LetsEncrypt CloudFlare acme.sh
I have my server cloaked behind CloudFlare; all was well until I started getting [Let's Encrypt SSL] failure notices. It makes sense: CloudFlare proxies our sites and provides DNS for our domains.
There doesn't seem to be a solution using FleetSSL or AutoSSL, or is there a solution that I didn't find?
I found acme.sh; it seems to have everything I need, but it requires that I get my hands dirty poking around with bash. I am willing and able, but looking for a better alternative.
Are there updates to FleetSSL or AutoSSL that will resolve this issue, or am I missing something?
Perhaps someone is building a FleetSSL-type plugin using acme.sh.
Thanks for your help!
Hello @John Schmerold, cPanel's AutoSSL using the Sectigo provider should work with your sites being behind CloudFlare. The only currently pending issue I'm aware of was an issue with SSL certificates failing when the server had improperly configured IPv6 IPs. Have you tried using cPanel's provider? If so, what are the errors presented in the AutoSSL logs? Thanks!
This seems to be the most important message: The provider "cPanel (powered by Sectigo)" cannot currently accept incoming requests. The system will try again later.

Full log:

Log for the AutoSSL run for "nossl": Saturday, March 30, 2019 7:35:39 PM GMT-0500 (cPanel (powered by Sectigo))
7:35:39 PM AutoSSL's configured provider is "cPanel (powered by Sectigo)". This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
Checking websites for "nossl"
7:35:39 PM Analyzing "nossl.com"
7:35:39 PM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
7:35:39 PM Performing DCV (Domain Control Validation)
7:35:39 PM Local HTTP DCV OK: nossl.com
Local HTTP DCV OK: www.nossl.com (via nossl.com)
Local HTTP DCV OK: mail.nossl.com (via nossl.com)
Local HTTP DCV OK: cpanel.nossl.com (via nossl.com)
Local HTTP DCV OK: webdisk.nossl.com (via nossl.com)
Local HTTP DCV OK: webmail.nossl.com (via nossl.com)
7:35:39 PM Analyzing "nossl.com"'s DCV results
7:35:39 PM AutoSSL will request a new certificate.
7:35:39 PM The system will attempt to renew the SSL certificate for the website (nossl.com: nossl.com www.nossl.com mail.nossl.com webmail.nossl.com cpanel.nossl.com webdisk.nossl.com). No CAA record added because there is no CAA record from another provider in the DNS for nossl.com.
7:35:40 PM The provider "cPanel (powered by Sectigo)" cannot currently accept incoming requests. The system will try again later.
7:35:40 PM The system has completed the AutoSSL check for "nossl".
Hi @John Schmerold, this looks like it may have been bad timing, as it seems to indicate Sectigo was undergoing maintenance. Their status page for these issues can be found here: Sectigo. If you run the AutoSSL check again, do you continue to receive that same message? Thanks!
I had support dig into this. We are blocking international traffic. I added this allow rule to give Sectigo's UK servers safe passage to our website:

((cf.client.bot and cf.threat_score lt 15) or (ip.geoip.asnum in {32934 63293 48447}) or (ip.src in {178.255.81.12 178.255.81.13 199.66.201.132}))
Hi @John Schmerold, and did that resolve the issue?
You and support nailed it -- as always! BTW, I love the fact that support provides us with just enough information so that we can solve these issues ourselves. In this case, we had to open up our website to Sectigo in the UK. Support ran:

/usr/local/cpanel/bin/autossl_check_cpstore_queue --force

This pushed Sectigo to revisit our site. Now all is well. Thanks again!
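An added example, not part of this thread or of cPanel: a small triage script for an AutoSSL run log like the one quoted above. It separates "local DCV passed but the CA endpoint refused the request" (the message seen here, which turned out to be the CA's validators being geo-blocked at the edge) from "nothing passed local DCV", so you know whether to look at the edge firewall or at the site itself. The verdict labels and the regexes are my own, matched to the log format shown in this thread.

```python
import re

# Constructed sample: lines taken from the AutoSSL run quoted earlier in this thread.
SAMPLE_LOG = """\
7:35:39 PM Analyzing "nossl.com"
7:35:39 PM ERROR TLS Status: Defective
ERROR Defect: NO_SSL: No SSL certificate is installed.
7:35:39 PM Performing DCV (Domain Control Validation)
7:35:39 PM Local HTTP DCV OK: nossl.com
Local HTTP DCV OK: www.nossl.com (via nossl.com)
Local HTTP DCV OK: mail.nossl.com (via nossl.com)
7:35:39 PM AutoSSL will request a new certificate.
7:35:40 PM The provider "cPanel (powered by Sectigo)" cannot currently accept incoming requests. The system will try again later.
"""

ANALYZE_RE = re.compile(r'Analyzing "([^"]+)"')
DCV_OK_RE = re.compile(r'Local HTTP DCV OK: ([\w.-]+)')
DEFECT_RE = re.compile(r'ERROR Defect: ([A-Z_]+)')
PROVIDER_DOWN = "cannot currently accept incoming requests"


def triage(log_text):
    """Summarise one AutoSSL run and say where to look next.

    Verdicts (my labels, not cPanel's):
      requested      - local DCV passed and the request went to the CA
      retry_provider - local DCV passed but the CA endpoint refused the request;
                       re-run later and check that edge rules (geo/IP blocks)
                       let the CA's validators through, as in this thread
      dcv_failed     - no hostname passed local DCV; fix the site first
    Note: local DCV is performed by the cPanel server itself, so it can pass
    while a Cloudflare rule still blocks the CA's validators.
    """
    result = {"domains": [], "dcv_ok": [], "defects": [], "provider_unavailable": False}
    for line in log_text.splitlines():
        if m := ANALYZE_RE.search(line):
            result["domains"].append(m.group(1))
        if m := DCV_OK_RE.search(line):
            result["dcv_ok"].append(m.group(1))
        if m := DEFECT_RE.search(line):
            result["defects"].append(m.group(1))
        if PROVIDER_DOWN in line:
            result["provider_unavailable"] = True
    if result["provider_unavailable"]:
        result["verdict"] = "retry_provider"
    elif not result["dcv_ok"]:
        result["verdict"] = "dcv_failed"
    else:
        result["verdict"] = "requested"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```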
Hi @John Schmerold, I'm really glad to hear that your issue was able to get resolved, and happy we could help!! Thanks!