Mail certificate when DNS is with Cloudflare
I moved the DNS for my sites to Cloudflare last year, and they created the SSL certs. But I recently discovered that the mail servers were still using cPanel's cert.
I discovered that because the certs expired, causing the mail servers to stop working :-O
In the DNS I have an A record for "mail" that points to my server's IP, and it's not proxied through Cloudflare. And the MX record points back to that mail.example.com
Cloudflare explicitly doesn't proxy mail servers:
https://developers.cloudflare.com/dns/troubleshooting/email-issues/
So how do I get a certificate for the mail server?
Hey there! Are you getting a specific error from AutoSSL about that certificate? Even if it can't use the DNS verification system it should still try the HTTP verification checks to issue the certificate.
All of my sites on Cloudflare have the same problem, but this is the error I'm seeing on my main site:
WARN “Let’s Encrypt™” HTTP DCV error (mail.example.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (104.21.79.229: Invalid response from http://mail.example.com/.well-known/acme-challenge/nSIEGR3XpckKwRQxT7sm-a-YGOPVYJSMmMacqrYa0fY: 403)
...
ERROR “Let’s Encrypt™” DNS DCV error (mail.example.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.example.com - check that a DNS record exists for this domain)
It looks like it's trying to confirm the acme-challenge DNS record, but it's looking for the record at Cloudflare's DNS instead of on the server. And, of course, it can't change the record on Cloudflare.
I tried copying the acme-challenge record to Cloudflare manually, but then I got this error:
1:33:16 PM ERROR “Let’s Encrypt™” DNS DCV error (mail.example.com): 403 urn:ietf:params:acme:error:unauthorized (The client lacks sufficient authorization) (Incorrect TXT record "MYuFiuo6sL5Q2HUvkSoqvXcv40xfkfhm6APqWJb0rXo" found at _acme-challenge.mail.example.com)
I then tried changing it to Sectigo, which looks like it will work but then it just never gets a certificate:
1:29:38 AM The system will attempt to renew the SSL certificate for (example.com: mail.example.com ...).
...
1:29:41 AM The cPanel Store received “example.com”’s certificate order. (Order Item ID: 2865865769) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
The system has completed “example”’s AutoSSL check.
1:31:01 AM Polling for “example”’s new certificate for “example.com” (order item ID “2865865769”) …
The certificate is not available. (processing)
1:33:01 AM The queue contains a request for a certificate for “example”’s website “example.com” (order item ID “2865865769”). The system last polled for this certificate at Oct 10, 2024, 5:31:01 AM UTC. The next poll will happen no earlier than Oct 10, 2024, 5:33:01 AM UTC.
...and then that just repeats for 4 days until the system stops trying.
I should include that I have this in my Apache configuration to ensure that no Apache rules accidentally block the request:
RewriteCond %{REQUEST_URI} ^/[0-9]+\..+\.cpaneldcv$ [OR]
RewriteCond %{REQUEST_URI} ^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ - [L]
RewriteRule ^/(?:\.well-known|40[34]\.php|(?:ad|robot)s\.txt) - [L]
Also, /home/example/public_html/.well-known/acme-challenge is empty every time I look.
Looking at the 403 error, I'm assuming that something is blocking AutoSSL from creating the acme-challenge file. So I disabled CSF and put Cloudflare in development mode, but it still failed with the same errors.
I also see that I have 60 files in /.well-known/pki-validation/, with the most recent being created on 10/10/24. So it's not that /.well-known/ is being blocked, at least.
You wouldn't be able to manually copy the DNS record to another location, as that isn't how the system works.
It's normal for the acme-challenge directory to be empty - the file is only present there during the time the check happens, and then the system cleans that up.
If you just place a plain text file in the acme-challenge directory, can you access that normally in a browser?
Good news, cPRex! I found the problem, it was with an Apache configuration rule after all.
I don't really know why the rule was causing a problem, but when I removed this the cert was installed:
RewriteCond %{QUERY_STRING} (?:^|&|=)(?:information|table)_schema|union.(?:all.)?select|sp_executesql|updatexml|concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} /self/|cPath=http://|(?:<|%3C)(?:iframe|php|script)|base64_(?:en|de)code|proc/self/environ [NC,OR]
RewriteCond %{QUERY_STRING} (?:GLOBALS|_REQUEST)(?:=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} (?:NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} \./(?:motd|etc|bin) [NC,OR]
RewriteCond %{HTTP_REFERER} service.dropdowndeals.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader|<|>|'|%27|%3C|%3E|%00|(?:[;<>'"()]|%22|%28).*(HTTrack|archiver|email|harvest|extract|grab|miner) [NC]
RewriteRule ^ - [F]
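The rule set in the post above, replayed in Python as an added example (this is not code from the thread, from cPanel or from Apache). It uses each posted RewriteCond pattern as a Python regex, evaluates them the way mod_rewrite evaluates an [OR] chain (the final "RewriteRule ^ - [F]" fires as soon as one condition matches), and runs four constructed requests through it: a Let's Encrypt HTTP-01 validation request, a check made with curl's default User-Agent, a browser, and a SQL-injection probe. The Let's Encrypt User-Agent is the string its validation server sends; the token is the one from the OP's log line; the other requests are made up. The "hardened" variant, which exempts /.well-known/acme-challenge/ before the blocklist runs, is my suggestion and not something the thread states.

```python
r"""Replay the posted RewriteCond/RewriteRule [F] blocklist against sample requests.

Added example, not from the original thread, cPanel or Apache. Each posted
RewriteCond pattern is used as a Python regex (the syntax agrees for these
patterns; [NC] becomes re.IGNORECASE). The requests below are constructed;
the Let's Encrypt User-Agent is the string its validation server sends.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The posted %{QUERY_STRING} conditions, in order, with their flags.
QUERY_STRING_CONDS = [
    (r"(?:^|&|=)(?:information|table)_schema|union.(?:all.)?select|sp_executesql|updatexml|concat[^\(]*\(", re.I),
    (r"\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I),
    (r"/self/|cPath=http://|(?:<|%3C)(?:iframe|php|script)|base64_(?:en|de)code|proc/self/environ", re.I),
    (r"(?:GLOBALS|_REQUEST)(?:=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"(?:NULL|OUTFILE|LOAD_FILE)", 0),
    (r"\./(?:motd|etc|bin)", re.I),
]
REFERER_COND = (r"service.dropdowndeals.com", re.I)
# The posted %{HTTP_USER_AGENT} condition, verbatim, split over three lines.
USER_AGENT_COND = (
    r"""libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader"""
    r"""|<|>|'|%27|%3C|%3E|%00"""
    r"""|(?:[;<>'"()]|%22|%28).*(HTTrack|archiver|email|harvest|extract|grab|miner)""",
    re.I,
)

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Request:
    uri: str              # %{REQUEST_URI}, path only
    query: str = ""       # %{QUERY_STRING}
    referer: str = ""     # %{HTTP_REFERER}
    user_agent: str = ""  # %{HTTP_USER_AGENT}


def first_match(req: Request) -> Optional[Tuple[str, str]]:
    """Evaluate the posted [OR] chain: return (server variable, matched text) for
    the first condition that matches, or None if the request passes through."""
    checks = [("QUERY_STRING", req.query, pat, flags) for pat, flags in QUERY_STRING_CONDS]
    checks.append(("HTTP_REFERER", req.referer) + REFERER_COND)
    checks.append(("HTTP_USER_AGENT", req.user_agent) + USER_AGENT_COND)
    for var, value, pat, flags in checks:
        m = re.search(pat, value, flags)
        if m:
            return (var, m.group(0))
    return None


def original_decision(req: Request) -> str:
    """The posted configuration: 'RewriteRule ^ - [F]' gives a 403 on any match."""
    return "403" if first_match(req) else "allow"


def hardened_decision(req: Request) -> str:
    r"""Same blocklist, but the ACME HTTP-01 path is exempted before the chain runs.
    Apache equivalent (my suggestion, not from the thread): an AND-ed guard placed
    ahead of the [OR] chain, e.g.
        RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    """
    if req.uri.startswith(ACME_PREFIX):
        return "allow"
    return original_decision(req)


LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
TOKEN = "nSIEGR3XpckKwRQxT7sm-a-YGOPVYJSMmMacqrYa0fY"  # token from the OP's log line

SAMPLES = {  # constructed requests
    "letsencrypt": Request(ACME_PREFIX + TOKEN, user_agent=LE_UA),
    "curl": Request(ACME_PREFIX + TOKEN, user_agent="curl/8.5.0"),
    "browser": Request(ACME_PREFIX + TOKEN,
                       user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    "sqli_probe": Request("/index.php", query="id=1 UNION ALL SELECT 1,2,3", user_agent="Mozilla/5.0"),
}


def evaluate_all():
    """Map each sample to (posted rules' verdict, hardened verdict, matching condition)."""
    return {name: (original_decision(r), hardened_decision(r), first_match(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (before, after, why) in evaluate_all().items():
        print(f"{name:12} posted={before:5} hardened={after:5} reason={why}")
```

Run as a script, it shows which server variable and which matched text tripped the rule for each request. Two things to take from it when checking a setup like the OP's by hand: a test fetch with curl's default User-Agent gets a 403 from these rules regardless of whether the challenge file is there (the "curl" alternative matches), so a manual check should send a browser-like User-Agent with `-A`; and the apostrophe alternative in the User-Agent condition matches any string containing a single quote, which is a far broader match than the scanner names around it suggest.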
Oh nice! I'm glad you found it and that things are working well now!