Certbot Challenges Failing Behind Cloudflare DNS


A couple of months ago, I switched over from Google Domains for DNS management to Cloudflare, largely for access to their CDN. I didn’t realize their free services were so expansive, and I’ve been happy to get access to all that they give me. However, the transition has not been without its pains.

All of the sites on my server (along with this site) are served using an nginx reverse proxy, with SSL certificates managed through Let’s Encrypt’s certbot tool. Today, as I went to add a new nginx server block for a gitea server, I ran into failures updating my certificate for the new git.devinadooley.com route. After some digging, it looked like my automatic renewals had been failing with the same errors:

Performing the following challenges:
http-01 challenge for devinadooley.com

...

Challenge failed for domain devinadooley.com

...

Domain: devinadooley.com
   Type:   unauthorized
   Detail: Invalid response from
   https://devinadooley.com/.well-known/acme-challenge/za5wVLKv90bpB-A8bcQp7ilTdlG0Z9_hp9bCTVIY8vA

...

The problem ended up being that these http-01 challenges need HTTP (not HTTPS) access to the domains being issued the challenge, but Cloudflare was configured to automatically redirect all HTTP traffic to HTTPS. Answers across several forums offered these solutions:

  1. Switch to Cloudflare’s certificates from Let’s Encrypt
  2. Switch to DNS challenges instead of http-01
  3. Disable HTTP->HTTPS redirects for my domains

I ended up going with option 3, as it was easier than issuing DNS challenges, and I stubbornly wanted to use Let’s Encrypt certificates because of how much time I had already invested into troubleshooting them and automating their renewals.

I found a post in the Cloudflare forum that suggested you can do this by disabling SSL and HTTPS Rewrites through page rules in the Cloudflare UI. This was a good attempt, but did not quite work, as certbot began erroring, claiming there were “Too many redirects”. After trying a number of solutions, I ended up disabling Cloudflare’s HTTP->HTTPS redirects across all my domains through their SSL/TLS Edge Certificates menu.

I was willing to make this change because I redirect all HTTP requests to HTTPS through nginx (certbot offers to add this redirect when it configures a certificate). You may not wish to make this change for your own domains if you are not confident in your server’s ability to redirect traffic without Cloudflare’s help.
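The two failures above (an “Invalid response” at the https:// URL, and the “Too many redirects” loop) are easier to reason about if you model what the validator does: it requests the token path over plain HTTP, follows whatever redirects it gets (the log above shows it ending up at the https:// URL), and expects a 200 whose body is the key authorization. The script below is an added example, not code from the original post or from certbot or Let’s Encrypt. It reproduces the three outcomes against constructed responses, so you can check your own setup’s redirect chain without spending real validation attempts; the `live_fetch` helper, the `example.com` domain, the token and thumbprint values, and the 10-redirect cap are all assumptions made for the example.

```python
"""Offline model of how an ACME http-01 validator sees a challenge URL.

Added example (not part of the original post, not certbot or Let's Encrypt
code). It follows redirects hop by hop and classifies the final outcome, so
the failure modes seen behind an HTTP->HTTPS redirecting edge can be
reproduced from constructed responses before touching the real API.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # assumption: an upper bound similar to what validators use


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


Fetcher = Callable[[str], Response]


def challenge_url(domain: str, token: str, scheme: str = "http") -> str:
    """Path the validator requests for an http-01 challenge."""
    return f"{scheme}://{domain}/.well-known/acme-challenge/{token}"


def probe(url: str, fetch: Fetcher, key_authz: str) -> Tuple[str, str]:
    """Follow redirects like a validator and classify the outcome.

    Returns (verdict, detail); verdict is 'ok', 'invalid_response' or
    'too_many_redirects'. Detail is the final URL, the bad status, or the
    chain of URLs visited when the redirects never terminate.
    """
    seen = []
    for _ in range(MAX_REDIRECTS + 1):
        seen.append(url)
        resp = fetch(url)
        if resp.status in (301, 302, 303, 307, 308) and resp.location:
            url = urljoin(url, resp.location)  # resolve relative Location headers
            continue
        if resp.status == 200 and resp.body.strip() == key_authz:
            return "ok", url
        return "invalid_response", f"{resp.status} from {url}"
    return "too_many_redirects", " -> ".join(seen)


def live_fetch(url: str) -> Response:
    """Single request without following redirects, so each hop is visible.

    Certificate errors are ignored on purpose: the point is to see the
    redirect chain, not to validate the edge certificate. Hypothetical
    helper for use against your own domain; not exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(parts.netloc, timeout=10, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.netloc, timeout=10)
    conn.request("GET", parts.path or "/")
    r = conn.getresponse()
    return Response(r.status, r.getheader("Location"), r.read().decode(errors="replace"))


def make_fetcher(table: Dict[str, Response]) -> Fetcher:
    """Fetcher backed by a constructed URL -> Response table (no network)."""
    def fetch(url: str) -> Response:
        return table.get(url, Response(404, body="not found"))
    return fetch


# Constructed sample values; the domain, token and thumbprint are placeholders.
TOKEN = "constructed-token"
KEY_AUTHZ = TOKEN + ".constructed-account-thumbprint"
DOMAIN = "example.com"
HTTP_URL = challenge_url(DOMAIN, TOKEN, "http")
HTTPS_URL = challenge_url(DOMAIN, TOKEN, "https")

# Edge redirects to HTTPS and the origin serves the token there: validates.
healthy = make_fetcher({
    HTTP_URL: Response(301, location=HTTPS_URL),
    HTTPS_URL: Response(200, body=KEY_AUTHZ),
})
# Edge redirects to HTTPS but nothing serves the token there:
# this is the "Invalid response from https://..." failure.
invalid = make_fetcher({
    HTTP_URL: Response(301, location=HTTPS_URL),
    HTTPS_URL: Response(404, body="<html>not found</html>"),
})
# Edge sends HTTP -> HTTPS while the origin side bounces HTTPS -> HTTP:
# this is the "Too many redirects" failure.
loop = make_fetcher({
    HTTP_URL: Response(301, location=HTTPS_URL),
    HTTPS_URL: Response(301, location=HTTP_URL),
})


def run_scenarios() -> Dict[str, str]:
    """Verdict for each constructed scenario, starting from the plain-HTTP URL."""
    scenarios = [("healthy", healthy), ("invalid", invalid), ("loop", loop)]
    return {name: probe(HTTP_URL, f, KEY_AUTHZ)[0] for name, f in scenarios}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

To inspect a real domain, call `probe(challenge_url("your.domain", "some-token"), live_fetch, "")` and look at the detail string: an `invalid_response` whose detail names the https:// URL means the redirect was followed but the origin did not answer with the token there, and a `too_many_redirects` chain alternating between http:// and https:// is the page-rule loop described above.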

That should be enough to fix this error on your certificate expansions/renewals. If you are troubleshooting, keep in mind that Let’s Encrypt rate-limits failed authorizations: once they have failed 5 times in the past hour, further certificate updates are refused. I ran into this quite a bit towards the end.