[Cloudflare] Fix errors when renewing Let’s Encrypt cert
If you’re using both Cloudflare and Let’s Encrypt for your website, you may face an error when renewing your cert. The error message is similar to this:
http-01 challenge for your-domain.com
http-01 challenge for www.your-domain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (your-domain.com) from /etc/letsencrypt/renewal/your-domain.com.conf produced an unexpected error: Failed authorization procedure. your-domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.your-domain.com/.well-known/acme-challenge/...
Don’t panic. This article walks you through three different ways to solve the problem. All three work around the same situation: with the Cloudflare proxy in front of your origin, the HTTP-01 validation request from Let’s Encrypt is answered by Cloudflare rather than by your server directly, and the https:// URL in the error above shows that the request was redirected to HTTPS on the way. Typically the HTTPS hop then fails because the origin certificate has already expired while Cloudflare is set to Full or Full (strict), so the challenge file is never returned.
Manually Renew your Certs
This approach is quick and easy.
First, log in to your Cloudflare account, select the site you want to work with, then navigate to “SSL/TLS”:

After that, select the radio button next to “Off (not secure)” or “Flexible”. Flexible is the better choice: visitors still get HTTPS to Cloudflare, and only the hop between Cloudflare and your origin is downgraded to plain HTTP, which is what lets Cloudflare fetch the challenge file from your origin even though the origin certificate has expired. “Off” disables HTTPS for visitors entirely. Either setting is a temporary downgrade, so plan to revert it as soon as the renewal is done.
Now, connect to your server using an SSH client and run the following command:
sudo certbot renew --dry-run
This only simulates the renewal. If the simulation succeeds, the output looks like this:
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/your-domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
A dry run talks to the Let’s Encrypt staging environment and saves nothing, so once it succeeds run the same command again without --dry-run to renew the certificate for real. The last thing to do is go back to your Cloudflare account and set SSL/TLS back to the mode you were using before (Full or Full (strict)), so that traffic between Cloudflare and your origin is encrypted again.
Using certbot-dns-cloudflare
This approach takes more setup, but it is the durable fix: the DNS-01 challenge proves control of the domain through a TXT record that the plugin creates via the Cloudflare API, so it does not depend on port 80, on the proxy, on the SSL/TLS mode, or on the origin’s current certificate, and it is the only challenge type that can issue wildcard certificates. The price is an API token on your server that can edit your DNS, which must be scoped to the one zone and kept readable by root only. If you are comfortable with deployment work, follow these detailed instructions:
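As an added example, not code from the article, the following shell script shows the DNS-01 route end to end: it writes the credentials file for certbot-dns-cloudflare with the permissions certbot requires, checks the file before use, and assembles the issuance command. The credentials path /etc/letsencrypt/cloudflare.ini, the environment variables CF_API_TOKEN and CF_DRY, the token value, the domain names and the 30-second propagation wait are all assumed placeholders, not values from the article.

```shell
#!/usr/bin/env bash
# Added example for the certbot-dns-cloudflare (DNS-01) route; not from the article.
# Assumed placeholders: credentials path, CF_API_TOKEN, CF_DRY, domain names.
set -eu

# Write the credentials file readable by its owner only. Use a scoped Cloudflare
# API token (Zone:DNS:Edit, restricted to this zone), never the Global API Key:
# anyone who can read this file can rewrite your DNS records.
write_cf_credentials() {
  local path="$1" token="$2"
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path" )
  chmod 600 "$path"   # umask does not tighten a file that already existed
}

# certbot refuses a credentials file that other users can read, so fail early.
# Returns 0 when the file exists, is mode 600 and contains the token key.
check_cf_credentials() {
  local path="$1" mode
  [ -f "$path" ] || { echo "missing $path" >&2; return 1; }
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ] || { echo "$path must be mode 600, is $mode" >&2; return 1; }
  grep -q '^dns_cloudflare_api_token = ' "$path" \
    || { echo "no dns_cloudflare_api_token in $path" >&2; return 1; }
}

# Issue a certificate with the DNS-01 challenge. The plugin publishes the
# _acme-challenge TXT record through the Cloudflare API, so port 80, the proxy,
# the SSL/TLS mode and the origin's current certificate are never involved.
# Usage: cf_certbot <credentials-file> <domain>...   (CF_DRY=1 prints instead)
cf_certbot() {
  local creds="$1" d; shift
  # Turn the remaining domain list into repeated -d flags (POSIX, no arrays).
  for d in "$@"; do shift; set -- "$@" -d "$d"; done
  ${CF_DRY:+echo} certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials "$creds" \
    --dns-cloudflare-propagation-seconds 30 "$@"
}

# Runs only when CF_API_TOKEN is set, so the file can also be sourced for tests.
if [ -n "${CF_API_TOKEN:-}" ]; then
  write_cf_credentials /etc/letsencrypt/cloudflare.ini "$CF_API_TOKEN"
  check_cf_credentials /etc/letsencrypt/cloudflare.ini
  cf_certbot /etc/letsencrypt/cloudflare.ini your-domain.com www.your-domain.com
fi
```

Run it once with CF_DRY=1 to review the command, then without it to issue the certificate. certbot records the authenticator and credentials path in /etc/letsencrypt/renewal/your-domain.com.conf, so the renewal timer that produced the original error keeps working afterwards without any change to the Cloudflare SSL/TLS mode.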
Remove Let’s Encrypt cert on your server
Another way to get rid of the error is to remove the Let’s Encrypt certificate for your domain from your origin server and rely only on the certificate Cloudflare presents to visitors. Be clear about what that means: the origin then serves plain HTTP, so Cloudflare must stay in Flexible mode and the hop between Cloudflare and your server is unencrypted. If you go this route, a Cloudflare Origin CA certificate installed on the origin (free, long-lived, and trusted only by Cloudflare’s edge) lets you keep Full (strict) without any Let’s Encrypt renewals at all. For the removal steps, see: Completely remove Let’s Encrypt SSL cert(s) of a domain.
It’s important to back up your server before making any of these changes, because unexpected situations always happen in the world of software development.
Final Words
We’ve covered three methods to solve a problem with auto-renewing Let’s Encrypt certificates on a website that uses Cloudflare. Continue exploring more interesting stuff about networking and deployment by taking a look at the following articles:
- AWS Lightsail: Let’s Encrypt error
- How to Install Docker Compose on Ubuntu 21.04 and 21.10
- How to install Redis on macOS, Windows, and Ubuntu
- How to Install Node.js on Ubuntu 21.04 and 21.10
- How to enable HTTP/3 for a website on Cloudflare
I have made every effort to ensure that every piece of code in this article works properly, but I may have made some mistakes or omissions. If so, please send me an email: [email protected] or leave a comment to report errors.
So what’s wrong with using the built-in plugin provided by certbot: certbot-dns-cloudflare