Cloudflare + Let's Encrypt HTTP-01 challenge issue with DirectAdmin

Posted by kam (Verified User, joined Jan 4, 2009)
Latest Update:

In my case, I just want to use the simplest HTTP-01 challenge method to get the verification done for the non-wildcard domain, but I can't get it working at all. I know other people may get around this problem by using lego and setting the DNS provider to Cloudflare, but I prefer to use the simplest way to get the job done.

I think the current version of letsencrypt.sh (2.0.19) has bugs and therefore the HTTP-01 challenge verification method is unusable. I hope this problem will be fixed soon.

By the way, I think it's better to separate the pre-check functions for the HTTP-01 challenge method and the DNS-01 challenge method (for the letsencrypt.sh script).

-------------------------------
Hello,

I am using Cloudflare with the proxy enabled for the domain below and I want to generate a Let's Encrypt cert for it. But I keep receiving the error "domainname.cc was skipped due to unreachable".

[attachment: DA cert.jpg]


So, I decided to create the path /.well-known/acme-challenge/ manually and put a test file in it to see if I can access it.

[attachment: folder.jpg]


I created a test.htm file and put it under the /.well-known folder, and I confirmed that I can access it at http://domainname.cc/.well-known/test.htm
But when I put the same file into the /.well-known/acme-challenge/ folder, I am unable to access it at http://domainname.cc/.well-known/acme-challenge/test.htm

I don't understand why DA implements this and blocks direct access to the "acme-challenge" folder.

I also found that the only way to get rid of the 'unreachable' error is to disable the proxy on Cloudflare.
I don't understand why the proxy has to be disabled.
The verification is supposed to check for an auto-generated file located under the acme-challenge folder. The Cloudflare proxy should not affect this at all.
This is a Cloudflare issue as it's caching the response.

I added a page rule in Cloudflare which solves it for me for the domain:

*yourdomain.com/.well-known/acme-challenge/*

Cache Level: Bypass, Automatic HTTPS Rewrites: Off, Disable Performance
 

Thanks, I am not new to Cloudflare and Let's Encrypt.

I already have those rules to make sure that /.well-known/acme-challenge/ is accessed via HTTP.
I have no problems getting SSL certs for Cloudflare-proxied domains when using other control panels such as Virtualmin. But I just can't get the same thing working on DA.

Moreover, I don't understand why DA blocks direct access to the "acme-challenge" folder.

I created the path /.well-known/acme-challenge/ manually and put a test file in it to see if I can access it.

Failed to read back when test.htm is put into the following paths:
/.well-known/acme-challenge/test.htm
/.well-known/acme-challenge2/test.htm

Succeeded in reading back when test.htm is put into the following paths:
/.well-known/acme-challeng/test.htm
/.well-known/acme-challeng1/test.htm

===============
Updated #1

I finally just came across this.

By setting letsencrypt=2,
I can access the /.well-known/acme-challenge/test.htm page directly via web browser.
But I still get the "skipped due to unreachable" error when the domain is Cloudflare proxied.



===============
Updated #2

I also tried setting letsencrypt=1 back.
Then I put a test file at the path
/var/www/html/.well-known/acme-challenge/test

I confirmed that I can access the file via
mydomain.com/.well-known/acme-challenge/test


This time, when I tried to generate a Let's Encrypt cert with DA,
I kept checking /var/www/html/.well-known/acme-challenge/ to see if any new files were created.
I didn't see any new files auto-generated, and then I received the error message below.

[attachment: da-cert.jpg]


Even when I turn off the Cloudflare proxy and let the Let's Encrypt cert be created,
I find that no new files are created in /var/www/html/.well-known/acme-challenge/ during the verification process.

It seems that DA is currently only able to use the DNS-01 challenge to do the verification.
And for some unknown reason, the HTTP-01 challenge verification method is currently not working at all.
I just checked letsencrypt.sh.

I found that under the challenge_check() function, many conditions trigger the following code:
rm -f ${WELLKNOWN_PATH}/${TEMP_FILENAME}

Maybe that's the reason why I never saw new files generated in /var/www/html/.well-known/acme-challenge/

I think the current version of letsencrypt.sh (2.0.19) has bugs and therefore the HTTP-01 challenge verification method is unusable.

By the way, I think it's better to separate the pre-check functions for the HTTP-01 challenge method and the DNS-01 challenge method. I hope this problem will be fixed soon.
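The thread above boils down to two things a practitioner wants to verify by hand before blaming the control panel: that the file the ACME server will fetch from /.well-known/acme-challenge/ is actually reachable over plain HTTP through the Cloudflare proxy (no HTTPS redirect, no cached stale body, no 403/404 from the vhost), and what that file is supposed to contain (the RFC 8555 key authorization, token plus the account key's RFC 7638 JWK thumbprint). The following stand-alone pre-check is an added example written for this page; it is not DirectAdmin's letsencrypt.sh, and the domain, web root and JWK in it are constructed placeholders. The only vendor-specific assumption is Cloudflare's cf-cache-status response header, which is used to tell a cached stale response apart from a genuinely wrong file.

```python
"""HTTP-01 reachability pre-check (added example, not DirectAdmin's letsencrypt.sh)."""
import base64
import hashlib
import json
import os
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the ACME server expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, body: str) -> str:
    """Drop the challenge file where the vhost serves /.well-known/acme-challenge/ from."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


@dataclass
class Diagnosis:
    ok: bool
    reason: str


def diagnose(status: int, headers: dict, body: str, expected: str) -> Diagnosis:
    """Explain a fetch result in terms of the failure modes seen in the thread."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        return Diagnosis(False, f"redirected to {h.get('location')}: turn off Always Use HTTPS / "
                                "Automatic HTTPS Rewrites for the acme-challenge path")
    if status in (401, 403):
        return Diagnosis(False, f"HTTP {status}: the web server or an access rule denies the acme-challenge path")
    if status == 404:
        return Diagnosis(False, "HTTP 404: the token file is not served from the web root this vhost really uses")
    if status != 200:
        return Diagnosis(False, f"unexpected HTTP {status}")
    if body.strip() != expected:
        if h.get("cf-cache-status", "").upper() == "HIT":
            return Diagnosis(False, "stale cached response (cf-cache-status: HIT): set Cache Level: Bypass "
                                    "for the acme-challenge path")
        return Diagnosis(False, "body does not match the key authorization")
    return Diagnosis(True, "challenge response served correctly")


def fetch(url: str, timeout: float = 10.0):
    """GET without following redirects, so a 3xx is reported rather than silently followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # returning None makes urllib raise HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", errors="replace")


def precheck(domain: str, webroot: str, jwk: dict) -> Diagnosis:
    """Place a random token, fetch it the way an ACME validator would, then clean up."""
    token = secrets.token_urlsafe(32)
    expected = key_authorization(token, jwk)
    path = write_challenge(webroot, token, expected)
    try:
        status, headers, body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
        return diagnose(status, headers, body, expected)
    finally:
        os.remove(path)  # same cleanup letsencrypt.sh does, but only after the fetch


if __name__ == "__main__":
    # Constructed placeholders: replace with the real account key JWK, domain and web root.
    EXAMPLE_JWK = {"kty": "RSA", "n": "example-modulus-not-a-real-key", "e": "AQAB"}
    print(precheck("mydomain.example", "/var/www/html", EXAMPLE_JWK))
```

Run it on the server that hosts the vhost, pointing webroot at whichever directory the web server actually maps /.well-known/acme-challenge/ to (with DirectAdmin's letsencrypt=1 setting the thread found that to be /var/www/html). A redirect or a cf-cache-status: HIT in the result means the Cloudflare page rule is wrong or not matching; a 404 with the file present on disk means the vhost is serving the path from somewhere else.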