I am running nginx and cloudflare. For nginx ssl I use letsencrypt via certbot, which handles the connection from my server to cloudflare. cloudflare itself has an additional certificate, which handles the connections between cloudflare and the website users. The problem is now that I have to pause cloudlfare everytime when I renew letsencrypt:
sudo certbot renew
Else I get an error:
Incorrect validation certificate for tls-sni-01 challenge requested.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Is there another way to auto renew it without pausing cloudflare?
I ran into this before and thought some Cloudflare page rules would help
Rule 1 http://.domain.com/.well-known/acme-challenge/ => cache level = standard
Rule 2 http://*.domain.com/ => Always use HTTPS
This seemed to work fine for all my domains until just today, one of them failed to renew certbot correctly, so I am also interested in anybody else's input.
Log into CloudFlare and go to DNS
You will see an A/AAAA record and if it says Proxied, you need to set it to DNS Only. Then you can go and do certbot renew and it will succeed.
If you go back to Cloudflare you can set it back to Proxied
Related
I have a website for my podcast built with Python / Django that is hosted on Heroku: https://dinpodcast.herokuapp.com/
I have a custom domain parked on GoDaddy, dinpodcast.com, that has a www CNAME directing to my heroku application. This works just fine: https://www.dinpoddcast.com
I wanted dinpodcast.com to redirect to the www website, so I have the following domain forwarding set up on Godaddy:
This also works great, for the most part. Now, when I enter http://dinpodcast.com, or just dinpodcast.com, both will redirect to https://www.dinpodcast.com.
Here's the problem. When I enter the naked domain WITH HTTPS, so when I enter https://dinpodcast.com into a browser's address bar, I get the following response:
Here's what I THINK is happening. My SSL certificate is provided by Heroku under their Automated Certificate Management program. So, I assume that since I don't have an SSL certificate with GoDaddy, it's timing out trying to find one before it can redirect to my www subdomain. Would this be correct? If so, is there any way around this WITHOUT buying an SSL certificate with GoDaddy? If that's not what's happening, then what is and how do I fix it?
When you create an ssl certificate in your domain do you include your root domain? Tried using this tool in your root domain and it seems that there is no ssl certificate. However the subdomain https://dinpodcast.herokuapp.com/ has one. I suggest putting an ssl certificate in all subdomain and root domain that you are using.
I also checked the root domain’s IP address using this tool and checked port 443 using another tool and apparently the port is closed. Double check your firewall and make sure 443 is open.
I am facing a weird issue. I do not know if it is Nginx related or DNS related but here is the problem :
I have a domain that is fine, let's say foobar.com , SSL does not face any issue. Both www. and root domain work with HTTPS.
I have a second domain, let's say foobaz.net, I need to redirect it to foobar.com in every situations (both www. and root domains).
It does actually redirect, but when I try to access https://foobaz.net/ I get a HTTPS error/warning before being redirected to https://foobar.com/ after adding it the the SSL exceptions of Chrome (https://foobar.com/ SSL certificate is OK once I get past https://foobaz.net/ SSL warning).
I do not know if it is Nginx related or DNS related, any clue of what is happening here ?
Thanks in advance.
Any https connection checks the ssl certificate before proceeding to do what it needs to do in the server(in your case, a redirection). You may have a certificate for foobar.com, which is perfectly fine, but if you don't have a valid foobaz.com certificate. That's why the error shows up, foobaz is not "secure".
A https connection is secure if all the points between you and the endpoint are secure, not only the endpoint. If foobaz is not certified, that is a non-secure middle point on your connection, and that's why the warning happens.
Get a SSL certificate for foobaz too, and the whole connection will be secure.
I've problems creating letsencrypt certs with the certbot.
Because I don't know where the problem is, I will just write everything down which can be the root cause:
I do have a domain and one subdomain. There is a Nginx which redirects the subdomain to the domain on a specific port.
Now I run the certbot for my domain without the subdomain at first.
sudo certbot --nginx -d domain.de -d www.domain.de
This leads to the following error:
Domain: domain.de Type: unauthorized Detail: Invalid
response from
http://domain.de/.well-known/acme-challenge/Y_Ka6V9JlHjBqjqanHLthoVL9F2yju_2TczRPwkBD0s:
"\n\n300 Multiple Choices\n\nMultiple C"
Domain: www.domain.de Type: unauthorized Detail: Invalid
response from
http://www.domain.de/.well-known/acme-challenge/Vf234FTDH7zH5TUBbBwVGfPVLK3m5rllc1s3Cu9KK3I:
"\n\n300 Multiple Choices\n\nMultiple C"
I couldn't find much except this thread. Letsencrypt Community
So I guess it is realted to my DNS Settings. I rent the domain via 1&1 and created a subdomain as well. Because I was playing around with Nginx redirects and the DNS settings, I configured the subdomain to have the same IPv4 & IPv6 as the domain. Could this be the problem or do I have to look somewhere else?
Best regards from Berlin!
I checked the IPv6 address with nslookup and this pointed to somewhere else. I do not understand how this can happen because I never touched the IPv6 (AAAA) record. I guess Certbot is checking A and AAAA and because they did not match the authentication failed.
I deleted the AAAA records for the domain and was able to get a cert without a problem.
I have one domain purchased from GoDaddy.
lets say it is www.example.com, I have purchased wild card SSL certificate from GoDaddy for this domain.
This domain is pointing to one of my app on Heroku. When I type http://www.example.com, it is working fine. But when I type https://www.exapmle.com,
It says "web page not available" and error code is:
"ERR_CONNECTION_REFUSED".
So do I need to add SSL certificate on Heroku too? How https will work on my site when it's pointing to Heroku? Thank you in advance.
You need to upload your SSL certificate to Heroku with its CLI command heroku certs:add. Probably you also need to activate an SSL Endpoint addon ($20/month) and set your DNS CNAME pointing to it.
See https://devcenter.heroku.com/articles/ssl-endpoint#provision-the-add-on for details, and subsequent sections.
This is the scenario:
There is a valid SSL certificate configured in Apache for www.example.ac.za.
There is a parked domain of www.example.co.za without a valid SSL certificate.
To avoid having to purchase two certificates the client would like the .co.za to redirect to .ac.za. I understand (and have found) that this can not be done in the .htaccess as the presentation of the SSL certificate is done first.
Can one turn SSL off for .co.za but have it remain on for .ac.za? Would this resolve the problem?
Additional Info
These domains are configure in Apache as VirtualHosts with their own .conf and ssl.conf files.
Redirects are done to make sure the root of these domains end up at https://www.example.ac.za
Would appreciate some insight pls :)
Can one turn SSL off for .co.za but have it remain on for .ac.za? Would this resolve the problem?
You can remove the SSL vhost for .co.za so if someone attempts to go to https://www.example.co.za they'd get a site not found. But if you want anything to appear when they go to the https website for .co.za, then there must be something listening to the SSL port (443) that expects requests for the .co.za domain. And like you understand, in order to do that, you need a valid certificate unless you're ok with the security exception.
The other thing you can do is buy a single cert for both domains. There's nothing else you can do in the server/vhost configs. Doesn't matter if it's htaccess or not, a redirect happens after a successful SSL handshake.