Cloudflare DNS Proxy with Letsencrypt error.  [SOLVED]

Victor
Posts: 17
Joined: Sun 21. Jun 2020, 20:23

Cloudflare DNS Proxy with Letsencrypt error.

Post by Victor »

Hello,

I have the following problem: fresh install of Debian 10 with KeyHelp, set up domains, emails etc. I use the enforce SSL & HSTS option for all my domains with a Letsencrypt certificate. DNS for the domain is run through Cloudflare to protect the server IP (no MX host needed). When the toggle in Cloudflare is set to "proxied" and the IP of the domain in dig is a Cloudflare IP, the Letsencrypt manual generation with keyhelp-toolbox/maintenance tasks/ssl FAILS, saying that the domain is not locally resolvable. If I deactivate the proxied setting in Cloudflare (and with a dig you can see the real server IP), the generation of certificates works without a problem. The first time I thought maybe I had done something wrong while setting the domains up, so I re-installed the server, but the same error appears. This is very frustrating; one of the main reasons I use Cloudflare is to protect the server's real IP with their services. I know that this is somewhat not the KeyHelp developers' problem, since the panel works great without Cloudflare, however maybe somebody knows a solution to make it work behind the Cloudflare proxy.
I tried setting the Cloudflare servers as NS servers in the DNS settings of each domain - it doesn't work.
I also tried to completely disable the DNS Zone for the domain, also doesn't work.
No idea what to try next, any help would be appreciated.

Code:

[24-Aug-2021 01:48:04] INFO  --> Sending signed request to "https://acme-v02.api.letsencrypt.org/acme/new-acct".
[24-Aug-2021 01:48:05] INFO  --> Start certificate generation.
[24-Aug-2021 01:48:05] INFO  --> Token stored at: /home/keyhelp/www/.well-known/acme-challenge/local-check-612425a5863c23.10016847
[24-Aug-2021 01:48:05] INFO  --> URL: http://www.domain.com/.well-known/acme-challenge/local-check-612425a5863c23.10016847 | HTTP code: 404 | HTTP body (first 100 chars): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title><script
[24-Aug-2021 01:48:05] ERROR --> a Let's Encrypt error occurred: Local resolving checks failed for domain "www.domain.com". Please ensure that your domain is locally resolvable!
Thank you!

PS: The domain name has been redacted for privacy.
Something something, dark side.
latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08

Re: Cloudflare DNS Proxy with Letsencrypt error.

Post by latifolia »

Let's Encrypt needs a real IP address matching your domain. This is reflected in the original DNS A records.

If you use the proxy from Cloudflare, the IP address submitted to Let's Encrypt is the IP from Cloudflare, which causes mismatches.

Take a look at this article on using a different --preferred-challenges option to get a certificate behind a proxy.

https://www.digitalocean.com/community/ ... untu-18-04

You can later put a custom script into a scheduled task or a cron job.
Victor
Posts: 17
Joined: Sun 21. Jun 2020, 20:23

Re: Cloudflare DNS Proxy with Letsencrypt error.

Post by Victor »

Thank you for the suggestion, I've installed & configured certbot and issued a certificate with wildcard.
My only problem is, how exactly do I integrate it with KeyHelp?
Would a small hack like deleting the complete.pem & chain.pem files and creating symbolic links to /etc/letsencrypt/live work, or would they be re-generated again when the certificate is renewed?
Or maybe just make /etc/ssl/keyhelp/letsencrypt/ a symbolic link to /etc/letsencrypt?

Code:

  # ssl
  SSLEngine On
  SSLCertificateFile /etc/ssl/keyhelp/letsencrypt/user/xxxxxxxxxxxxx.com/complete.pem
  SSLCertificateChainFile /etc/ssl/keyhelp/letsencrypt/user/xxxxxxxx.com/chain.pem
  
I don't have a problem editing each vhost manually and setting the path of the new certificates to /etc/letsencrypt/live/user/chain.pem, however I think that most likely whenever I make a change to the domain, or when the original KeyHelp-generated Letsencrypt certificate expires, KeyHelp will overwrite the Apache config files again with the default certificates, which is not ideal.
I want a permanent solution to generate Letsencrypt wildcard certificates for each domain using DNS validation as the default option for all the domains. I think it's a much more practical solution than issuing a separate certificate for each subdomain. Plus, it would help with the webmail subdomain problem which KeyHelp has.

Any idea how to make this happen without breaking KeyHelp configurations?

Thanks!
Something something, dark side.
latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08

Re: Cloudflare DNS Proxy with Letsencrypt error.  [SOLVED]

Post by latifolia »

Hey there,

If you follow what the article above suggests:
You use the --manual argument to disable all of the automated integration features of Certbot. In this case you’re just issuing a raw certificate, rather than automatically installing it on a service as well.
There you are treating the generated certificate as a different entity from the KeyHelp suite. You now have 2 different systems generating Let's Encrypt certificates inside your server, which will be no problem if you take things carefully.

Because the generated certificate is unknown to KeyHelp, you can add it manually into each domain you created.

You then need to uncover behind the scenes where those certificates are saved by KeyHelp, then make a symbolic link to a place where you can auto-update it via a script in a cron job.
Attachments: A.png, B.png
Victor
Posts: 17
Joined: Sun 21. Jun 2020, 20:23

Re: Cloudflare DNS Proxy with Letsencrypt error.

Post by Victor »

Thank you latifolia for the suggestion,

I've managed to get it to work. It's a bit of a long procedure to convert every domain on the server, but it's worth it.
On a side note, after you upload the generated wildcard certificates you must activate them on each domain before making the symbolic links to /etc/letsencrypt/live/, or else you won't be able to choose them later from the dropdown list. Also, the details about the certificate and expiration date disappear from the panel interface after you delete them and create symbolic links, but they do still work after you restart Apache.
For now it works; I even installed the wildcard certificate for the panel domain without problems. I just hope nothing gets overwritten in a future KeyHelp update and that there won't be any problems when the certificates are auto-renewed with certbot.

Still, it would be a nice idea if the developers would consider integrating this in KeyHelp with future releases. I don't think it's hard to do, but it would save a lot of time for users who want to generate Letsencrypt certificates behind a proxy / local LAN, etc.
Something something, dark side.
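An added example (my own script, not KeyHelp's, certbot's or either poster's code) for the two pieces of this thread: latifolia's suggestion of a cron-job script that keeps KeyHelp's copy of the certificate in sync with certbot, and Victor's procedure of replacing KeyHelp's complete.pem and chain.pem. The certificate itself is issued once with the DNS-01 challenge latifolia points to (`certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'`), which does not depend on the A record pointing at the server and therefore is not affected by the Cloudflare proxy. The script assumes certbot keeps the files under /etc/letsencrypt/live/<domain>/ (fullchain.pem, chain.pem, privkey.pem) and that KeyHelp's vhosts read /etc/ssl/keyhelp/letsencrypt/<user>/<domain>/{complete.pem,chain.pem} as in Victor's snippet; it further assumes complete.pem holds the certificate chain followed by the private key (the snippet shows no SSLCertificateKeyFile), so verify that against your own install before relying on it. Instead of symlinks it copies regular files into place atomically, refuses half-written renewals, and only reloads Apache when something actually changed.

```shell
#!/bin/sh
# keyhelp-cert-sync.sh (added example, not KeyHelp's or certbot's own code)
# Copies the current certbot files for one domain into the directory KeyHelp's
# Apache vhost points at. Paths and the complete.pem layout are assumptions
# taken from the thread; override them via the environment if yours differ.
set -eu

LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"              # certbot lineage dir (assumed)
KEYHELP_ROOT="${KEYHELP_ROOT:-/etc/ssl/keyhelp/letsencrypt}"  # KeyHelp cert dir (from the vhost snippet)
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"          # run only when files changed

# Sanity check on a PEM file: exists, non-empty, starts with a PEM header.
# Protects a working vhost from a truncated or missing renewal file.
pem_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN ' || return 1
}

# sync_domain <keyhelp-user> <domain>
# Returns 0 when complete.pem/chain.pem were replaced, 2 when they were
# already identical (nothing to reload), 1 when certbot's files are unusable.
sync_domain() {
    user="$1"; domain="$2"
    src="$LIVE_ROOT/$domain"
    dst="$KEYHELP_ROOT/$user/$domain"

    pem_ok "$src/fullchain.pem" && pem_ok "$src/chain.pem" && pem_ok "$src/privkey.pem" \
        || { echo "sync_domain: incomplete certbot files in $src" >&2; return 1; }
    mkdir -p "$dst"

    # Build candidates in a temp dir on the same filesystem so the final mv is
    # an atomic rename and Apache never reads a partially written PEM.
    tmp=$(mktemp -d "$dst/.sync.XXXXXX")
    # Assumption: complete.pem = chain + private key (no SSLCertificateKeyFile in the vhost)
    cat "$src/fullchain.pem" "$src/privkey.pem" > "$tmp/complete.pem"
    cp "$src/chain.pem" "$tmp/chain.pem"
    chmod 600 "$tmp/complete.pem"   # contains the private key
    chmod 644 "$tmp/chain.pem"

    changed=0
    for name in complete.pem chain.pem; do
        if [ -f "$dst/$name" ] && cmp -s "$tmp/$name" "$dst/$name"; then
            rm -f "$tmp/$name"                  # unchanged since last run
        else
            mv -f "$tmp/$name" "$dst/$name"     # replaces an old file or symlink
            changed=1
        fi
    done
    rmdir "$tmp"
    [ "$changed" -eq 1 ] && return 0
    return 2
}

# Usage: sh keyhelp-cert-sync.sh <keyhelp-user> <domain>
# Run it daily from cron, or pass it to certbot as the --deploy-hook command,
# so a renewed wildcard certificate reaches KeyHelp's paths automatically.
if [ $# -eq 2 ]; then
    rc=0
    sync_domain "$1" "$2" || rc=$?
    case $rc in
        0) $RELOAD_CMD ;;                       # new files: load them
        2) echo "$2: already up to date" ;;     # nothing to do
        *) exit "$rc" ;;
    esac
fi
```

Because it exits non-zero without touching anything when certbot's files are missing or truncated, a failed or interrupted renewal leaves the previously working certificate in place, and the reload only happens on the run that actually installed new files.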