Troubleshooting a Let’s Encrypt SSL certificate

Overview

This article provides steps to help you fix various issues that may occur when installing a new Let's Encrypt SSL certificate.

Hosting and DNS

There are various reasons why a new Let's Encrypt SSL certificate does not install properly. The following sections provide solutions to the most common hosting and DNS issues that you may encounter.

Hosting not configured

If your domain is set to DNS Only, or a hosting plan has not been added yet, Let's Encrypt won't be able to validate your domain, and the SSL installation will fail. Make sure a hosting plan has been added and properly configured before attempting to install the certificate again. See this article for more information.

Your domain is hosted elsewhere

In order to install a new Let's Encrypt SSL certificate, your domain must be fully hosted, redirected, or parked at DreamHost. If your domain is registered at another company, make sure that your domain's DNS is currently pointing to DreamHost. See this article for more information.

DNS has not propagated yet

After you point your domain's DNS to DreamHost, it may take some time for the change to fully propagate, and you may see an Order Processing message in your panel during that period. Once DNS has propagated, DreamHost continues the installation of the new certificate automatically. See this article for more information.

Checking the CAA records

Certification Authority Authorization (CAA) records control which certificate authorities (CAs) may issue certificates for your domain. Before issuing, a CA looks up CAA records for the domain name and, if none are found there, for its parent domains. If no CAA records exist anywhere in that chain, any CA may issue. If CAA records exist but none of them lists Let's Encrypt, the certificate request will fail.

  • If your DNS is managed by DreamHost and an existing CAA record does not list Let's Encrypt, a CAA record with the following values is created for you automatically:
Host: @ | Flag: 0 | Tag: issue | Value: "letsencrypt.org"
  • If your DNS is hosted elsewhere, you'll need to add this record manually using your DNS provider's control panel. See this article to learn more.
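To confirm what a CA will see before retrying the installation, the following shell script is an added example (not DreamHost's or Let's Encrypt's tooling). It applies the CAA rules from RFC 8659 to a record set in the format printed by `dig +short CAA`: no CAA records means any CA may issue; otherwise the issuer must appear in an issue record (or an issuewild record for wildcard names, falling back to issue when no issuewild record exists), and an issue ";" record forbids every CA. The record text in the demo is constructed sample data; the check_caa_for function performs a live lookup and assumes dig is installed.

```shell
#!/bin/sh
# caa_check.sh - does a CAA record set permit Let's Encrypt to issue?
# Records are expected in `dig +short CAA name` format, one per line, e.g.
#   0 issue "letsencrypt.org"
#   0 issuewild ";"

# caa_allows_issuer ISSUER TAG RECORDS
#   ISSUER  the CA's identifying domain, e.g. letsencrypt.org
#   TAG     issue (ordinary names) or issuewild (wildcard names)
#   RECORDS the dig +short output, possibly empty
# Returns 0 if issuance is permitted, 1 if it would be refused.
caa_allows_issuer() {
  issuer="$1"
  tag="${2:-issue}"
  records="$3"
  if [ -z "$records" ]; then
    echo "no CAA records: any CA may issue"
    return 0
  fi
  # Drop the quotes, then compare the issuer domain (the part before any ';'
  # parameter list) against the matching tag. Per RFC 8659 a wildcard name
  # uses issuewild records when any exist and falls back to issue otherwise.
  if printf '%s\n' "$records" | tr -d '"' | awk -v t="$tag" -v i="$issuer" '
      $2 == "issue"     { split($3, p, ";"); if (p[1] == i) ok_issue = 1 }
      $2 == "issuewild" { have_wild = 1; split($3, p, ";"); if (p[1] == i) ok_wild = 1 }
      END {
        if (t == "issuewild") exit (have_wild ? !ok_wild : !ok_issue)
        exit !ok_issue
      }'; then
    echo "CAA permits $issuer ($tag)"
    return 0
  fi
  echo "CAA present but does not list $issuer for $tag: issuance will fail"
  return 1
}

# Live check (not exercised by the demo): a CA uses the CAA set of the closest
# ancestor name that has one, so climb from the full name toward the root.
# Assumes dig is available and the resolver is reachable.
check_caa_for() {
  name="$1"
  tag="${2:-issue}"
  while [ -n "$name" ]; do
    records=$(dig +short CAA "$name" 2>/dev/null)
    if [ -n "$records" ]; then
      echo "CAA record set found at $name"
      if caa_allows_issuer letsencrypt.org "$tag" "$records"; then return 0; else return 1; fi
    fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
  caa_allows_issuer letsencrypt.org "$tag" ""
}

# Demo on constructed records (sample data, not a live lookup): the base name
# is permitted, but the ";" issuewild record refuses wildcard issuance.
caa_allows_issuer letsencrypt.org issue '0 issue "letsencrypt.org"
0 issuewild ";"'

# Run `./caa_check.sh example.com` to check a real name.
if [ -n "${1:-}" ]; then check_caa_for "$1"; fi
```

A mismatch reported here is exactly the condition the CA itself will hit, so fix the record at whichever name the climb stopped at before requesting the certificate again.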

Cloudflare

Cloudflare is a third-party Content Delivery Network (CDN) and security service. Though DreamHost does not offer or support Cloudflare, you can set it up for free on your own through Cloudflare’s website. For additional CDN acceleration services, DreamHost offers Bunny CDN.

When your domain is proxied through Cloudflare, installing or renewing a Let's Encrypt certificate may fail if Cloudflare's security features block the validation request before it reaches DreamHost.

Let's Encrypt validates over HTTP using an automated client, so features that challenge suspected bots, such as Bot Fight Mode or Under Attack Mode, may block its requests intermittently or consistently and cause issuance to fail. Failures can happen even when Bot Fight Mode is turned off, because other settings, including Browser Integrity Check, Security Level and User Agent Blocking, can also challenge or block the request. That is why the rule below skips all of these components for validation traffic.

Creating a Cloudflare rule

To create a Cloudflare WAF custom rule that lets Let's Encrypt validation requests through without interference:

  1. Open the Cloudflare dashboard and navigate to Security > WAF > Custom Rules.
  2. Click Create rule.
  3. Set the following:
    • Rule name: Let's Encrypt Bypass
    • Field: User Agent
    • Operator: contains
    • Value: Let's Encrypt validation server
  4. Under Then take action, choose Skip.
  5. Enable Log matching requests.
  6. Under WAF components to skip, make sure the following options are checked:
    • All remaining custom rules
    • All rate-limiting rules
    • All managed rules
    • All Super Bot Fight Mode Rules
  7. Under More components to skip, make sure the following options are checked:
    • Zone Lockdown
    • User Agent Blocking
    • Browser Integrity Check
    • Hotlink Protection
    • Security Level
  8. Set Place at: First
  9. Save the rule.

The rule lets Let's Encrypt validation traffic through Cloudflare's protection layers while normal visitors remain protected. One caveat: the User-Agent header is supplied by the client, so anyone can send the string "Let's Encrypt validation server" and inherit the skip. To keep the bypass narrow, add a second condition to the rule (And: Field URI Path, Operator contains, Value /.well-known/acme-challenge/) so that only requests for the ACME challenge path are exempted; Let's Encrypt's HTTP validation requests are made for that path.

Configuring the Cloudflare SSL/TLS setting

When your DreamHost origin has a valid SSL certificate such as Let's Encrypt, it is recommended to set Cloudflare's SSL/TLS mode to Full (Strict). This ensures:

  • The connection between the visitor and Cloudflare is encrypted.
  • The connection between Cloudflare and DreamHost is both encrypted and authenticated, meaning Cloudflare verifies the certificate rather than simply accepting it.

Full (Strict) provides the highest level of security and avoids the weaknesses of the other modes: Flexible leaves the connection between Cloudflare and DreamHost unencrypted, and Full encrypts it but accepts any certificate, so it does not protect against an impersonated origin. Because Full (Strict) requires the origin certificate to be valid, trusted and unexpired, enable it only once the Let's Encrypt certificate has actually been installed; otherwise Cloudflare returns an error (HTTP 526) instead of your site. See this article to learn more about how to modify this setting.
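Once the WAF rule and the SSL/TLS mode are in place, it helps to request the ACME challenge path through Cloudflare exactly as Let's Encrypt would and read the answer. The script below is an added example and is not part of DreamHost's article or of Cloudflare's or Let's Encrypt's tooling. It asks for a made-up token with Let's Encrypt's User-Agent string and classifies the response: HTTP 200 or 404 means the request reached the DreamHost origin (404 is the expected answer for a token that does not exist), a cf-mitigated: challenge header means Cloudflare served a challenge page in front of the origin, and 525 or 526 point at the origin certificate under Full (Strict). The header texts in the demo are constructed samples, not captured traffic; probe_acme_path assumes curl and network access.

```shell
#!/bin/sh
# acme_probe.sh - interpret what Cloudflare returns for an ACME http-01 request.

# classify_acme_response HEADERS
#   HEADERS is the status line plus response headers, as printed by
#   `curl -sS -o /dev/null -D -`. Returns 0 when the request reached the
#   origin, 1 when something in front of the origin interfered.
classify_acme_response() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')          # curl emits CRLF line endings
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  lower=$(printf '%s\n' "$headers" | tr 'A-Z' 'a-z')
  case "$status" in
    200|404)
      # 404 is the right answer for a token we invented: the origin itself
      # replied, so a real challenge file would have been served.
      echo "ok: origin reached (HTTP $status)"; return 0 ;;
    301|302|307|308)
      # Let's Encrypt follows redirects (e.g. Always Use HTTPS); re-probe the target.
      echo "redirect (HTTP $status): re-run the probe against the Location target"; return 0 ;;
  esac
  # Cloudflare marks its challenge pages with this header.
  if printf '%s\n' "$lower" | grep -q '^cf-mitigated: challenge'; then
    echo "blocked: Cloudflare served a challenge page (Bot Fight Mode, Security Level or Under Attack Mode)"
    return 1
  fi
  case "$status" in
    403)     echo "blocked: HTTP 403 (a WAF rule or the origin denied the request)" ;;
    525)     echo "origin TLS handshake failed (HTTP 525)" ;;
    526)     echo "origin certificate not trusted under Full (Strict) (HTTP 526): install or renew the certificate first" ;;
    52[0-9]) echo "Cloudflare could not get a valid answer from the origin (HTTP $status)" ;;
    *)       echo "unexpected HTTP $status" ;;
  esac
  return 1
}

# Live probe (not exercised by the demo). The token is random because only the
# path and the User-Agent matter for the WAF decision. Assumes curl is installed.
probe_acme_path() {
  domain="$1"
  classify_acme_response "$(curl -sS -o /dev/null -D - \
    -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" \
    "http://$domain/.well-known/acme-challenge/probe-$(date +%s)")"
}

# Demo on constructed header text (sample data, not captured traffic): the origin
# answered 404 through Cloudflare, which is the healthy outcome for a fake token.
classify_acme_response "$(printf 'HTTP/2 404\r\nserver: cloudflare\r\ncontent-type: text/html\r\n')"

# Run `./acme_probe.sh example.com` to probe a real domain.
if [ -n "${1:-}" ]; then probe_acme_path "$1"; fi
```

If the probe reports a challenge page, the custom rule is not matching (check its position and the User-Agent value); if it reports 526, the certificate on the DreamHost side is the problem, not the WAF.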
