[Cloudflare] Fix errors when renewing Let’s encrypt cert

Last updated on February 23, 2022 by Hadrianus

If you’re using both Cloudflare and Let’s Encrypt for your website, you may face an error when renewing your cert. The error message is similar to this:

http-01 challenge for your-domain.com
http-01 challenge for www.your-domain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (your-domain.com) from /etc/letsencrypt/renewal/your-domain.com.conf produced an unexpected error: Failed authorization procedure. your-domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.your-domain.com/.well-known/acme-challenge/...

Don’t panic. This article walks you through 3 different ways to solve the problem.
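To see what the Let’s Encrypt validator sees, it helps to reproduce the http-01 request yourself. The validator fetches http://your-domain.com/.well-known/acme-challenge/&lt;token&gt;, follows any redirect (which is why the error above reports an https:// URL), and expects the bare token in the response body. When the domain is proxied by Cloudflare, that request is answered by Cloudflare, so its redirect rules and its connection to your origin (governed by the SSL/TLS mode) sit between the validator and your web server. The following probe script is an added example, not part of the original article; it assumes curl is installed and that the second argument is the webroot directory your web server serves for the domain.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the http-01 request
# the ACME validator makes, so the renewal failure can be diagnosed before
# running "certbot renew". Assumes curl and a webroot path (both assumptions).
set -eu

# Classify what the validator would see. Arguments: HTTP status, final URL
# after redirects, response body, expected token. Prints a one-line verdict
# and returns 0 only when the challenge would pass.
classify_probe() {
    status="$1"; final_url="$2"; body="$3"; expected="$4"
    if [ "$status" = "200" ] && [ "$body" = "$expected" ]; then
        echo "OK: token served as-is"
        return 0
    fi
    case "$final_url" in
        https://*) where="after redirect to $final_url" ;;
        *)         where="at $final_url" ;;
    esac
    if [ "$status" = "200" ]; then
        echo "FAIL: status 200 but body differs from token $where (wrong vhost or cached page?)"
    else
        echo "FAIL: status $status $where (proxy or origin error page instead of token)"
    fi
    return 1
}

# Live probe: drop a throwaway token into the challenge directory, fetch it
# through the public hostname the way the validator does, and classify the result.
probe_domain() {
    domain="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    # -L follows the same redirects the validator follows; -w appends status and final URL
    out=$(curl -sS -L -w '\n%{http_code}\n%{url_effective}' \
          "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    body=$(printf '%s\n' "$out" | sed '$d' | sed '$d')
    status=$(printf '%s\n' "$out" | tail -n 2 | head -n 1)
    final=$(printf '%s\n' "$out" | tail -n 1)
    classify_probe "${status:-000}" "${final:-http://$domain}" "$body" "$token"
}

# Usage: sh probe.sh run your-domain.com /var/www/html
if [ "${1:-}" = "run" ]; then
    probe_domain "$2" "$3"
fi
```

If the verdict reports a redirect to https:// followed by an error status, the request reached Cloudflare but Cloudflare could not get a valid answer from your origin over HTTPS; if it reports a 200 with a different body, some other page (a cached response or another virtual host) is being served at the challenge path.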

Manually Renew your Certs

This approach is quick and easy.

Firstly, just log in to your Cloudflare account, select the site you want to work with, then navigate to “SSL/TLS”:

After that, select the radio button next to “Off (not secure)” or “Flexible”. I personally think the second choice is better.

Now, connect to your server using an SSH client and run the following command:

sudo certbot renew --dry-run

If it works, the output should look like this:

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/your-domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

The last thing to do is go back to your Cloudflare account and change the SSL/TLS setting back to what it was before.
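The dashboard steps above can be scripted as certbot hooks so the mode is lowered only for the duration of the renewal and restored automatically afterwards. The script below is an added example, not code from the original article. It assumes the Cloudflare v4 API endpoint GET/PATCH /zones/{zone_id}/settings/ssl, mode values off, flexible, full and strict, and an API token with permission to edit zone settings (all of these are assumptions to verify against Cloudflare’s API documentation), plus curl; CF_ZONE_ID and CF_API_TOKEN are read from the environment.

```shell
#!/bin/sh
# Added example (not from the original article): certbot pre/post hooks that
# switch the Cloudflare SSL/TLS mode to Flexible before renewal and restore the
# saved mode afterwards. Endpoint, mode names and required token scope are
# assumptions; CF_ZONE_ID and CF_API_TOKEN come from the environment.
set -eu

API="https://api.cloudflare.com/client/v4"
STATE_FILE="${STATE_FILE:-/var/lib/letsencrypt/cf-ssl-mode.prev}"

# Pull the "value" field out of a Cloudflare settings response without needing jq.
ssl_mode_from_json() {
    printf '%s' "$1" | tr -d ' \n\t' | sed -n 's/.*"value":"\([a-z_]*\)".*/\1/p'
}

# Only send mode names we expect; anything else is refused before it reaches the API.
valid_ssl_mode() {
    case "$1" in off|flexible|full|strict) return 0 ;; *) return 1 ;; esac
}

cf_get_mode() {
    resp=$(curl -sS "$API/zones/$CF_ZONE_ID/settings/ssl" \
        -H "Authorization: Bearer $CF_API_TOKEN")
    ssl_mode_from_json "$resp"
}

cf_set_mode() {
    valid_ssl_mode "$1" || { echo "invalid SSL mode: $1" >&2; return 1; }
    curl -sS -X PATCH "$API/zones/$CF_ZONE_ID/settings/ssl" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "{\"value\":\"$1\"}" >/dev/null
}

case "${1:-}" in
  pre)   # --pre-hook: remember the current mode, then drop to Flexible
         cf_get_mode > "$STATE_FILE"
         cf_set_mode flexible ;;
  post)  # --post-hook: restore whatever mode was in use before renewal
         prev=$(cat "$STATE_FILE")
         cf_set_mode "$prev" && rm -f "$STATE_FILE" ;;
esac
# Usage:
#   certbot renew --pre-hook "/usr/local/sbin/cf-ssl-hook.sh pre" \
#                 --post-hook "/usr/local/sbin/cf-ssl-hook.sh post"
```

Keep in mind what the workaround costs: while the zone is in Flexible (or Off) mode, traffic between Cloudflare and your origin travels over plain HTTP, so the window should be as short as the hooks make it, and the mode should be confirmed in the dashboard afterwards if the post hook did not run. The certbot-dns-cloudflare approach described next avoids that downgrade entirely.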

Using certbot-dns-cloudflare

This approach is a little bit risky and complicated if you are not familiar with deploying stuff. If you are a DevOps developer, you can follow these detailed instructions:
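For reference, here is what the plugin route looks like end to end, as an added example rather than instructions from the original article. With the DNS-01 challenge the validator checks a TXT record in your zone instead of fetching a URL, so Cloudflare’s proxy, its redirects and the SSL/TLS mode never enter the picture and nothing on the origin has to be downgraded. The script assumes the plugin is installed (the python3-certbot-dns-cloudflare package, or pip install certbot-dns-cloudflare), a Cloudflare API token scoped to edit DNS for the zone (scope is an assumption to check in Cloudflare’s docs), the credentials path /etc/letsencrypt/cloudflare.ini, and CF_API_TOKEN in the environment.

```shell
#!/bin/sh
# Added example (not from the original article): obtain the certificate with the
# certbot-dns-cloudflare plugin. Plugin install method, token scope and the
# credentials path are assumptions.
set -eu

CREDS="${CREDS:-/etc/letsencrypt/cloudflare.ini}"

# Write the credentials file certbot reads. The umask runs in a subshell so the
# file is created 0600 from the start and the token is never world-readable.
write_cloudflare_credentials() {
    path="$1"; token="$2"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path" )
    chmod 600 "$path"
}

# The plugin warns about unsafe permissions on the credentials file; check the
# same thing before calling certbot (portable: uses ls rather than stat flags).
credentials_are_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Issue the cert for the bare domain and www. After the first success certbot
# records the plugin in /etc/letsencrypt/renewal/<domain>.conf, so a plain
# "certbot renew" reuses it from then on.
request_cert() {
    domain="$1"
    credentials_are_private "$CREDS" || { echo "$CREDS must be mode 600" >&2; return 1; }
    certbot certonly --dns-cloudflare \
        --dns-cloudflare-credentials "$CREDS" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$domain" -d "www.$domain"
}

# Usage: CF_API_TOKEN=... sh dns-cloudflare.sh run your-domain.com
if [ "${1:-}" = "run" ]; then
    write_cloudflare_credentials "$CREDS" "$CF_API_TOKEN"
    request_cert "$2"
fi
```

The token in the ini file is a long-lived secret that can change your DNS records; keep it scoped to the one zone, keep the file mode at 600, and rotate it if the server is ever compromised.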

Remove Let’s Encrypt cert on your server

Another way to get rid of the error is to remove the Let’s Encrypt cert of your domain from your origin server and use only the cert from Cloudflare. For more details, see: Completely remove Let’s Encrypt SSL cert(s) of a domain.

It’s important to back up your server before making any changes, because unexpected situations always happen in the world of software development.

Final Words

We’ve covered 3 methods to solve a problem related to auto-renewing Let’s Encrypt on a website that uses Cloudflare. Continue exploring more interesting stuff about network and deployment by taking a look at the following articles:

I have made every effort to ensure that every piece of code in this article works properly, but I may have made some mistakes or omissions. If so, please send me an email: [email protected] or leave a comment to report errors.

1 Comment

So what’s wrong with using the built-in plugin provided by certbot: certbot-dns-cloudflare

Last edited 2 years ago by Tim
