
I work on many side projects and try to set up https for each one. Since I can't afford to pay for certs, I use Letsencrypt. I also use Cloudflare in case I get traffic spikes. I start with getting an SSL cert with Letsencrypt, then put Cloudflare in front of it.

Problem is, when time comes to renew the Letsencrypt cert, I have to turn off Cloudflare in order to do so every time because the IP it sees is now different (Cloudflare's IP instead of my server's IP).

I know Cloudflare provides SSL for free and as long as it has a https connection to my server, it's fine, so technically I don't even have to update my SSL cert at all. But I'd like to keep my server's SSL cert updated so I have the flexibility to turn off Cloudflare at any time and still be up and have a valid cert.

Am I doing something wrong in my process? Is there an option I can use in letsencrypt renew to handle this better, instead of having to log in to Cloudflare to turn it off, wait a few mins, run renew, then turn Cloudflare back on again, every 2 months?

[edit] Getting downvoted for some reason, maybe because I didn't include my error msg with my setup. Here it is.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/[mydomain].com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for [mydomain].com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/[mydomain].com.conf produced an unexpected error: Failed authorization procedure. [mydomain].com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.18.55.209:443 for tls-sni-01 challenge. Skipping.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: [mydomain].com
   Type:   tls
   Detail: Failed to connect to 104.18.55.209:443 for tls-sni-01
   challenge

Obviously, 104.18.55.209 is a Cloudflare IP. It's not able to connect to it for the challenge.

[edit 2] Tim said to give the CloudFlare Page Rules and my domain. My domain is memechicken.com, and my CF Page Rules are just empty. Everything is default setup, pretty much. And finally, here are my Crypto tab settings that should be relevant:

Crypto screen 1

Crypto screen 2

Everything is default. I didn't change anything.

byl83
  • LetsEncrypt's renewal process* would go through correctly, irrespective of change in IP. So, you don't need to turn off Cloudflare during the renewal process. – Pothi Kalimuthu May 26 '17 at 03:32
  • Well, I am getting downvoted and your comment and the other answer are saying it should work, so I just added the error I'm running into. See error msg. – byl83 May 29 '17 at 03:48
  • "Since I can't afford to pay for certs, I use Letsencrypt." You should use Let's Encrypt even if you *can* afford certs, IMO. – ceejayoz May 31 '17 at 23:14

1 Answer


I use Let's Encrypt and CloudFlare. My certificates renew automatically with CloudFlare active and working. I use Acmetool, because Certbot didn't work well on Amazon Linux when I tried it in 2015.

As far as I know, the server IP is irrelevant. Let's Encrypt contacts your server by domain name. If you had a traditional certificate that had a 1:1 mapping domain to certificate maybe there would be a problem (I've never tried that so I don't know), but not with LE.

I have an article on setting up Let's Encrypt with CloudFlare which you might find interesting or useful.

Update: Here's my Nginx configuration to allow Let's Encrypt to connect over http, forwarding everything else to https. You'll be able to do something similar in Apache, but I don't know how.

# Redirect all variations to https://www domain
server {
  listen 80;
  server_name example.com www.example.com;

  # Let's Encrypt certificates with Acmetool
  location /.well-known/acme-challenge/ {
    alias /var/www/.well-known/acme-challenge/;
  }

  location / {
    return 301 https://www.photographerstechsupport.com$request_uri;
  }
}
Tim
  • You need to have your infrastructure set up differently. I have had this issue in the past, so to solve it, I ran all of my sites, virtual machines, etc. behind nginx and I let nginx handle the SSL connections. Basically it is a three-layer setup: cloudflare < nginx < website – Michael May 26 '17 at 13:31
  • @Michael is this a comment on my answer, or an answer? It doesn't seem particularly relevant to what I said, and as an answer it would be incomplete. Nginx is often used as a web server, though it can front other servers. – Tim May 26 '17 at 20:09
  • Hey, sorry about that, meant for it to be a comment. I was referring to using nginx as reverse proxy – Michael May 26 '17 at 20:11
  • Well, I am getting downvoted and your answer and the other comment are saying it should work, so I just added the error I'm running into. See error msg. – byl83 May 29 '17 at 03:48
  • When I go to that IP I get the message "104.18.55.209 uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH". That's probably because you need to address it by domain name, not IP. If you want more help you're going to have to give us the domain name. I'd also like you to edit your question to show your CloudFlare page rules and crypto screen. – Tim May 29 '17 at 04:05
  • Just added the things you asked for. Tim, 104.18.55.209 is a Cloudflare IP. I don't have control over what SSL cipher suites it uses. I posted the screenshots of my Crypto tab. The only thing that seems relevant is "Require Modern TLS", which I can't enable because I'm on free plan. – byl83 May 30 '17 at 05:49
  • As I said in my last comment we can't help more without your domain name. – Tim May 30 '17 at 06:48
  • Tim, I had already edited my question to include my domain, memechicken.com, before you said this. Can you see it or not? Look at where it says "[edit 2]". – byl83 May 31 '17 at 21:11
  • I see it now thanks. Your server redirects everything to https, whereas I believe the Let's Encrypt process connects over http. Sure LE could use https for renewals, but since it has to cater for the situation where there's no existing certificate I guess it always uses http. I'll edit my answer to provide relevant Nginx configuration. – Tim May 31 '17 at 21:29
  • I turned off enforcement of https (redirecting everything to https), and right now I can hit http://memechicken.com without being redirected to https, but I am still seeing the same renew failure from Letsencrypt. I really don't think it's because of that, since the error message says ` The server experienced a TLS error during domain verification :: Failed to connect to 104.18.54.209:443 for tls-sni-01 challenge`. I have a feeling it's because of TLS/SSL protocol versions support, and that's a setting I can't change on Cloudflare without paying. – byl83 Jun 04 '17 at 21:19
  • No, it's not that. I use CloudFlare free and I renew Let's Encrypt just fine. I use Acmetool, which has good debug logging. I have an [article on how I track down Let's Encrypt problems](https://www.photographerstechsupport.com/tutorials/hosting-wordpress-on-aws-tutorial-part-5-free-https-https2-for-wordpress-using-lets-encrypt-aws/#acme) on my blog. In short though, you're going to have to check the challenge file is being generated and that LE can contact the server to request it. The LE forums might be more useful. – Tim Jun 09 '17 at 04:03
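A pre-flight for the http-01 path Tim's answer relies on (the acme-challenge location in his Nginx config, and the "check the challenge file is being generated and that LE can contact the server" step in his last comment), added here as an example and not code from the thread: it writes a token under the webroot and fetches it over plain HTTP the way the CA would, so a CDN error page, a 404 or an https redirect is reported before `renew` runs. Unlike the tls-sni-01 challenge in the error above, which needs the CA to reach the origin's own TLS listener, an http-01 request passes through a TLS-terminating proxy as ordinary HTTP; the `host`, `webroot` and `connect_host` arguments are assumptions for running it against a real origin, and `selfcheck()` runs it against a throwaway local server.

```python
import functools
import http.client
import http.server
import secrets
import tempfile
import threading
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # same path as the nginx location and the webroot plugin

def fetch_challenge(host, token, port=80, connect_host=None):
    """GET the token over plain HTTP without following redirects. connect_host keeps the
    public name in Host but connects elsewhere, so CDN and origin answers can be compared."""
    conn = http.client.HTTPConnection(connect_host or host, port, timeout=10)
    conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    return resp.status, resp.getheader("Location"), body

def classify(status, location, body, token):
    """Turn the raw response into a verdict the operator can act on."""
    if status == 200 and body.strip() == token:
        return "ok: token served verbatim over http"
    if 300 <= status < 400:
        return (f"redirect ({status}) to {location}: the CA follows redirects, but the "
                f"target must still serve the token; exempting /{CHALLENGE_DIR}/ is simpler")
    if status == 200:
        return "mismatch: something other than the origin answered (CDN or error page?)"
    return f"http {status}: challenge directory is not served from the webroot"

def preflight(host, webroot, port=80, connect_host=None):
    """Write a token where the webroot plugin would, then fetch it the way the CA would."""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    return classify(*fetch_challenge(host, token, port, connect_host), token)

def selfcheck():
    """Run the whole check against a throwaway local web server, so it works offline."""
    webroot = tempfile.mkdtemp()  # constructed, empty webroot
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return preflight("127.0.0.1", webroot, port=srv.server_address[1])
    finally:
        srv.shutdown()
```

Against a real site, call `preflight("memechicken.com", "/var/www")` from anywhere on the internet to see what the CA sees through Cloudflare, and again with `connect_host` set to the origin's own address to see whether the origin or the proxy is the one answering wrongly.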