Users should always have a valid SSL certificate on their origin server. There are advantages to using a certificate from a valid certificate authority (vs. a self-signed certificate of their own creation or one from ).
When Cloudflare added the Always Use HTTPS option it was an ‘easy button’ for advancing the use of TLS everywhere. It also had the added benefit of saving the use of a page rule.
As the web has evolved, the process for automating/ordering a TLS certificate has evolved along with it. Given the new, more powerful rules engine Cloudflare has implemented for edge processing, I’d like to suggest that the easy button evolve as well.
Enter: Almost Always Use HTTPS
This function would be an extension to the existing functionality (obviously some code logic would need to change) and would allow a customer to choose to allow HTTP requests for http://example.com/.well-known/acme-challenge/* and any other common paths that require HTTP vs. HTTPS to function (if they exist).
From the Let’s Encrypt challenge types page:
Most of the time, this validation is handled automatically by your ACME client, but if you need to make some more complex configuration decisions, it’s useful to know more about them. If you’re unsure, go with your client’s defaults or with HTTP-01.
HTTP-01 challenge
This is the most common challenge type today. Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/
In the community forums it is a fairly common issue that customers can’t issue certificates with their hosting provider, because the provider utilizes this mechanism by default to issue valid origin certificates. To work around this, the customer either needs to their record to allow the request direct to the origin, or they need to create a redirect rule with an appropriate exception pattern. Both cause friction and introduce the opportunity for misconfiguration or other security risks to the sites.
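To make the "redirect rule with an exception pattern" concrete, here is a small added example (not Cloudflare's or Let's Encrypt's code) of the decision an edge rule has to make: send plain-HTTP requests to HTTPS, except for well-formed HTTP-01 challenge paths. The path prefix and token format follow the ACME specification (RFC 8555); the path normalization step is the part people most often forget when hand-writing an exception pattern, since a prefix match alone would also let `/.well-known/acme-challenge/../something` through.

```python
"""HTTPS-redirect policy with an ACME HTTP-01 exception.

Added illustration only; it is not Cloudflare's rules engine or any ACME client.
"""
import posixpath
import re
from urllib.parse import urlsplit

# HTTP-01 challenge path prefix, as published by Let's Encrypt / RFC 8555.
ACME_PREFIX = "/.well-known/acme-challenge/"

# ACME tokens are base64url characters only (RFC 8555 section 8.3);
# anything else is not a challenge and gets the normal redirect treatment.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def decide(url: str) -> str:
    """Classify a request as 'pass' (serve as-is), 'redirect' (send to HTTPS), or 'block'."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "pass"
    if parts.scheme != "http":
        return "block"

    # Collapse "." and ".." segments so the exception cannot be used to reach
    # other paths over plain HTTP (e.g. "/.well-known/acme-challenge/../admin").
    path = posixpath.normpath(parts.path or "/")

    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        if TOKEN_RE.fullmatch(token):
            return "pass"  # genuine HTTP-01 challenge request; must stay on HTTP
    return "redirect"


def https_location(url: str) -> str:
    """Build the Location header value for the redirect: same URL, scheme swapped."""
    return urlsplit(url)._replace(scheme="https").geturl()


if __name__ == "__main__":
    # Constructed sample requests for a quick manual run.
    for sample in (
        "http://example.com/.well-known/acme-challenge/aBc123_-",
        "http://example.com/.well-known/acme-challenge/../admin",
        "http://example.com/login?next=/account",
        "https://example.com/anything",
    ):
        verdict = decide(sample)
        extra = f" -> {https_location(sample)}" if verdict == "redirect" else ""
        print(f"{verdict:8} {sample}{extra}")
```

The same two checks (exact prefix after normalization, token restricted to base64url characters) are what an exception pattern in a redirect rule should encode; a looser pattern widens the HTTP-only surface beyond the challenge directory.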
The Easy Button has value for an average user and this minor enhancement would allow a straightforward mechanism for bypass where the risk to the origin is likely exceptionally low.