My YunoHost server
Hardware: VPS bought online
YunoHost version: 18.104.22.168
I have access to my server: through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Description of my issue
I’m using Cloudflare for DNS and CDN purposes and I’ve noticed just recently that my SSL certs from Let’s Encrypt are not renewing. I tried manually renewing them and realized the issue was that, because the CDN feature is enabled, it would look for Cloudflare’s IP instead of mine, and because of that the certs were not automatically renewed.
Info: Now attempting install of certificate for domain foo.com!
Warning: Debug information:
- domain ip from DNS 22.214.171.124
- domain ip from local DNS 185.xxx.xxx.xxx
- public ip of the server 185.xxx.xxx.xxx
Is there a way to do that? Just tried with --no-checks but it didn’t work.
I know I could disable CF, but I wanna use it.
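The three "Debug information" lines above are the whole diagnosis: the public DNS answer is a Cloudflare edge address while the server's own resolver and its public IP agree, so the HTTP-01 validation request lands on Cloudflare rather than on this host. The following script is an added example, not YunoHost's own certificate code: it parses that debug block and classifies the mismatch, using a snapshot of Cloudflare's published IPv4 ranges (an assumption; the current list lives at https://www.cloudflare.com/ips-v4) and a constructed sample block with documentation addresses rather than the poster's real output.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: copied from
# https://www.cloudflare.com/ips-v4 when this example was written; refresh it
# before relying on it in a real check).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The three lines YunoHost prints under "Debug information" (see the post above).
_DEBUG_LINE = re.compile(
    r"^\s*-\s*(domain ip from DNS|domain ip from local DNS|public ip of the server)\s+(\S+)\s*$"
)


def is_cloudflare_edge(ip: str) -> bool:
    """True if `ip` belongs to one of Cloudflare's edge ranges (orange-cloud proxy)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_debug(text: str) -> dict:
    """Pull the three addresses out of the YunoHost debug block, keyed by their label."""
    found = {}
    for line in text.splitlines():
        m = _DEBUG_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def diagnose(dns_ip: str, local_dns_ip: str, public_ip: str) -> str:
    """Classify the mismatch the certificate installer complained about.

    ok            -> public DNS points at this server, HTTP-01 can reach it
    proxied       -> public DNS points at a Cloudflare edge while the server's
                     own resolver still answers the real address: orange cloud on
    wrong-record  -> the A record points somewhere else entirely
    """
    if dns_ip == public_ip:
        return "ok"
    if is_cloudflare_edge(dns_ip):
        return "proxied" if local_dns_ip == public_ip else "proxied-and-local-dns-wrong"
    return "wrong-record"


def diagnose_debug_block(text: str) -> str:
    ips = parse_debug(text)
    return diagnose(ips["domain ip from DNS"],
                    ips["domain ip from local DNS"],
                    ips["public ip of the server"])


# Constructed sample, not the poster's real output: the public answer is a
# Cloudflare edge address; the local resolver and the server agree on a
# TEST-NET-2 documentation address.
SAMPLE_DEBUG = """\
Warning: Debug information:
- domain ip from DNS 104.16.132.229
- domain ip from local DNS 198.51.100.10
- public ip of the server 198.51.100.10
"""

if __name__ == "__main__":
    print(diagnose_debug_block(SAMPLE_DEBUG))  # proxied
```

A "proxied" verdict means no amount of retrying or --no-checks will help: the ACME server fetches http://foo.com/.well-known/acme-challenge/... from the address in public DNS, and that is Cloudflare, not this server.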
I don’t think there’s any obvious fix … the way Let’s Encrypt works relies on your DNS record pointing to the right IP. If that’s not the case then it can’t work. Though there are alternative “challenges” in Let’s Encrypt which allow delivering a certificate through different methods, e.g. a DNS challenge. But it’s not integrated in YunoHost, so it’s up to you to tweak whatever needs to be tweaked to make it work …
The solution is on the Cloudflare side.
Under Page Rules, create a page rule as the first rule,
add the setting SSL and set it to
Then add a record of type CAA.
Under tag you have to choose whether you allow Let’s Encrypt to deliver * (wildcard) certificates or certificates for a specific hostname (which I prefer).
You will end up with something like this:
CAA domain.tld 0 issue "letsencrypt.org" Automatic
But in the end, whether it is Let’s Encrypt or the self-signed certificate already generated by YunoHost, it will change nothing: everything will be encrypted from user to Cloudflare and then from Cloudflare to your YunoHost, which means you and your users have to trust Cloudflare because they act as a man in the middle.
If it is still not working, try reducing the Max Age Header (max-age) to 2 months under Crypto and HSTS.
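The CAA record suggested above only tells CAs who is allowed to issue for the name; it does not by itself make a challenge succeed. To see what such a record actually permits, here is an added example (not YunoHost's or Cloudflare's code) that evaluates a CAA record set the way RFC 8659 prescribes: walk from the requested name up towards the root, take the first name that has CAA records, prefer issuewild for wildcard requests and fall back to issue, and treat a bare ";" as "no CA may issue". The zone below is constructed for the example, using the record from the post on the apex plus a subdomain that forbids every CA.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = issuer-critical
    tag: str     # issue / issuewild / iodef
    value: str   # issuer domain, possibly with ";param=value", or ";" alone


def parse_caa(text: str) -> CAA:
    """Parse the presentation form Cloudflare shows, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_caa(zone: dict, name: str) -> list:
    """RFC 8659 lookup: the CAA set of the closest ancestor (or the name itself) that has one."""
    labels = name.lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_allows(zone: dict, name: str, issuer: str, wildcard: bool = False) -> bool:
    """Return True if `issuer` (an issuer-domain-name such as letsencrypt.org) may issue for `name`."""
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # A critical property this code does not understand must block issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    issue = [r for r in rrset if r.tag == "issue"]
    # Wildcard requests are governed by issuewild when present, else by issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only iodef (or only issuewild for a non-wildcard): unrestricted
    # Strip any ";key=value" parameters; a bare ";" leaves an empty name.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    allowed.discard("")  # a bare ";" names no CA and so forbids issuance
    return issuer.lower() in allowed


# Constructed zone for the example: the record from the post above on the apex,
# plus a subdomain that forbids every CA.
ZONE = {
    "domain.tld": [parse_caa('0 issue "letsencrypt.org"')],
    "locked.domain.tld": [parse_caa('0 issue ";"')],
}

if __name__ == "__main__":
    for n, w in (("domain.tld", False), ("www.domain.tld", False),
                 ("*.domain.tld", True), ("locked.domain.tld", False)):
        print(n, caa_allows(ZONE, n, "letsencrypt.org", wildcard=w))
```

Note that the apex record also covers www.domain.tld (no CAA of its own, so the parent's set applies) and, because no issuewild record exists, the same issue record governs *.domain.tld as well.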
Would that work with the Full SSL (Strict) config from Cloudflare?
According to Cloudflare, this means that your traffic is encrypted at all stages, if I understood correctly.