to dirprocess: Site is using cloudflare IP num and not getting SSL cert                                rev 1 apr 2022


⇒  On this page: the problem↓  note title↓   links↓

✶ the problem:

  Some websites are not getting SSL cert renewed, because
  cPanel reports "The domain “” resolved to an IP address 
  “” that does not exist on this server."
  This happened on iwebfusion, and later after move, on reclaimhosting, 
  but not to all sites, just a few.

  Sites are all set up on Cloudflare, and configured the same.

  I have had that happen a few months ago, and it eventually resolved itself,
    i don't remember doing anything.

  "Web hosts and Cloudflare don’t document this aspect of SSL at all," (
     so we are only getting info and solutions from other parties  :/
     Luckily people are writing very good info and solutions (below).

* good summary explanations

  "cPanel's AutoSSL functionality does not work for any domains 
   utilizing CloudFlare and/or any CDN/proxy type services.
   For SSL Domain Control Validation to succeed, the domain must resolve 
   to an IP address located on your cPanel server.
   At this time there is no known workaround, other than disabling CloudFlare."

  "Under Cloudflare ... the domain name will resolve to a Cloudflare IP address, 
   and so the AutoSSL renewal fails.
   There’s no way around this. It’s a fundamentally incompatible situation."

✶ solutions:

  * Web search for   cpanel autossl cloudflare
      gets a lot of relevant results.
  * The answers seem to be:
        - Disable proxy in cloudflare (which defeats the purpose of having cloudflare)
        - Use a cert on cloudflare, not on your web server. 
        - Use a Cloudflare Origin Cert in cPanel (see wp-tweaks resources below).
        - lower Cloudflare's SSL/TLS setting to 'Full' instead of 'Full (strict)'.
  * My solution currently [apr 2022]:
        - lower Cloudflare's SSL/TLS setting to 'Full' instead of 'Full (strict)'.
            This is ok for me because it's still encrypted to server,
            and our sites aren't so crucial to need 'strict'.
        - and wait for cPanel/Cloudflare to sort this out.

➽  links and resources: 

  * Good explanation - with detailed instructions to install
      Cloudflare Origin Cert on cPanel:
      [undated, retr 1 apr 2022]

  * Good explanation and suggested solutions - none of which are optimal:
      [12 dec 2017, retr 1 apr 2022]

  * Good explanation and discussion of other cases:
      [undated, retr 1 apr 2022]

  * Troubleshooting and discussion - on Cloudflare forum:
      [aug 2019, retr 1 apr 2022]

  * Sites resolving to
      9 sep 2021
      This just reports
        "There appears to be some issues with some random sites
          that use cloudflare name servers when resolving them through google
          dns or root hints. They all return Any ideas?"
      And answered with dns returns Cloudflare IP as expected.
      But no discussion of why it's random or how can cause problems.

begin 1 apr 2022
-- 0 --