Hardware: VPS bought online
YunoHost version: 3.6.4.3
I have access to my server: Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Description of my issue
I’m using Cloudflare for DNS and CDN purposes and I’ve noticed just recently that my SSL certs on Let’s Encrypt are not renewing. I tried manually renewing them and realized the issue was that because of the CDN feature being enabled, it would look for Cloudflare’s IP instead of mine and because of that the certs were not automatically renewed.
Info: Now attempting install of certificate for domain foo.com!
Warning: Debug information:
- domain ip from DNS 104.31.86.40
- domain ip from local DNS 185.xxx.xxx.xxx
- public ip of the server 185.xxx.xxx.xxx
Is there a way to do that? Just tried with --no-checks but it didn’t work.
I don’t think there’s any obvious fix … the way Let’s Encrypt works relies on your DNS record pointing to the right IP. If that’s not the case then it can’t work. Though there are alternative “challenges” in Let’s Encrypt which allow delivering a certificate through different methods, e.g. a DNS challenge. But it’s not integrated in YunoHost so it’s up to you to tweak whatever needs to be tweaked to make it work …
under DNS
add a record of type CAA
under tag you have to choose if you allow Let’s Encrypt to deliver * (wildcard) certificates or certificates for a specific hostname (which I prefer)
allow Value: letsencrypt.org
you will end up with something like this: CAA domain.tld 0 issue "letsencrypt.org" Automatic
but in the end, Let’s Encrypt or the self-signed certificate already generated by YunoHost will change nothing: everything will be encrypted from
user to Cloudflare and then from Cloudflare to your YunoHost, which means you and your users have to trust Cloudflare because they act as a man in the middle.
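Added example (not from the thread or from YunoHost): a small Python check that reads the three addresses out of a debug block like the one quoted above, classifies why an HTTP-01 renewal can or cannot reach the origin, and evaluates CAA records with the issue/issuewild fallback rule from RFC 8659. The addresses and records below are constructed (documentation ranges), not the poster's.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of YunoHost's "Debug information" block
# (documentation-range addresses, not real servers).
DEBUG_OUTPUT = """\
Warning: Debug information:
- domain ip from DNS 192.0.2.10
- domain ip from local DNS 198.51.100.7
- public ip of the server 198.51.100.7
"""

FIELDS = {
    "domain ip from DNS": "public_dns",
    "domain ip from local DNS": "local_dns",
    "public ip of the server": "server",
}
CAA_RE = re.compile(r'^(?:CAA\s+)?(\S+)\s+(\d+)\s+(issue|issuewild)\s+"([^"]*)"')


def parse_debug(text):
    """Extract the three addresses from the '- <label> <ip>' lines."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"-\s+(.*?)\s+(\S+)$", line.strip())
        if m and m.group(1) in FIELDS:
            found[FIELDS[m.group(1)]] = str(ip_address(m.group(2)))  # validates the IP
    return found


def diagnose(addrs):
    """Classify the situation an HTTP-01 challenge would run into."""
    if addrs["public_dns"] == addrs["server"]:
        return "direct: HTTP-01 challenge can reach the origin"
    if addrs["local_dns"] == addrs["server"]:
        return "proxied: public DNS points at a CDN edge, use DNS-01 instead"
    return "misconfigured: neither resolver points at this server"


def caa_allows(records, issuer="letsencrypt.org", wildcard=False):
    """True if the CAA record set lets `issuer` issue a (wildcard) cert.
    Per RFC 8659, 'issuewild' governs wildcards when present; otherwise
    'issue' records govern both names and wildcards."""
    parsed = []
    for rec in records:
        m = CAA_RE.match(rec.strip())
        if not m:
            raise ValueError("not a CAA record: %r" % rec)
        parsed.append((m.group(3), m.group(4).split(";")[0].strip()))
    governing = [v for t, v in parsed if t == "issuewild"] if wildcard else []
    if not governing:  # no issuewild records: fall back to issue records
        governing = [v for t, v in parsed if t == "issue"]
    return issuer in governing
```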