunately, there was an error when issuing your free Let’s Encrypt certificate.
To try again, you will need to point the A-entries to the following domains:
87.236.16.100 for techbear.ru.
Certificate will expire 29.08.2019. In case it will not be reissued, HTTPS connection to the domains will not be accessible.”

These are my settings on the DNS page,
and the Crypto page:
(sorry, new users can post only 1 picture)

I want the Let’s Encrypt certificate to be automatically re-issued and applied to my domain every 3 months without manual actions, same as before.

Could you please help me to set it up?

I’ve had Cloudflare’s proxy mess with our LetsEncrypt verifications before.

The first thing I would try is disabling the force HTTPS/SSL option for your domain. If that doesn’t work then disabling the orange cloud should take care of things.

Hi @urantv,

The issue here is that when you add Cloudflare, their IP addresses show, not the IP of your server. Ideally, your host may be able to offer some alternative way to get the certificate issued, like DNS validation.

Alternatively, you may have to switch from :orange: to :grey: while the cert renews.

Thanks for the reply!

I found out that’s true.
The hosting company recommended that I stop using the Let’s Encrypt certificate and start using a Cloudflare SSL certificate instead.
Switching the orange cloud to the grey cloud means doing it every 3 months, at each certificate re-issuance.

Could you please suggest how to order an SSL certificate on Cloudflare correctly?

Is this right:

  1. SSL/TLS - SSL - Flexible.
  2. After issuing the certificate, check that the checkbox SSL/TLS - Always Use HTTPS is on.

No problem!

Flexible isn’t fully secure. What you should ideally do is install a Cloudflare Origin Certificate on your server (which can be valid for up to 15 years) and set this to Full (strict).

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

Thank you!
Finally I understand how it works.
The thing is, my website is on shared hosting, and the hosting company probably won’t install a CF certificate on the server.
So I have only the last option left, which is Flexible.

I also use shared hosting and they have been happy to let me install Cloudflare’s SSL - they should be if they can’t provide an alternative way to get Let’s Encrypt certs automatically.

Cloudflare has a certbot plugin which needs API creds to work.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/
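
The DNS validation route suggested in the replies above, sketched as an added example (not code from the thread, Cloudflare or Certbot). It assumes certbot and the certbot-dns-cloudflare plugin are installed and that you can run them where the certificate is needed; the domain, file path and token value are placeholders, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: DNS-01 issuance through the certbot-dns-cloudflare plugin, so
# validation never depends on which IP the A record shows (orange or grey cloud).
# Placeholders: example.com, the credentials path and the token value.

# Store the API token so that only the owner can read it. Use a scoped API
# token (Zone:DNS:Edit for the one zone), not the account-wide Global API key.
write_cf_credentials() {
    token="$1"; file="$2"
    ( umask 077
      mkdir -p "$(dirname "$file")"
      printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file" )
    chmod 600 "$file"
}

# Pre-flight check before every issuance or renewal run.
# Returns 1: file missing, 2: readable by others, 3: Global API key in use,
#         4: no token present, 0: fine.
check_cf_credentials() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")   # GNU/busybox stat
    [ "$mode" = "600" ] || [ "$mode" = "400" ] || {
        echo "unsafe mode $mode on $file" >&2; return 2; }
    if grep -q '^dns_cloudflare_api_key' "$file"; then
        echo "Global API key found; use a scoped token instead" >&2
        return 3
    fi
    grep -q '^dns_cloudflare_api_token *= *[^ ]' "$file" || return 4
}

# Request the certificate; certbot creates and removes the _acme-challenge
# TXT record through the Cloudflare API.
issue_cert() {
    domain="$1"; file="$2"
    check_cf_credentials "$file" || return
    certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$file" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$domain"
}

# Usage (placeholders):
#   write_cf_credentials "YOUR_SCOPED_TOKEN" "$HOME/.secrets/certbot/cloudflare.ini"
#   issue_cert example.com "$HOME/.secrets/certbot/cloudflare.ini"
```

Renewals started with `certbot renew` reuse the same plugin and credentials file, so nothing has to be switched in the Cloudflare dashboard every 3 months.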
