For some reason auto SSL renewal fails when my site is on Cloudflare Full.
Error when trying to renew manually from panel:
Error: Let’s Encrypt validation status 400 (sub.domain.com ). Details: 403:“During secondary validation: 2606:4700:3035::ac43:ddda: Invalid response from http://sub.domain.com/.well-known/acme-challenge/6FszQ0kGlB-UV89Y_-DW0oNBdkPnhTTElM-UOehGhe4: 403”
I tried disabling Cloudflare from the subdomain temporarily and it renewed successfully.
Is Hestia unable to fetch a LetsEncrypt SSL if Cloudflare FULL is enabled?
linkp
August 1, 2025, 2:53pm
Welcome to the HestiaCP forum.
First, please use Full (strict) instead of simply Full. More than likely you have configured Cloudflare in a way that disturbs the ACME HTTP-01 challenge. You may want to consider reviewing the following settings that I use with Cloudflare and Let’s Encrypt.
I moved away from Page Rules for ACME challenge configs in Cloudflare. I use the Configuration and Cache Rules now. I don’t make any specific WAF changes, only the following:
Configuration Rules:
Name: ACME Challenge
Expression: (starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
Automatic HTTPS Rewrites: Off
Browser Integrity Check: Off
Opportunistic Encryption: Off
Security Level: Essentially Off
SSL: Off
Cache Rules:
Name: ACME Challenge
Expression: (starts_with(htt…
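To pin down where a 403 like the one in the panel comes from, here is an added diagnostic (not from either post, and not HestiaCP code): it parses the Let's Encrypt error text, checks whether the address the validator connected to is a Cloudflare edge, mirrors the starts_with() test of the Configuration Rule above, and can fetch a challenge token both through Cloudflare and straight at the origin so the two responses can be compared. The Cloudflare range list is a constructed subset of the published one, and the host, token and origin IP passed to fetch_challenge are assumed inputs.

```python
import http.client
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of Cloudflare's published proxy ranges (https://www.cloudflare.com/ips),
# constructed for this example; refresh from that page before relying on it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "2606:4700::/32", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17")]
ACME_PREFIX = "/.well-known/acme-challenge/"  # prefix the Configuration Rule tests
ERROR_RE = re.compile(
    r"secondary validation: (?P<addr>[0-9A-Fa-f:.]+): Invalid response from "
    r"(?P<url>https?://\S+?): (?P<status>\d{3})")

def parse_acme_error(text):
    """Validator address, challenge URL and HTTP status from the panel error text."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    return {"addr": m.group("addr"), "url": m.group("url"),
            "status": int(m.group("status"))}

def is_cloudflare_address(addr):
    """True when the validator talked to a Cloudflare edge (proxied DNS record)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)

def rule_matches(path):
    """Mirror of starts_with(http.request.uri.path, "/.well-known/acme-challenge/")."""
    return path.startswith(ACME_PREFIX)

def diagnose(error_text):
    """Which side the validator reached, and whether the path is covered by the rule."""
    info = parse_acme_error(error_text)
    if info is None:
        return "unparsed"
    if not rule_matches(urlsplit(info["url"]).path):
        return "path-outside-rule"
    side = "edge" if is_cloudflare_address(info["addr"]) else "origin"
    return "%s-reached-%d" % (side, info["status"])

def fetch_challenge(host, token, origin_ip=None, timeout=10):
    """Plain-HTTP GET of a challenge file via DNS (the Cloudflare edge when proxied)
    or straight at origin_ip with a Host header, like curl --resolve."""
    conn = http.client.HTTPConnection(origin_ip or host, 80, timeout=timeout)
    conn.request("GET", ACME_PREFIX + token, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.getheader("CF-RAY") is not None, resp.read(200)
```

Run fetch_challenge once without origin_ip and once with it: a 403 only on the first run, with a CF-RAY header present, means the edge is blocking the challenge and the origin never saw it.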