Using LetsEncrypt with Cloudflare
So, you want to run your site through Cloudflare, but then you have problems when your LetsEncrypt SSL certificate won’t renew.
The problem is that the LetsEncrypt client performs its domain verification over plain http (port 80), while if you’ve set Cloudflare up to be secure you’ll be using Full SSL, which encrypts traffic from the browser to Cloudflare and from Cloudflare to your (origin) server.
You have two options here:
1. The manual way
You’ll need to keep track of your own certificate expiry dates. When the certificate is due for renewal you can log into Cloudflare and disable the protection for a short while.
Then, log into WebCP and click on Domains->Free SSL and renew the certificate with Cloudflare disabled.
Once the certificate has been reissued you can re-enable Cloudflare.
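If you go the manual route you need to know when the origin certificate is about to expire. The script below is an added example (not part of this article or WebCP) that reads the expiry date straight from the origin server. One detail matters with Cloudflare in front: connecting to the public hostname returns Cloudflare's edge certificate, not the LetsEncrypt certificate on your origin, so the script connects to the origin IP directly and sends the domain name via SNI. The 30-day threshold, the origin IP and the domain are assumptions you supply on the command line.

```python
"""Report how long the origin's LetsEncrypt certificate has left.

Added example, not from the original article. Cloudflare terminates TLS
at its edge, so to see the certificate your own server presents you must
connect to the origin IP and send the domain name as SNI.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption: renew when 30 days or fewer remain (LetsEncrypt certificates
# are issued for 90 days, and most clients renew at the 30-day mark).
DEFAULT_THRESHOLD_DAYS = 30


def fetch_origin_cert(domain, origin_ip, port=443, timeout=10):
    """Return the parsed certificate the origin presents for `domain`.

    The TCP connection goes to `origin_ip` (bypassing Cloudflare), while
    `server_hostname` sets SNI and is the name the certificate is checked
    against, so a valid certificate for `domain` passes verification.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert()


def days_until_expiry(not_after, now=None):
    """Days left given the 'notAfter' string from getpeercert(),
    e.g. 'Jun 12 12:00:00 2025 GMT' (the string is always in GMT)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds() / 86400


def renewal_due(not_after, now=None, threshold_days=DEFAULT_THRESHOLD_DAYS):
    """True when the certificate is inside the renewal window."""
    return days_until_expiry(not_after, now) <= threshold_days


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <domain> <origin-ip>")
    domain, origin_ip = sys.argv[1], sys.argv[2]
    cert = fetch_origin_cert(domain, origin_ip)
    left = days_until_expiry(cert["notAfter"])
    print(f"{domain}: certificate expires {cert['notAfter']} ({left:.1f} days left)")
    if renewal_due(cert["notAfter"]):
        print("Renewal is due: disable Cloudflare, renew in WebCP, then re-enable it.")
```

Run it from cron a few times a week; if `fetch_origin_cert` raises an `ssl.SSLCertVerificationError` the certificate has most likely already expired, which is the situation you are trying to avoid.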
2. The automatic way
WebCP will automatically attempt to run the renewal client to renew certificates. For that to work, your server needs to accept regular http traffic to /.well-known/acme-challenge/* so that LetsEncrypt can run its domain verification challenge.
To do this, log into Cloudflare and add a page rule.
The rule should be *yourdomain.com/.well-known/acme-challenge/*
For “Then the settings are”, select SSL and then set it to OFF.
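Once the page rule is in place you will want to confirm that it actually does what you intend before the next renewal comes round. The script below is an added example (not from this article or WebCP) that requests a made-up token under /.well-known/acme-challenge/ over plain http with redirects disabled, and reports whether the answer came from the origin or was a redirect to https://, which is exactly what the rule is meant to prevent. The domain is supplied on the command line; the token value is a constructed placeholder and is expected to produce a 404 from the origin, which still counts as a pass because the request reached the origin over http.

```python
"""Check that the ACME challenge path is served over plain http through Cloudflare.

Added example, not from the original article. It sends one request with
redirects disabled and classifies the result. A 404 for the made-up token
is fine: it proves the request reached the origin without being bounced
to https.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """Interpret the (status, Location) pair from a probe.

    'ok'             - the origin answered directly (200, 404, ...)
    'https-redirect' - bounced to https://, so the challenge path is not
                       being served over plain http
    'other-redirect' - redirected elsewhere; look at it by hand
    """
    if status in REDIRECT_CODES:
        if urlparse(location or "").scheme == "https":
            return "https-redirect"
        return "other-redirect"
    return "ok"


def probe(domain, token="probe-token-not-a-real-challenge", timeout=10):
    """Request the challenge URL over http and return (status, Location)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx and 4xx both arrive here.
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <domain>")
    status, location = probe(sys.argv[1])
    verdict = classify(status, location)
    print(f"HTTP {status} Location={location!r} -> {verdict}")
    if verdict != "ok":
        print("The page rule is not taking effect; check the URL pattern and the SSL setting.")
```

Run it once after saving the page rule and again after any change to your Cloudflare SSL settings; a result of `https-redirect` means the rule pattern does not match the URL Cloudflare is seeing (a common cause is a missing www. variant).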