
Mail certificate when DNS is with Cloudflare

6 comments

  • cPRex Jurassic Moderator

    Hey there! Are you getting a specific error from AutoSSL about that certificate? Even if it can't use the DNS verification system it should still try the HTTP verification checks to issue the certificate.

  • GoWilkes

    All of my sites on Cloudflare have the same problem, but this is the error I'm seeing on my main site:

    WARN “Let’s Encrypt™” HTTP DCV error (mail.example.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (104.21.79.229: Invalid response from http://mail.example.com/.well-known/acme-challenge/nSIEGR3XpckKwRQxT7sm-a-YGOPVYJSMmMacqrYa0fY: 403)

    ...

    ERROR “Let’s Encrypt™” DNS DCV error (mail.example.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.example.com - check that a DNS record exists for this domain)

    It looks like it's trying to confirm the acme-challenge DNS record, but it's looking for the record at Cloudflare's DNS instead of on the server. And, of course, it can't change the record on Cloudflare.

    I tried copying the acme-challenge record to Cloudflare manually, but then I got this error:

    1:33:16 PM ERROR “Let’s Encrypt™” DNS DCV error (mail.example.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (Incorrect TXT record "MYuFiuo6sL5Q2HUvkSoqvXcv40xfkfhm6APqWJb0rXo" found at _acme-challenge.mail.example.com)


    I then tried changing it to Sectigo, which looks like it will work but then it just never gets a certificate:

    1:29:38 AM The system will attempt to renew the SSL certificate for (example.com: mail.example.com ...).

    ...

    1:29:41 AM The cPanel Store received “example.com”’s certificate order. (Order Item ID: 2865865769) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
    The system has completed “example”’s AutoSSL check.
    1:31:01 AM Polling for “example”’s new certificate for “example.com” (order item ID “2865865769”) …
    The certificate is not available. (processing)
    1:33:01 AM The queue contains a request for a certificate for “example”’s website “example.com” (order item ID “2865865769”). The system last polled for this certificate at Oct 10, 2024, 5:31:01 AM UTC. The next poll will happen no earlier than Oct 10, 2024, 5:33:01 AM UTC.

    and then that just repeats for 4 days until the system stops trying.

  • GoWilkes

    I should include that I have this in my Apache configuration to ensure that no Apache rules accidentally block the request:

    # Let the cPanel DCV files through untouched; [L] ends rewriting for the request
    RewriteCond %{REQUEST_URI} ^/[0-9]+\..+\.cpaneldcv$ [OR]
    RewriteCond %{REQUEST_URI} ^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ - [L]

    # Same for /.well-known/ (where the ACME HTTP-01 challenge files go), the error pages and ads.txt/robots.txt
    RewriteRule ^/(?:\.well-known|40[34]\.php|(?:ad|robot)s\.txt) - [L]

    Also, /home/example/public_html/.well-known/acme-challenge is empty every time I look.

    Looking at the 403 error, I'm assuming that something is blocking AutoSSL from creating the acme-challenge file. So I disabled CSF and put Cloudflare in development mode, but it still failed with the same errors.

    I also see that I have 60 files in /.well-known/pki-validation/, with the most recent being created on 10/10/24. So it's not that /.well-known/ is being blocked, at least.

  • cPRex Jurassic Moderator

    You wouldn't be able to manually copy the DNS record to another location, as that isn't how the system works.

    It's normal for the acme-challenge directory to be empty - the file is only present there during the time the check happens, and then the system cleans that up.

    If you just place a plain text file in the acme-challenge directory, can you access that normally in a browser?

  • GoWilkes

    Good news, cPRex! I found the problem, it was with an Apache configuration rule after all.

    I don't really know why the rule was causing a problem, but when I removed this the cert was installed:

    # The conditions are chained with [OR]: if any one of them matches, the final rule answers 403 Forbidden ([F])
    RewriteCond %{QUERY_STRING} (?:^|&|=)(?:information|table)_schema|union.(?:all.)?select|sp_executesql|updatexml|concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} /self/|cPath=http://|(?:<|%3C)(?:iframe|php|script)|base64_(?:en|de)code|proc/self/environ [NC,OR]
    RewriteCond %{QUERY_STRING} (?:GLOBALS|_REQUEST)(?:=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} (?:NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} \./(?:motd|etc|bin) [NC,OR]

    # Referer and User-Agent conditions; [NC] makes the match case-insensitive
    RewriteCond %{HTTP_REFERER} service.dropdowndeals.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader|<|>|'|%27|%3C|%3E|%00|(?:[;<>'"()]|%22|%28).*(HTTrack|archiver|email|harvest|extract|grab|miner) [NC]
    RewriteRule ^ - [F]


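The 403 from the first post and the fix in this one can be reproduced offline. The Python below is an added example, not code from the thread or from cPanel: it re-implements the decision the two posted Apache mod_rewrite rule sets make and runs a few constructed requests through it. The Let's Encrypt validator user-agent string used here is assumed to be the one Let's Encrypt publishes, `Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)`; the browser and curl strings are constructed for the example. Because that string contains an apostrophe, the bare `'` alternative in the HTTP_USER_AGENT condition matches it, the [F] rule fires, and the challenge fetch gets exactly the 403 quoted in the HTTP DCV error. The model also shows why rule order matters: the `/.well-known` allow-list only protects the challenge if its [L] rule is reached before the [F] rule. One caveat carried into the patterns: in .htaccess (per-directory) context Apache strips the directory prefix before matching, so `^/\.well-known` never matches there; the allow-list patterns below use `^/?` for that reason, which is a deliberate change from the posted rules.

```python
import re

# Added example (not from the thread, not cPanel code): a Python model of the
# two Apache mod_rewrite rule sets posted above, so the 403 can be reproduced
# offline.  Python's re module accepts these PCRE-style patterns unchanged.

# Allow-list rules (RewriteRule ... - [L]).  Deviation from the posted rules:
# the leading "/" is optional here, because in .htaccess (per-directory)
# context Apache strips the directory prefix and the tested URI has no "/".
ALLOW_PATHS = [
    r"^/?[0-9]+\..+\.cpaneldcv$",
    r"^/?[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",
    r"^/?(?:\.well-known|40[34]\.php|(?:ad|robot)s\.txt)",
]

# Blocking rule set (RewriteCond ... [OR] chain, then RewriteRule ^ - [F]).
# [NC] becomes re.IGNORECASE; conditions without [NC] stay case-sensitive.
BLOCK_CONDS = [
    ("QUERY_STRING", r"(?:^|&|=)(?:information|table)_schema|union.(?:all.)?select|sp_executesql|updatexml|concat[^\(]*\(", re.I),
    ("QUERY_STRING", r"\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I),
    ("QUERY_STRING", r"/self/|cPath=http://|(?:<|%3C)(?:iframe|php|script)|base64_(?:en|de)code|proc/self/environ", re.I),
    ("QUERY_STRING", r"(?:GLOBALS|_REQUEST)(?:=|\[|\%[0-9A-Z]{0,2})", 0),
    ("QUERY_STRING", r"(?:NULL|OUTFILE|LOAD_FILE)", 0),
    ("QUERY_STRING", r"\./(?:motd|etc|bin)", re.I),
    ("HTTP_REFERER", r"service.dropdowndeals.com", re.I),
    ("HTTP_USER_AGENT", r"libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader|<|>|'|%27|%3C|%3E|%00|(?:[;<>'\"()]|%22|%28).*(HTTrack|archiver|email|harvest|extract|grab|miner)", re.I),
]

# Assumed validator user agent (the string Let's Encrypt publishes) and two
# constructed client strings for comparison.
LE_VALIDATOR_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
CURL_UA = "curl/8.4.0"


def blocking_condition(query, user_agent, referer=""):
    """Return (variable, matched text) for the first [OR]-chained condition
    that fires, or None when the [F] rule would not apply.  Apache evaluates
    the conditions top to bottom, so the order mirrors the posted rule set."""
    values = {"QUERY_STRING": query, "HTTP_USER_AGENT": user_agent, "HTTP_REFERER": referer}
    for var, pattern, flags in BLOCK_CONDS:
        m = re.search(pattern, values[var], flags)
        if m:
            return var, m.group(0)
    return None


def is_allow_listed(path):
    """True when one of the [L] allow-list rules matches the request path."""
    return any(re.search(p, path) for p in ALLOW_PATHS)


def apache_decision(path, query, user_agent, referer="", allow_list_first=True):
    """Model the two rule sets in order.  With the allow-list [L] rule first a
    matching request stops rewriting before the [F] rule is ever evaluated;
    with the blocking rules first the [F] rule wins and the allow-list is moot."""
    if allow_list_first and is_allow_listed(path):
        return "pass"  # [L]: rewriting stops here, the [F] rule is not reached
    if blocking_condition(query, user_agent, referer):
        return "403"   # RewriteRule ^ - [F]
    return "pass"


if __name__ == "__main__":
    # Challenge path taken from the HTTP DCV error quoted in the thread.
    path = "/.well-known/acme-challenge/nSIEGR3XpckKwRQxT7sm-a-YGOPVYJSMmMacqrYa0fY"
    for label, ua in (("Let's Encrypt validator", LE_VALIDATOR_UA), ("browser", BROWSER_UA), ("curl", CURL_UA)):
        print(f"{label:24} blocked by: {blocking_condition('', ua)}")
    for first in (True, False):
        print(f"allow-list first={first}: {apache_decision(path, '', LE_VALIDATOR_UA, allow_list_first=first)}")
```

Running it prints which condition each client trips (the validator is caught by the single-character `'` alternative, the browser by nothing, curl by `curl`) and then the decision for the challenge URL with the allow-list placed before and after the blocking set. The practical lesson is the ordering: keep the `/.well-known/acme-challenge` [L] rule above any [F] rule, and avoid single-character alternatives such as `'`, `<` and `>` in a User-Agent denylist, since they match far more than scanners.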
  • cPRex Jurassic Moderator

    Oh nice! I'm glad you found it and that things are working well now!
