Recently I enabled Cloudflare CDN for a website. At the beginning, everything went fine. Until there is one day, I was trying to renew the Let’s Encrypt certificate for the domain by using the acme_tiny.py program, which I always use. However, this time it fails again and again, on the error: cannot download http://****/.well-known/acme-challenge/**** .
In short, before issuer (Let’s Encrypt) signs the certificate, this program will generate a challenge file in a specified path under the domain. Then issuer will try to fetch the challenge file, to make sure the requester is the real owner of the domain.
I tried use wget to download the challenge file, and got a 404 error. By break down the wget output, I found that, when request the challenge file via http, the request was redirected to https, that is the cause of the error. Because the origin server only have acme-challenge configured on port 80, so when you trying to access it from https the only thing you will get is the 404 error.
Because I always use the program to renew certificates, so this time I wonder if it is the CDN caused the error.
In addition, one thing makes me feel weird is, the origin server not have https rewrite configured for the acme-challenge path, so why the http request is being redirected to https automatically? After some digging around, trying to adjust some Cloudflare options, finally, I found out: the option “Always Use HTTPS” (under the SSL/TLS –> Edge Certificates section) is the root cause of this error. With this option turned on will redirect all http requests to https automatically. That is why the http request to fetch acme-challenge file got redirected to https.
After turned off this option, the acme_tiny.py program worked flawlessly like before and I got the Let’s Encrypt certificate renewed successfully.
Conclusion for this time, when have CDN enabled for a website; the configurations of the CDN might cause some unexpected issues to happen, like this time. When the origin server is not the cause of the problem, should turn to investigating CDN’s configurations, to figure out whether the CDN is the causing the problem.
