Let's Encrypt with Cloudflare


#1

Hi

Has anyone worked out a workaround to use LetsEncrypt with Cloudflare?


#2

You don’t need Let’s Encrypt with CloudFlare.

Enable HTTPS on CloudFlare and relax. They offer http/2 support and you don’t even need a certificate on your site (i.e., CloudFlare serves http/2, but you just have to serve plain http to CloudFlare).


#3

Yes I have. After deploying LetsEncrypt, you need to set the SSL option at Cloudflare from Flexible to Full or Strict in order for it to work. Full is recommended in case you forget to regenerate LetsEncrypt every 90 days.

Yes, Cloudflare SSL could work even without a certificate on our site (Flexible mode), but having one could help us against (or at least lessen) a Man-in-the-Middle attack between our site and Cloudflare.


#4

Thanks for your input, Gents.

Just to be clear: if I use Letsencrypt with the Full SSL setting, do I need 1 setup per site or just one for the root server?


#5

Since you use Letsencrypt, it is recommended to use 1 setup per site because SSL is about trust and Letsencrypt is trusted among browsers.

However, since you combine Letsencrypt + the Cloudflare Full SSL setting, visitors will get Cloudflare SSL, not Letsencrypt SSL. Moreover, since you chose the Full SSL setting, Cloudflare may ignore the trust level of Letsencrypt. So, in this case 1 setup may work for many sites on your server (although I never tested it).

I came to this conclusion because I sometimes use snakeoil.conf (a self-signed certificate generated by EasyEngine) for my sites combined with the Cloudflare Full SSL setting.


#6

You don’t need a workaround, I use that config with my personal site, you just need to set Cloudflare’s SSL to Full.

I would advise using this kind of config over Flexible as it’s more secure.


#7

Thanks Nicholas, but Cloudflare changes the IP address. How does LetsEncrypt do an auto-update?


#8

It doesn’t because it doesn’t need to. CloudFlare works as a reverse proxy, not a host, so although your user sees a different IP address, they are still accessing your host’s IP address. That means that you basically use two certificates for a Full SSL connection.

To put it basically, when you access a hosted site that has Full SSL and is on CloudFlare you will generally see a CloudFlare hosted certificate, not the host’s. However, what Full SSL does is it not only protects the user’s connection to CloudFlare from your site with the CloudFlare cert, but also from CloudFlare to your host with your site’s cert, which is LetsEncrypt on this occasion.

You can read up on it here: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-SSL-Only-mean-


#9

OK, I get that. However when I run:

ee site update xxx.com --letsencrypt

I get an error:

Unable to set up Let’s Encrypt. Please make sure that your site is pointed to the same server on which you are running the Let’s Encrypt client to allow it to verify the site automatically.

In fact they are running on the same server.

Any ideas? Maybe the ee command isn’t appropriate?

TIA


#10

Forget using Let’s Encrypt + CloudFlare SSL.

You already know that the LE client demands the domain to resolve exactly to the same IP it is being run from.


#11

Well, that might be because you have already pointed the domain to CloudFlare, so it is resolving to that IP. You would have to do this when your IP is not registered to CloudFlare and then link to CloudFlare after the registration of Let’s Encrypt.

That’s just a guess, I did mine when it was linked to CloudFlare so I am unsure.

Edit: I did some looking up and DigitalOcean confirmed in their own tutorial that you would need to disable CloudFlare temporarily in order for it to work. That’s obviously just for the registration, after which Let’s Encrypt will know what IP to resolve to.

“Note: If your domain is routing through a DNS service like CloudFlare, you will need to temporarily disable it until you have obtained the certificate.”


#12

That’s actually false, Let’s Encrypt has confirmed that it will work with CloudFlare, in fact, Let’s Encrypt works closely with CloudFlare to implement both technologies.

My own website is proof of it working.


#13

Yes, Nicholas, that’s why I value your input. Did you take Cloudflare offline to set up the site’s Let’s Encrypt certificate, and if so, does it update automatically?


#14

First, make sure the cloudflare cloud icon is grey.

If you are going to set up SSL for ssl.example.com, you must do these two things in Cloudflare DNS.

  1. Add ssl.example.com
  2. Add www.ssl.example.com

If you forget #2, you’ll see this error.

Unable to setup, Let’s Encrypt Please make sure that your site is pointed to same server on which you are running Let’s Encrypt Client to allow it to verify the site automatically.

This is the easiest Let’s Encrypt setup for Cloudflare DNS hosted domains.


#15

What’s the point of having SSL on the server if users will only see CloudFlare’s SSL at all?


#16

I use cloudflare mostly for DNS.


#17

Reducing man-in-the-middle attacks

If somehow hackers (or NSA) find out your IP, they can sit between your VPS and CloudFlare.

Nice article here


#18

Switch to full SSL (strict) at cloudflare


#19

You can do a webroot authentication. This is where it copies a folder to your webroot and then accesses it so the IP isn’t an issue. I use cloudflare and lets encrypt and this is how I did it.
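The webroot method described in this post works because the CA validates the domain by fetching a file over plain HTTP at a well-known path, and that request passes through Cloudflare's proxy to the origin like any other visitor request, so the address the domain resolves to does not matter. The following is an added example, not code from the thread or from EasyEngine or Let's Encrypt: a small Python model of the two halves of that exchange, the ACME client placing the challenge file under the document root and the web server answering the CA's request for it. The token, key authorization and directory paths used in it are constructed for the demonstration; a real client such as certbot's `--webroot` mode fills them in from the ACME server.

```python
"""Model of webroot (HTTP-01) validation: the client writes
/.well-known/acme-challenge/<token> under the site's document root and the
CA fetches that URL over HTTP. Added example with constructed sample values."""
import re
import tempfile
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"
URL_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url; anything else (".", "/", "%") is not a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def place_challenge(webroot, token, key_authorization):
    """Client side: drop the key authorization into the challenge directory
    under the document root, creating the directory on first use."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    target = Path(webroot) / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    path = target / token
    path.write_text(key_authorization)
    return path


def serve_challenge(webroot, request_path):
    """Server side: map the CA's request URL to the file under the webroot
    and return its body, or None for anything that is not a valid token
    (which also rules out ".." and path separators)."""
    if not request_path.startswith(URL_PREFIX):
        return None
    token = request_path[len(URL_PREFIX):]
    if not TOKEN_RE.match(token):
        return None
    path = Path(webroot) / CHALLENGE_DIR / token
    try:
        return path.read_text()
    except FileNotFoundError:
        return None


def simulate_validation(token="tokEn_123-abc",
                        key_authorization="tokEn_123-abc.ACCOUNT_THUMBPRINT"):
    """Round trip in a throwaway webroot: True if what the 'CA' fetches is
    exactly what the client placed. Sample token/thumbprint are constructed."""
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, token, key_authorization)
        body = serve_challenge(webroot, URL_PREFIX + token)
        return body == key_authorization


if __name__ == "__main__":
    print("validation would succeed:", simulate_validation())
```

The only thing the origin has to guarantee is that `/.well-known/acme-challenge/` is served from the same directory the client writes to and is reachable over HTTP through the proxy; an "always redirect to HTTPS" rule that also covers that path is the usual reason webroot validation fails behind Cloudflare.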


#20

The Cloudflare shared or Flexible SSL certificate just protects the connection between your site visitors and CloudFlare, but not from CloudFlare to your server. :smirk:

See the explanation here: https://www.cloudflare.com/ssl/
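Several posts above (#3 on the 90-day renewal, #8 and this one on the second, CloudFlare-to-origin leg, #18 on Full (strict)) come down to one question: what certificate does the origin present when Cloudflare connects to it, and would that certificate pass the validation Full (strict) performs? The script below is an added example, not code from the thread or from Cloudflare; it connects straight to the origin IP with SNI set to the site hostname, exactly as the proxy does, verifies the certificate against the local trust store, and reports days to expiry. The hostname `www.example.com` and the origin address `203.0.113.10` are placeholders, and the 30-day renewal threshold is an assumption you can change.

```python
"""Inspect the certificate an origin serves when contacted directly by IP
with SNI for the site's hostname, i.e. the one Cloudflare sees behind the
proxy. Added example; hostname, origin IP and threshold are placeholders."""
import socket
import ssl
from datetime import datetime, timezone


def hostname_matches(hostname, san_names):
    """True if hostname is covered by a DNS SAN entry. A leading wildcard
    label (*.example.com) matches exactly one label, as browsers require."""
    hostname = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if hostname.endswith(suffix) and hostname.count(".") == name.count("."):
                return True
        elif name == hostname:
            return True
    return False


def evaluate_cert(cert, hostname, now=None, renew_within_days=30):
    """Summarise a certificate dict in the SSLSocket.getpeercert() format:
    days left, whether it is expired or due for renewal (assumed 30-day
    window), and whether the hostname is in its SAN list."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    days_left = (expires - now).days
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "expires_in_days": days_left,
        "expired": expires < now,
        "needs_renewal": days_left <= renew_within_days,
        "name_matches": hostname_matches(hostname, san),
    }


def check_origin(hostname, origin_ip, port=443, timeout=5.0):
    """Connect to origin_ip with SNI=hostname and verify the chain and name
    against the local trust store, which is what Full (strict) demands.
    Returns the evaluate_cert() summary with strict_ok=True, or a dict with
    strict_ok=False and the verification failure reason (self-signed,
    expired, wrong name): such an origin is still encrypted under Full,
    but rejected under Full (strict)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"strict_ok": False, "reason": exc.verify_message}
    summary = evaluate_cert(cert, hostname)
    summary["strict_ok"] = True
    return summary


if __name__ == "__main__":
    # Placeholders: substitute your site and its real origin address.
    print(check_origin("www.example.com", "203.0.113.10"))
```

Run it against the origin's real address rather than the name, otherwise you are looking at Cloudflare's edge certificate and learn nothing about the second leg. A `strict_ok: False` result with a self-signed reason is the snakeoil situation from #5: traffic to the origin is encrypted but the origin is not authenticated, which is the gap Full (strict) closes.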