to dirprocess: Site is using cloudflare IP num and not getting SSL cert                                rev 1 apr 2022

Category: FILENAME AS SUBCATEGORIES

⇒  On this page: the problem↓  good summary explanations↓  solutions↓  links↓

.........................
✶ the problem:

  Some websites are not getting their SSL cert renewed, because
  cPanel reports "The domain “www.DOMAIN.com” resolved to an IP address 
  “172.64.80.1” that does not exist on this server."
  This happened on iwebfusion, and later, after the move, on reclaimhosting, 
  but not to all sites, just a few.

  Sites are all set up on Cloudflare, and configured the same.

  I have had that happen a few months ago, and it eventually resolved itself;
    I don't remember doing anything.

  "Web hosts and Cloudflare don’t document this aspect of SSL at all," (wp-tweaks.com)
     so we are only getting info and solutions from other parties  :/
     Luckily people are writing very good info and solutions (below).


.........................
* good summary explanations

  "cPanel's AutoSSL functionality does not work for any domains 
   utilizing CloudFlare and/or any CDN/proxy type services.
   For SSL Domain Control Validation to succeed, the domain must resolve 
   to an IP address located on your cPanel server.
   At this time there is no known workaround, other than disabling CloudFlare."
    -- webhostingmagic.com

  "Under Cloudflare ... the domain name will resolve to a Cloudflare IP address, 
   and so the AutoSSL renewal fails.
   There’s no way around this. It’s a fundamentally incompatible situation."
   -- wp-tweaks.com
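  As an added check (my own example, not code from cPanel, Cloudflare or any of the
  sites quoted above): given the A records public DNS returns for the host and the
  addresses on the cPanel server, classify whether AutoSSL's domain control validation
  can succeed. The Cloudflare prefix list is an assumption written from memory of
  Cloudflare's published IPv4 ranges, and the 203.0.113.x / 198.51.100.x addresses are
  constructed placeholders.

```python
"""Classify what cPanel AutoSSL domain-control validation (DCV) will see:
the hostname must resolve to an IP that exists on the cPanel server, but
behind the Cloudflare proxy it resolves to a Cloudflare edge IP instead
(the "resolved to an IP address ... that does not exist on this server"
message quoted in the note)."""
import ipaddress
import socket

# Cloudflare IPv4 edge prefixes, written from memory of
# https://www.cloudflare.com/ips-v4 (assumption: refresh from that URL before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address is inside a published Cloudflare IPv4 prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def dcv_diagnosis(resolved_ips, server_ips) -> str:
    """resolved_ips: A records public DNS returns for the hostname.
    server_ips:   addresses bound on the cPanel server.
    Returns 'ok', 'proxied' (Cloudflare edge IP, so DCV fails) or
    'mismatch' (another host entirely, e.g. stale DNS after a hosting move)."""
    resolved = {ipaddress.ip_address(ip) for ip in resolved_ips}
    local = {ipaddress.ip_address(ip) for ip in server_ips}
    if resolved & local:  # at least one record points back at this server
        return "ok"
    if any(is_cloudflare_ip(str(ip)) for ip in resolved):
        return "proxied"
    return "mismatch"


def resolve_a(hostname: str):
    """Live IPv4 lookup through the system resolver (not used offline)."""
    return sorted({r[4][0] for r in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


if __name__ == "__main__":
    # Constructed sample: the edge IP from the note vs. a placeholder origin IP.
    print(dcv_diagnosis(["172.64.80.1"], ["203.0.113.10"]))   # proxied
    print(dcv_diagnosis(["203.0.113.10"], ["203.0.113.10"]))  # ok
```

  A 'proxied' result is the Cloudflare case this note is about; 'mismatch' after a
  hosting move usually means the DNS record still points at the old host.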

.........................
✶ solutions:

  * Web search for   cpanel autossl cloudflare
      gets a lot of relevant results.
  
  * The answers seem to be:
        - Disable proxy in cloudflare (which defeats the purpose of having cloudflare)
        or
        - Use a cert on cloudflare, not on your web server. 
        or
        - Use a Cloudflare Origin Cert in cPanel (see wp-tweaks resources below).
        or
        - lower Cloudflare's SSL/TLS setting to 'Full' instead of 'Full (strict)'.
  
  * My solution currently [apr 2022]:
        - lower Cloudflare's SSL/TLS setting to 'Full' instead of 'Full (strict)'.
            This is ok for me because it's still encrypted to the server,
            and our sites aren't so crucial as to need 'strict'.
        - and wait for cPanel/Cloudflare to sort this out.

.......................................................
➽  links and resources: 

  * Good explanation - with detailed instructions to install
      Cloudflare Origin Cert on cPanel:
      https://www.wp-tweaks.com/how-to-fix-cpanel-autossl-errors-cloudflare-proxy/#permanent-fix-use-a-cloudflare-origin-certificate-for-15years
      [undated, retr 1 apr 2022]

  * Good explanation and suggested solutions - none of which are optimal:
      https://caveenasolutions.com/2017/12/cpanel-autossl-cloudflare-causing-problems/
      [12 dec 2017, retr 1 apr 2022]

  * Good explanation and discussion of other cases:
      https://dashboard.webhostingmagic.com/knowledgebase/288/How-To-Resolve-Cloudflare-SSL-Issues.html
      [undated, retr 1 apr 2022]

  * Troubleshooting and discussion - on Cloudflare forum:
      https://community.cloudflare.com/t/configuring-cloudflare-https-with-auto-ssl-issued-to-domain-by-cpanel/103309
      [aug 2019, retr 1 apr 2022]

  * Sites resolving to 172.64.80.1
      9 sep 2021
      https://community.cloudflare.com/t/sites-resolving-to-172-64-80-1/303459
      This just reports
        "There appears to be some issues with some random sites
          that use cloudflare name servers when resolving them through google
          dns or root hints. They all return 172.64.80.1. Any ideas?"
      The answer given is that DNS returning a Cloudflare IP is expected.
      But there is no discussion of why it's random or how it can cause problems.


_______________________________________________________
begin 1 apr 2022
-- 0 --