Letsencrypt request returning Cloudflare error?

lonea (Verified User, joined Jan 3, 2009, 45 messages)
Tried to run a request_single on the server's hostname but getting the following return.

What's going on?

Generating RSA private key, 4096 bit long modulus
...........................................................................................................................++
.........................................++
e is 65537 (0x10001)
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
Full nonce request output:
HTTP/2 200
server: nginx
date: Tue, 25 Jan 2022 15:33:07 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001RA9UZw5qDVMqXkClEs7s84TwjupKgglq2GLxQi4oHAM
x-frame-options: DENY
strict-transport-security: max-age=604800
 
Not sure if it's related, but we're also experiencing a ton of issues with SSL renewal on domains proxied through Cloudflare, and this is a new problem.
 
Is it related to
 
Unfortunately, no. We've been experiencing this issue for several weeks. It just appeared out of nowhere and we don't know why. All domains on the server, proxied through Cloudflare, cannot renew the root domain. Only the service renewals are successful (pop.{domain}, etc...), which obviously does no good, and we're at our wits' end trying to figure it out.
 
Are you on the latest updates and a fully updated OS? Are you using LEGO with DNS providers?

 
Actually just before you wrote that, I noticed that yum was listing no updates when I know for a fact there should be some available. Looks like we might not be up to date on the OS.

Let me get that fixed and then we'll see where we're at.
Thanks!
 
That did it. The local ca-store on the server was out of date and not being updated by yum due to a package issue, so the connections weren't even being made to the Let's Encrypt endpoint. Fixed that and all is well.
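The root cause above (a stale local CA store making the TLS connection to the ACME endpoint fail, which the client then reports only as "Nonce is empty") is worth checking for explicitly before a renewal run. The following Python pre-flight check is an added example, not code from this thread or from DirectAdmin's letsencrypt.sh: it verifies that ISRG Root X1 (Let's Encrypt's root) is present in the system trust store, parses a raw header block for the replay-nonce header, and, when run directly, discovers the newNonce URL from the ACME directory and fetches a nonce with certificate verification enabled so that a trust-store failure surfaces as an explicit SSL error rather than an empty nonce. The sample header block is constructed from the headers quoted earlier in the thread; the host name and the directory-discovery flow are the standard ACME v2 ones.

```python
"""Pre-flight check for an ACME client run (added example, not DirectAdmin's code)."""
import http.client
import json
import ssl
import urllib.parse
from typing import Optional

ACME_HOST = "acme-v02.api.letsencrypt.org"

# Constructed sample: the header block quoted in the thread, as curl -i would print it.
SAMPLE_NONCE_RESPONSE = """HTTP/2 200
server: nginx
date: Tue, 25 Jan 2022 15:33:07 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001RA9UZw5qDVMqXkClEs7s84TwjupKgglq2GLxQi4oHAM
x-frame-options: DENY
strict-transport-security: max-age=604800
"""


def parse_replay_nonce(raw_headers: str) -> Optional[str]:
    """Return the replay-nonce value from a raw header block, or None if the
    header is absent or empty. Header names are matched case-insensitively."""
    for line in raw_headers.splitlines():
        if ":" not in line:
            continue  # status line such as "HTTP/2 200", or a blank line
        name, _, value = line.partition(":")
        if name.strip().lower() == "replay-nonce":
            return value.strip() or None
    return None


def trust_store_has_isrg_root(ctx: Optional[ssl.SSLContext] = None) -> bool:
    """True if the loaded CA store contains ISRG Root X1. A trust store that
    lacks it cannot verify the Let's Encrypt endpoint, so the TLS handshake
    fails before any nonce is ever received."""
    ctx = ctx or ssl.create_default_context()
    for cert in ctx.get_ca_certs():
        # 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs
        subject = {attr: val for rdn in cert.get("subject", ()) for attr, val in rdn}
        if subject.get("commonName") == "ISRG Root X1":
            return True
    return False


def fetch_new_nonce(host: str = ACME_HOST, timeout: float = 10.0) -> str:
    """Discover newNonce from /directory and HEAD it with certificate
    verification on. Raises instead of returning an empty nonce."""
    ctx = ssl.create_default_context()  # verifies against the system CA store
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/directory")
        resp = conn.getresponse()
        directory = json.loads(resp.read())
        path = urllib.parse.urlparse(directory["newNonce"]).path
        conn.request("HEAD", path)
        resp = conn.getresponse()
        resp.read()
        raw = "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
        nonce = parse_replay_nonce(raw)
        if nonce is None:
            raise RuntimeError(f"no Replay-Nonce in {path} response (HTTP {resp.status})")
        return nonce
    finally:
        conn.close()


if __name__ == "__main__":
    if not trust_store_has_isrg_root():
        print("WARNING: ISRG Root X1 not found in the system trust store; update ca-certificates")
    try:
        print("new nonce:", fetch_new_nonce())
    except ssl.SSLCertVerificationError as exc:
        # This is the failure the ACME client hid behind "Nonce is empty."
        print("TLS verification failed (stale or missing CA store?):", exc)
```

Run it on the server before the scheduled renewal; a certificate-verification exception, rather than a silent empty nonce, points straight at the trust store, and the ISRG Root X1 check tells you whether the package update actually refreshed it.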
 
Well, I spoke too soon. Like clockwork, this morning we received an inbox full of failed renewals.

{domain} was skipped due to unreachable http://{domain}/.well-known/acme-challenge/ file.
www.{domain} was skipped due to unreachable http://www.{domain}/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

And so we manually logged in to each and every one of those domains in DA and issued a Let's Encrypt certificate via the interface and each and every one went through without issue. There is definitely something screwy going on.
 
No. And they're all domains that have been on the server for over a year with LE active on them.

We'll see how the next round of auto renewals goes. If still failing, we'll just open a ticket.
 