There is a site I have more recently been working on. They are hosted on AWS EC2 with Cloudflare active on the primary domain, and there’s a secondary domain not associated with Cloudflare that is pointed directly at the AWS IP address, which is simply redirected to the primary domain; however, it is used for email.
In Cloudflare, there is an Edge certificate on the primary domain, and Full encryption mode is enabled and it says it’s active / working: https://cln.sh/TvfQNLjq
On the server, there is a Let’s Encrypt SSL cert covering the main domain and the redirected domain. I did not set this up.
I believe that SSL cert was supposed to auto-renew, but it recently expired, and I went to manually renew it using the bncert tool, but it’s giving an error that the primary domain “resolves to a different IP address”, which I’m sure is due to Cloudflare.
The primary domain has seemingly been unaffected since it expired, but the redirected domain is giving the “Connection Not Private” error.
What is the best solution here, should I override it, or remove the primary domain from the cert?
Correct. Since the DNS records are proxied, we get a Cloudflare IP and LE cannot renew the origin host/server SSL certificate (even though Cloudflare’s Universal SSL is also possibly using LE …).
Quite a good question.
From what I understood by reading, hopefully correctly, since you’re using LE’s SSL certificate, I’d suggest you temporarily enable and use the “Pause Cloudflare for this site” option from the bottom right corner of the Cloudflare dashboard. Give it a few minutes. Retry the process of renewing your origin LE SSL certificate. Upon success, switch the option back and make sure your DNS records are proxied.
Might want to use Full (Strict) SSL if not already.
That’s a good idea that I had not considered. It is, however, a pretty high-traffic site, and if I disable Cloudflare then I believe it will show the ‘Connection Not Private’ error to visitors, since the LE cert is expired.
Sure, it would be brief, but if it’s possible to avoid it that would be ideal. If it’s not possible then I suppose I’ll choose a low-traffic time.
I mentioned overriding the validation during the renewal, is that a feasible option?
Or is there any way to do it without having to temporarily display the site as insecure?
We’re on the Pro plan in Cloudflare. HSTS is not enabled and neither is the Always Use HTTPS option. However, it is configured somewhere to force HTTPS, as all traffic is currently redirected HTTP → HTTPS.
Thanks for the links, I had a look through those and a lot of other posts as well. It’s not making sense to me how I can use another validation method, because this is pretty unfamiliar to me.
I think I’ll try your original suggestion and use the setting to pause Cloudflare and renew it that way.
Currently Cloudflare shows that the site has Full encryption mode: https://cln.sh/TvfQNLjq
Doesn’t that mean that there must be a valid origin cert? The LE cert is expired so shouldn’t this be saying it’s not encrypted end to end?
I guess as per this article ( https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/ ) it says that it doesn’t validate the cert, so that is why it’s still working, right?
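Taking the earlier reply (the name resolves to a Cloudflare edge address, so the renewal check never reaches the origin) together with the point just above (Full mode does not validate the origin certificate, so the dashboard stays green while the origin cert is expired), here is an added Python example that is not from the thread, from Cloudflare or from Bitnami. It classifies what a hostname resolves to, and it reads the origin certificate's expiry straight from the origin IP with the site's hostname as SNI, bypassing the proxy, so the real origin cert can be checked without pausing Cloudflare. The embedded Cloudflare range snapshot, the dependency on the `openssl` CLI, and the sample addresses (203.0.113.10 and 198.51.100.7 are constructed TEST-NET values) are assumptions.

```python
"""
Added example (not from the thread): why an HTTP-01 renewal behind Cloudflare's proxy
fails, and how to read the origin certificate directly instead of trusting the
dashboard's "Full" status. Standard library plus the openssl CLI only.
"""
import ipaddress
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Cloudflare publishes its edge ranges at https://www.cloudflare.com/ips-v4 .
# This snapshot is embedded as an assumption so the checks run offline; refresh it from that URL.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address belongs to one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def classify_resolution(resolved_ip: str, origin_ip: str) -> str:
    """Why bncert complains that a name 'resolves to a different IP address'.

    'direct'  : DNS-only record, the ACME HTTP-01 request reaches the origin.
    'proxied' : orange-cloud record, the request lands on Cloudflare's edge instead.
    'other'   : points somewhere else entirely (stale record, wrong zone, ...).
    """
    if resolved_ip == origin_ip:
        return "direct"
    if is_cloudflare_ip(resolved_ip):
        return "proxied"
    return "other"


def parse_enddate(openssl_line: str) -> str:
    """Strip the 'notAfter=' prefix from `openssl x509 -noout -enddate` output."""
    line = openssl_line.strip()
    if not line.startswith("notAfter="):
        raise ValueError(f"unexpected openssl output: {line!r}")
    return line[len("notAfter="):]


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Days left on a cert given an OpenSSL-style date such as 'Jun  1 12:00:00 2024 GMT'.
    Negative means the certificate has already expired."""
    exp = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (exp - now).days


def assess(resolution: str, days_left: int) -> str:
    """Map the two measurements onto the situation described in the thread."""
    if days_left >= 0:
        return "ok"
    # Expired origin cert. Through the proxy, visitors still receive Cloudflare's edge cert
    # and "Full" mode does not validate the origin, so the dashboard stays green; anything
    # that bypasses the proxy (a DNS-only hostname, or the redirect domain) shows a TLS error.
    return "expired-hidden-by-proxy" if resolution == "proxied" else "expired-visible"


def origin_cert_not_after(hostname: str, origin_ip: str, port: int = 443) -> str:
    """Read notAfter from the origin itself: connect to the origin IP while sending the
    site's hostname as SNI, so the proxy is bypassed and the real origin cert is returned.
    Works while Cloudflare stays enabled; the site does not need to be paused."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{origin_ip}:{port}", "-servername", hostname],
        input=b"", capture_output=True, timeout=20,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return parse_enddate(x509.stdout.decode())


if __name__ == "__main__":
    import socket
    import sys
    # Usage: python check_origin_cert.py example.com 203.0.113.10   (hostname, origin IP)
    host, origin = sys.argv[1], sys.argv[2]
    resolved = socket.gethostbyname(host)
    res = classify_resolution(resolved, origin)
    left = days_until_expiry(origin_cert_not_after(host, origin))
    print(f"{host} resolves to {resolved} ({res}); origin cert expires in {left} days -> {assess(res, left)}")
```

Run with the site's hostname and the EC2 instance's public IP; a negative day count with resolution `proxied` is exactly the state in this thread, where the proxied domain looked fine and the non-proxied redirect domain threw the certificate error. The same direct-to-origin check is a useful post-renewal confirmation before switching the pause option back.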
I successfully renewed the cert during a low traffic time. I used the option to temporarily disable Cloudflare, and it only took 3 minutes for the DNS to update. Then the site was insecure just briefly while I used bncert to do the renewal. Then upon success, both sites were secure and I re-enabled Cloudflare.