Koozali.org: home of the SME Server

LetsEncrypt and Cloudflare

wdepot (http://westerndepot.com)
LetsEncrypt and Cloudflare
« on: December 20, 2025, 08:44:18 PM »
For those using the LetsEncrypt contribution and using Cloudflare as your domain name provider, I thought I should post a warning note for those who might encounter the same situation.

Yesterday I noticed a Cron email that informed me that Dehydrated had attempted to renew the security certificate and failed. Since SSL is important to our web site I immediately looked into the problem. I was puzzled since none of the LetsEncrypt settings had been changed since the last automatic certificate renewal which had worked just fine. After much puzzlement and fiddling with settings on the server I suddenly realized that during a DDOS attack I had gone to our Cloudflare settings for the domain and turned on Under Attack Mode. Since this injects a javascript "prove you are human" into the connection to the domain it interferes with the LetsEncrypt certificate renewal process.

Once I turned off Under Attack Mode at Cloudflare I could run

    dehydrated -c -x

on the server and the SSL certificate renewal completed just fine.

The lesson here is if you use Cloudflare, or any other domain registrar that provides an Under Attack Mode, to counter a DDOS attack, make sure you turn Under Attack Mode off for the domain when you need to renew your LetsEncrypt security certificate.
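A pre-renewal check that turns the lesson in the post above into something you can run before `dehydrated -c`. This is an added example, not part of the forum post and not part of dehydrated or Cloudflare's own tooling. It probes the HTTP-01 challenge path through the public hostname and classifies the answer, so an edge challenge page (the kind Under Attack Mode injects) is reported before the ACME validation fails. Assumptions: `curl` is installed on the server; Cloudflare marks its challenge responses with a `cf-mitigated: challenge` header and the interstitial page title "Just a moment..."; the probe token name and the hostname argument are placeholders. The sample responses used for checking the classifier are constructed.

```shell
#!/bin/sh
# Added example (not from the forum post or from dehydrated itself).
# Probe the HTTP-01 challenge path before renewing, so that a Cloudflare
# challenge page interposed at the edge is detected up front.

# classify_acme_probe STATUS HEADER_FILE BODY_FILE
# Prints one word:
#   origin    - the request reached the origin web server (200 or 404 from it;
#               404 is fine, the real token only exists during a live challenge)
#   challenge - the edge answered with an interactive challenge page instead
#   blocked   - some other edge or firewall answer (403, 5xx without a challenge marker)
classify_acme_probe() {
  status=$1; hdrs=$2; body=$3
  # Assumption: Cloudflare's challenge pages carry this response header.
  if grep -iq '^cf-mitigated:[[:space:]]*challenge' "$hdrs"; then
    echo challenge; return 0
  fi
  # Assumption: the interstitial's title is "Just a moment..." (fallback check).
  if grep -q 'Just a moment' "$body"; then
    echo challenge; return 0
  fi
  case $status in
    200|404) echo origin ;;
    *)       echo blocked ;;
  esac
}

# probe_acme_path HOST
# Fetches http://HOST/.well-known/acme-challenge/<placeholder token> exactly
# the way the ACME validator would (plain HTTP, port 80) and classifies it.
probe_acme_path() {
  host=$1
  hdrs=$(mktemp); body=$(mktemp)
  status=$(curl -s -o "$body" -D "$hdrs" -w '%{http_code}' \
    "http://$host/.well-known/acme-challenge/renewal-precheck-probe")
  result=$(classify_acme_probe "$status" "$hdrs" "$body")
  rm -f "$hdrs" "$body"
  echo "$result"
}

# precheck HOST
# Returns 0 when renewal is likely to validate, 1 otherwise, with a reason.
# Usage on the server:  precheck www.example.com && dehydrated -c
precheck() {
  r=$(probe_acme_path "$1")
  case $r in
    origin)
      echo "ok: $1 challenge path reaches the origin"
      return 0 ;;
    challenge)
      echo "refusing to renew: $1 serves an edge challenge page (Under Attack Mode still on?)" >&2
      return 1 ;;
    *)
      echo "refusing to renew: $1 challenge path returned an unexpected answer" >&2
      return 1 ;;
  esac
}

# Run the check when a hostname is given on the command line.
if [ $# -gt 0 ]; then
  precheck "$1"
fi
```

The classifier treats a 404 from the origin as success on purpose: outside a live challenge there is no token file to serve, and what matters is that the request passed the edge and reached your web server at all. A 403 or 503 that carries no challenge marker is reported separately, because it points at a firewall or WAF rule rather than the "prove you are human" page described in the post.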

Stefano
Re: LetsEncrypt and Cloudflare
« Reply #1 on: December 22, 2025, 04:10:17 PM »
nice catch, indeed.. this should be in the wiki