
Add blog post for fixing certbot challenges behind Cloudflare

Devin Dooley 1 year ago
3 changed files with 67 additions and 5 deletions
  1. +5
  2. +62
  3. BIN

+ 5
- 5
content/blog/

@ -44,8 +44,8 @@ So at this point when I tried to update nginx-mainline, I would get a dependency
nginx-mainline-mod-vts depended on a prior version, and if I attempted to update
nginx-mainline-mod-vts, I would get a dependency conflict for the same reason (if I remember
correctly, dropping the -s flag did not help). If I wanted to get an
update through without downtime, it seemed to me that I would have to update these at the same time
update through without downtime and without removing the packages dependency specification,
it seemed to me that I would have to update these at the same time somehow.
Eventually I stumbled into
[this Reddit thread](
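Review bot: the added line `update through without downtime and without removing the packages dependency specification,` needs a possessive, `package's dependency specification`, since the spec belongs to the nginx-mainline-mod-vts package; the split of the old sentence into two lines and the added "somehow" otherwise read fine.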
@ -53,17 +53,17 @@ that led me to
[this Arch wiki page](
describing how to build packages with a clean chroot.
What I ran:
Here's what I ended up running to get this package built and installed:
{{< highlight bash >}}
# Create the clean chroot, which will be stored in ~/chroot
mkdir ~/chroot
mkarchroot $CHROOT/root base-devel
# Verify chroot has updated packages, will be necessary for future runs
# Verify chroot has updated packages, which will be necessary for future runs with the same chroot
arch-nspawn $CHROOT/root pacman -Syu
# Run in directory with broken packages PKGBUILD
# Make sure to run this in the directory with the broken packages PKGBUILD
makechrootpkg -c -r $CHROOT
# Installs the recently built AUR package and its dependencies at the same time
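Review bot: `$CHROOT` is passed to `mkarchroot`, `arch-nspawn` and `makechrootpkg` but is never assigned in the snippet, while the comment and the `mkdir ~/chroot` line talk about `~/chroot`; a reader who copies the block verbatim runs `mkarchroot /root base-devel`, which points at the real `/root` instead of the intended directory. Suggest adding `CHROOT=$HOME/chroot` as the first line and changing the mkdir to `mkdir -p "$CHROOT"` so the variable, the comment and the later `-r $CHROOT` all agree. Minor: the new comment `# Make sure to run this in the directory with the broken packages PKGBUILD` should read `broken package's PKGBUILD`.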

+ 62
- 0
content/blog/

@ -0,0 +1,62 @@
title: "Certbot Challenges Failing Behind Cloudflare DNS"
date: "2020-06-12"
A couple months ago, I switched over from Google Domains for DNS management to Cloudflare, largely
for access to their CDN. I didn't realize their free services were so expansive, and I've been happy
to get access to all that they give me. However, the transition has not been without its pains.
All of the sites on my server (along with this site) are served using an nginx reverse proxy, with
SSL certificates managed through Let's Encrypt's certbot tool. Today, as I went to add a new
nginx server block for a gitea server, I ran into failures updating my certificate for the new
`` route. After some digging, it looked like my automatic renewals had been
failing with the same errors:
{{< highlight plaintext >}}
Performing the following challenges:
http-01 challenge for
Challenge failed for domain
Type: unauthorized
Detail: Invalid response from
{{< / highlight >}}
The problem ended up being that these http-01 challenges need HTTP (not HTTPS) access to the domains
being issued the challenge, but Cloudflare was configured to automatically redirect all HTTP
traffic to HTTPS. Answers across a few different forums provided a few solutions:
1. Switch to Cloudflare's certificates from Let's Encrypt
2. Switch to DNS challenges instead of http-01
3. Disable HTTP->HTTPS redirects for my domains
I ended up going with option 3, as it was easier than issuing DNS challenges, and I stubbornly
wanted to use Let's Encrypt certificates because of how much time I had already invested into
troubleshooting them and automating their renewals.
I found a post in the Cloudflare forum that suggested you can do this through disabling SSL
and HTTPS Rewrites through page rules in the Cloudflare UI. This was a good attempt, but did not
quite work, as certbot began erroring claiming there were `Too many redirects`. After trying a
number of solutions, I ended up disabling Cloudflare's HTTP->HTTPS redirects across all my domains
through their SSL/TLS Edge Certificates menu:
![Redircts Off](/images/certbot-challenges-failing-cloudflare/redirects-off.png)
I was willing to make this change because I redirect all HTTP requests to HTTPS through nginx (this
configuration is offered when configuring certificates through certbot). You may not wish to make
this change for your own domains if you are not confident in your server's ability to redirect
traffic without Cloudflare's help.
That should be enough to fix this error on your certificate expansions/renewals. Keep in mind if you
are troubleshooting that Let's Encrypt has rate limiting around failed authorizations that will
prevent you from attempting certificate updates if they have failed 5 times in the past hour, as I ran
into this quite a bit towards the end.
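Review bot: the sentence `these http-01 challenges need HTTP (not HTTPS) access to the domains` overstates the cause; Let's Encrypt's HTTP-01 validation follows redirects, including redirects to HTTPS, so an edge redirect is not fatal by itself, and what decides the outcome is what Cloudflare's edge returned for the `/.well-known/acme-challenge/` request after the redirect. The quoted log stops at `Detail: Invalid response from`; keeping the complete `Detail:` line (the URL that was fetched and the status or body that came back) would let readers confirm they are hitting the same failure before they turn off the Always Use HTTPS toggle for every zone. Because that toggle is the edge-side HTTPS enforcement, it is worth stating explicitly that the nginx HTTP-to-HTTPS redirect written by certbot's `--redirect` option has to be present on every server block before the change, and that `/.well-known/acme-challenge/` must still be answerable over plain HTTP ahead of that redirect (the certbot nginx authenticator handles that placement when it runs). Typo in the image alt text: `Redircts Off`.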

static/images/certbot-challenges-failing-cloudflare/redirects-off.png

Width: 1151  |  Height: 235  |  Size: 14 KiB