Ken

Hi everyone,

A few days ago I joined my site to Cloudflare. On Cloudflare, I set the SSL/TLS encryption mode to Full (strict).

Today I got an email about the daily cron job:

/etc/cron.daily/confconsole-dehydrated:
Certificate will expire
[2020-07-16 06:34:02] dehydrated-wrapper: INFO: started
[2020-07-16 06:34:02] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2020-07-16 06:34:02] dehydrated-wrapper: INFO: stopping apache2
[2020-07-16 06:34:03] dehydrated-wrapper: INFO: running dehydrated
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://vidtubeworld.com/.well-known/acme-challenge/f_jS-NWkSIGaUECFDiEnMOBWq2HBlEPQEn3jwrlbqAc [2606:4700:3035::ac43:d353]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5911802422/6Di2Ig",
  "token": "f_jS-NWkSIGaUECFDiEnMOBWq2HBlEPQEn3jwrlbqAc",
  "validationRecord": [
    {
      "url": "http://vidtubeworld.com/.well-known/acme-challenge/f_jS-NWkSIGaUECFDiEnMOBWq2HBlEPQEn3jwrlbqAc",
      "hostname": "vidtubeworld.com",
      "port": "80",
      "addressesResolved": [
        "172.67.211.83",
        "104.31.71.53",
        "104.31.70.53",
        "2606:4700:3036::681f:4735",
        "2606:4700:3035::ac43:d353",
        "2606:4700:3030::681f:4635"
      ],
      "addressUsed": "2606:4700:3036::681f:4735"
    },
    {
      "url": "https://vidtubeworld.com/.well-known/acme-challenge/f_jS-NWkSIGaUECFDiEnMOBWq2HBlEPQEn3jwrlbqAc",
      "hostname": "vidtubeworld.com",
      "port": "443",
      "addressesResolved": [
        "172.67.211.83",
        "104.31.70.53",
        "104.31.71.53",
        "2606:4700:3035::ac43:d353",
        "2606:4700:3036::681f:4735",
        "2606:4700:3030::681f:4635"
      ],
      "addressUsed": "2606:4700:3035::ac43:d353"
    }
  ]
})
[2020-07-16 06:34:10] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2020-07-16 06:34:10] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2020-07-16 06:34:10] dehydrated-wrapper: INFO: attempting to kill add-water server
[2020-07-16 06:34:10] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2020-07-16 06:34:10] dehydrated-wrapper: INFO: starting apache2
[2020-07-16 06:34:11] dehydrated-wrapper: INFO: starting stunnel4
[2020-07-16 06:34:11] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.

Does anyone have any advice for this issue?

Thank you guys

Jeremy Davis

I'm not super familiar with use of Cloudflare (at least not pragmatically) myself. But FWIW Let's Encrypt themselves recommend using Cloudflare SSL certs (i.e. from Cloudflare CA) rather than Let's Encrypt.

Having said that, a little bit of googling suggests that it is quite possible to use Let's Encrypt certs with Cloudflare. But I don't think it lends itself nicely to usage of the automation via "HTTP-01" challenge method that we currently provide.

Essentially, the problems are two-fold. Firstly it appears that your current Cloudflare config is redirecting HTTP to HTTPS (and HTTP-01 challenge requires plain HTTP access). Secondly, it appears that the Cloudflare config is blocking Let's Encrypt servers from accessing the required "well known" URL to complete the challenge (returning a 403 error).

I suspect that there are ways that you can workaround both of these issues, but I'm not 100% sure of that. And even if you can, I suspect that there are better ways...

If you do wish to persevere with Let's Encrypt certs, most likely a better approach would be to use an alternate authorisation method. DNS-01 challenges probably lend themselves much more easily to this end. Instead of requiring your server to serve a specific token via a specific HTTP URL, a DNS-01 challenge requires you to set a specific token value for a specific DNS record (related to your domain).

For Let's Encrypt certs, we leverage software called Dehydrated (we use a custom wrapper with a custom hook script to respond to HTTP-01 challenges). Dehydrated also supports DNS-01 challenges and there are a number of user-contributed "DNS hook scripts". The wiki notes 2 Cloudflare-specific DNS hooks; a Python one and a bash one. I can't vouch for either, but both appear to have relatively recent commits, so probably both work.

If you go that way, you can use the version of Dehydrated that is pre-installed in TurnKey, but you won't want to use our wrapper script and you'll also need to configure it to use the desired hook script (rather than ours). So you'll need to generate your own config file (/etc/dehydrated/conf) and change the cron job (or create a new one). You'll also need to do whatever config is required of your chosen hook (I assume that at least it will need some sort of API key or credentials to update the Cloudflare DNS).

Alternatively, you could go a completely different direction and disable our setup altogether and install an alternative Let's Encrypt client, e.g. "certbot" (apparently it has a "cloudflare DNS" plugin too).

Regardless of which way you go, I'd be interested to hear what you decide and how easy/hard/etc it was.
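A DNS-01 hook of the kind described above, as an added example that is neither TurnKey's wrapper/hook nor either of the wiki hooks. It assumes the Cloudflare v4 DNS records API, the `CF_API_TOKEN` and `CF_ZONE_ID` environment variables named in the comments, and a `DRY_RUN` mode constructed here so the record logic can be exercised without credentials; the domain and token value used in the test come from the log in the first post.

```shell
#!/bin/sh
# Added example, not TurnKey's wrapper or hook script: a minimal dehydrated DNS-01 hook
# that publishes the ACME token as a TXT record through the Cloudflare API.
# dehydrated (with CHALLENGETYPE="dns-01" and HOOK=/path/to/this/script in its config) calls:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Assumed environment (placeholders, not from the thread):
#   CF_API_TOKEN  Cloudflare API token limited to DNS edit rights on this zone
#   CF_ZONE_ID    zone identifier from the Cloudflare dashboard
#   DRY_RUN       if set to a file path, API calls are appended there instead of sent
set -eu
CF_API="https://api.cloudflare.com/client/v4"

# The ACME server looks for a TXT record named _acme-challenge.<domain> holding the token value.
acme_record_name() { printf '_acme-challenge.%s' "$1"; }

cf_api() {  # cf_api METHOD PATH [JSON_BODY]; prints the API response
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s %s\n' "$1" "$2" "${3:-}" >> "$DRY_RUN"
        printf '{"result":[{"id":"dryrun-record-id"}]}'   # canned reply for the lookup
        return 0
    fi
    if [ $# -ge 3 ]; then
        curl -fsS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN" \
            -H "Content-Type: application/json" --data "$3"
    else
        curl -fsS -X "$1" "$CF_API$2" -H "Authorization: Bearer $CF_API_TOKEN"
    fi
}

deploy_challenge() {  # DOMAIN TOKEN_FILENAME TOKEN_VALUE
    name=$(acme_record_name "$1")
    cf_api POST "/zones/$CF_ZONE_ID/dns_records" \
        "{\"type\":\"TXT\",\"name\":\"$name\",\"content\":\"$3\",\"ttl\":120}" >/dev/null
    # give the authoritative servers a moment before dehydrated asks the CA to validate
    [ -n "${DRY_RUN:-}" ] || sleep 10
}

clean_challenge() {  # DOMAIN TOKEN_FILENAME TOKEN_VALUE
    name=$(acme_record_name "$1")
    # find the record by name and content, then delete it by id so stale tokens do not pile up
    id=$(cf_api GET "/zones/$CF_ZONE_ID/dns_records?type=TXT&name=$name&content=$3" |
        grep -o '"id":"[^"]*"' | head -n 1 | cut -d'"' -f4)
    if [ -n "$id" ]; then
        cf_api DELETE "/zones/$CF_ZONE_ID/dns_records/$id" >/dev/null
    fi
}

case "${1:-}" in
    deploy_challenge|clean_challenge) "$@" ;;   # hook name is $1, its arguments follow
    *) ;;                                        # other hook stages are not needed here
esac
```

Because the record is created and removed by the hook, nothing on port 80 is involved, so Cloudflare's HTTP-to-HTTPS redirect and its 403 on the well-known URL no longer matter for renewal.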

Richard van Dijk

You can probably configure a page rule in Cloudflare to bypass the HTTP to HTTPS redirect for the challenge URLs. Then serve the challenge over HTTP on port 80 of your webserver. However, I agree with Jeremy that this is not the best solution.

I use Cloudflare Origin CA Certificates on my webservers that are behind Cloudflare, and that has always worked very well for me. More info: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-C...
