SSL cert not issuing on a partial (CNAME) setup

The zone is teamlex.com and it is proxied and CNAME'd to Cloudflare:
dig +short CNAME www.teamlex.com
www.teamlex.com.cdn.cloudflare.net.
The www universal certificate has been pending for over a day now. I've opened a ticket and have tried to escalate it with our engineering rep but still haven't heard back.
17 Replies
Chaika (12mo ago)
You have some overly aggressive firewall rules, it looks like. I'd bet they could be blocking the HTTP validation request; you might want to turn them down or exclude paths starting with /.well-known/acme-challenge/
davea7367 (OP, 12mo ago)
Thanks Chaika, I did open all of them up based on the host to "skip"
Chaika (12mo ago)
hmm, so they shouldn't be blocking right now?
Chaika (12mo ago)
What did you input for the host?
davea7367 (OP, 12mo ago)
teamlex.com if host contains teamlex.com
Chaika (12mo ago)
ahh those are probably IP Access Rules which are blocking, which you can't skip with a custom rule
davea7367 (OP, 12mo ago)
ahh the hierarchy
Chaika (12mo ago)
well it's not the hierarchy or flow, you can skip a lot of things with Custom Rules, just not IP Access Rules
davea7367 (OP, 12mo ago)
i am seeing requests coming in for well-known
Chaika (12mo ago)
Let's Encrypt uses a few different ASNs as secondary validation for the HTTP token: their own, AWS, and a few others. I don't think they have a list, since it's done to try to avoid BGP hijacking and get multiple "views of the internet". Other ACME providers like Google do something similar afaik
davea7367 (OP, 12mo ago)
there might be a few blocked then
Chaika (12mo ago)
yea, if one fails it wouldn't issue
davea7367 (OP, 12mo ago)
i am seeing a lot of requests for well-known
Chaika (12mo ago)
probably because it keeps trying lol. If you have Advanced Certificate Manager you could just create a cert covering www validated via DNS and create the DNS records manually for it
davea7367 (OP, 12mo ago)
agreed, thanks, I think that's what I'll have to do. Appreciate the help
Erisa (12mo ago)
The recommended approach would indeed be Advanced certificates with DCV Delegation: https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/
That way you only need one DNS record in place and then the certs will renew forever
davea7367 (OP, 12mo ago)
thank you Erisa, the advanced cert with HTTP verification doesn't seem to be issuing and there are no blocks