Let's Encrypt Renewal Failing "During secondary validation: Invalid response" (AWS Behind Cloudflare)

OS type and version CentOS 6.10
Webmin version 1.984
Virtualmin version 1.834
Related packages SUGGESTED

I am posting this in case someone else runs into this problem. Last December, Let’s Encrypt renewals failed for multiple hosts after working fine for years (with a few minor hiccups). The workaround was to temporarily disable Cloudflare proxy for the affected hosts. The same problem occurred yesterday. The error message implied that https://acme-v02.api.letsencrypt.org/acme/chall-v3/… resolved the hosts to both ipv4 and ipv6 Cloudflare proxy server addresses. Let’s Encrypt prioritizes ipv6 addresses, but AWS does not fully support ipv6. I can access the .well-known/acme-challenge file created by the renewal process, but then my ISP only supports ipv4.

Even if no AAAA records have been defined in the Cloudflare DNS for hosts using Cloudflare’s Flexible SSL proxy services, it appears that the Cloudflare DNS is returning ipv6 addresses There is some information at https://community.weebly.com/t5/Domains/Cloudflare-DNS-is-IPv6-Weebly-Balks-on-AAAA-Record-for-SSL/td-p/107713 along with a bypass - switch to Cloudflare Full SSL. One of my domains is running Full SSL and seems to have automatically renewed.

I can understand that Cloudflare wants to move their proxy servers to ipv6 but am not clear why the mapping the ipv6 proxy to the ipv4 host is not working. I will dig further but expect the first answer is that I should not be using Flexible SSL. Then again, I should be off CentOS 6 as well - just not enough hours in the day.

I have successfully upgraded all my virtualmin servers from Cloudflare “Flexible” to “Full (strict)”. For those not familiar with Cloudflare, “Flexible” secures the connection between users and Cloudflare edge servers, but Cloudflare communicates via http with my servers. With “Full (strict)”, the Cloudflare edge servers connect to my servers using my servers’ Let’s Encrypt SSL certificates.

To migrate, I updated my servers to redirect all http traffic to https except for any traffic coming in from Cloudflare. It turns out one sub-domain had an expired SSL certificate which broke Let’s Encrypt renewal. Steps included:

  • disable the firewall filter that blocked any traffic not arriving via Cloudflare
  • disable Cloudflare proxy for that subdomain
  • disable http to https redirect for the .well-known directory
  • fetch the Let’s Encrypt SSL certificate
  • enable Cloudflare proxy
  • enable the block for all non-Cloudflare traffic

I will probably disable the http to https redirect for .well-known in case a certificate expires before I can correct the issue.

Below are my current .htaccess rules. I am no expert at Rewrite - I am sure they could be improved. I have manually renewed all my Let’s Encrypt SSL certificates - the test is whether the automatic renewals work in two months.

<IfModule mod_rewrite.c>
  RewriteEngine on
# Block access to "hidden" directories whose names begin with a period, except for Let's Encrypt
  RewriteRule "/\.|^\.(?!well-known/)" - [F]
# redirect HTTP to HTTPS unless accessed via Cloudflare Flexible SSL
  RewriteCond %{HTTPS} !=on [NC]
  RewriteCond %{HTTP:CF-Visitor} !^.*"https".*$
# handle condition where SSL certificate does not exist or expired
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$
  RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.