I have a linux install on Vultr, running ubuntu 18.04. I set up a Let’s Encrypt cert on both my main (www) address, as well as my Cockpit ( :9080 ) address. It was working fine before I enabled cloudflare. But now I cannot seem to access my cockpit address. It just spins and spins, and eventually times out.
From the results you link, it seems as though custom ports (such as 9080) aren’t supported by cloudflare, unless you upgrade to the PRO plan. Is this correct?
More or less. Custom ports actually are only available on Spectrum under Enterprise plans.
- create a new subdomain (example.domain.tld)
- set it to DNS only
- point it to the same IP.
- call the new DNS-only subdomain with the port now (example.domain.tld:9080)
This bypasses CloudFlare, which gives you back ALL ports, but you will not benefit from all the CloudFlare features on this subdomain.
WARNING: this exposes your origin IP.
I personally do this quite a lot. But with really different generic Domains.
Also ordering Let’s Encrypt SSL Certs will expose your Origin IP btw… so better use CloudFlare ones on Domains/Subdomains which are getting routed through CloudFlare
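As an added example (not from this thread, and not Cloudflare's own tooling), here is a small Python check for the setup described in the steps above: it tells you whether a hostname currently resolves to Cloudflare's edge (proxied: only the standard ports pass, origin IP hidden) or straight to your own server (DNS-only: every port such as 9080 is reachable, origin IP visible). The Cloudflare ranges embedded are a sample subset copied for illustration; fetch the full, current list from https://www.cloudflare.com/ips-v4 before relying on it. The hostname and origin address in the usage block are constructed placeholders.

```python
"""Classify a hostname as proxied through Cloudflare or DNS-only (direct to origin)."""
import ipaddress
import socket

# Sample subset of Cloudflare's published IPv4 edge ranges (illustrative only;
# the authoritative list is https://www.cloudflare.com/ips-v4).
SAMPLE_CLOUDFLARE_RANGES = [
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
    "162.158.0.0/15",
    "173.245.48.0/20",
    "198.41.128.0/17",
]


def parse_ranges(cidrs):
    """Turn CIDR strings into ip_network objects once, so membership tests are cheap."""
    return [ipaddress.ip_network(c) for c in cidrs]


def is_cloudflare_ip(ip, networks):
    """True if the address falls inside any of the given edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(resolved_ips, origin_ip, networks):
    """Return one of:
    'proxied'    - every resolved address belongs to Cloudflare (orange cloud);
                   custom ports like 9080 will not reach the origin.
    'dns-only'   - the name resolves straight to the origin (grey cloud);
                   all ports are reachable and the origin IP is public.
    'unexpected' - a mix, or an address that is neither Cloudflare nor the origin.
    """
    if not resolved_ips:
        return "unexpected"
    cf_hits = [is_cloudflare_ip(ip, networks) for ip in resolved_ips]
    if all(cf_hits):
        return "proxied"
    if all(ip == origin_ip for ip in resolved_ips):
        return "dns-only"
    return "unexpected"


def resolve(hostname):
    """Live A-record lookup via the system resolver (network access required)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def report(hostname, resolved_ips, origin_ip, networks):
    """Human-readable summary of what the classification means for a custom port."""
    status = classify(resolved_ips, origin_ip, networks)
    consequences = {
        "proxied": "standard HTTP(S) ports only; origin IP hidden; :9080 will time out",
        "dns-only": "all ports reachable; origin IP exposed; :9080 works",
        "unexpected": "check the DNS record; resolved addresses do not match either case",
    }
    return f"{hostname} -> {resolved_ips}: {status} ({consequences[status]})"


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_CLOUDFLARE_RANGES)
    origin = "203.0.113.10"  # constructed placeholder for the Vultr origin address
    # Offline demonstration with constructed answers instead of a live lookup.
    print(report("www.example.test", ["104.16.1.1", "104.16.2.2"], origin, nets))
    print(report("cockpit.example.test", ["203.0.113.10"], origin, nets))
    # For a real check: print(report(host, resolve(host), origin, nets))
```

Run it against the proxied www name and the DNS-only subdomain after making the change; the second line should read `dns-only`, which is exactly the trade-off the steps describe: port 9080 works again, and the origin IP is visible to anyone who resolves that name.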
Sorry for the really noob question, but how do I use CloudFlare SSL certs instead of the Let’s Encrypt ones that I installed on my linux deployment?
Your question is not clear and does not seem to be related to ports.
If you stop proxying, you will be using your own certificates anyhow, and if you don’t, you will still need both certificates.
What is it you want to achieve? You won’t get that port over Cloudflare. Do you want to use the proxies at all?
A new Thread for this different topic would be good to not mix up things.
If you bypass CloudFlare you anyway will need a different “real” SSL Cert, as the ones created by CloudFlare will just work if you use CloudFlare on that Domain/Subdomain.
Ah @sandro already mentioned that
yeah I realized, I won’t get that port over cloudflare. So now I was just asking, how do I get the SSL cert on cloudflare instead of using Let’s Encrypt
You can’t “instead”, you still need the LE certificate on your server.
Well, that was confusing… M4rt1n just stated, “Also ordering Let’s Encrypt SSL Certs will expose your Origin IP btw… so better use CloudFlare ones on Domains/Subdomain which are getting routed through CloudFlare”
This made it seem like I would be using CloudFlare certs instead of Let’s Encrypt certs. So I went to delete the Let’s Encrypt certs on my server, and now my site doesn’t load. Guess I have to reinstall Let’s Encrypt…
Please use the search, that topic is discussed five to ten times a day and - sorry but - I don’t want to rehash this for the eleventh time today.
You need a certificate on the server, that’s it.
I did my research on my SSL certs, and I thought I understood it to mean that I need a cert (such as Let’s Encrypt), regardless of if I use CloudFlare or not… But M4rt1n’s comment confused me, in the way he worded it. I was just asking for clarification. No need to rehash anything
He was seemingly referring to Cloudflare’s Origin certificates. These are proper certificates and also allow for a secure connection, however only work in a proxied context and not outside.
I am not sure why he mentioned that an LE certificate would expose your address, as that is not necessarily the case (unless you use HTTP verification, but even then only LE gets the address, or actually any other configured address).
Anyhow, you need a certificate which is trusted by Cloudflare, that can be an Origin certificate or any publicly trusted one.
Thanks for the clarification. Yeah, I think I acted too fast. I deleted that cert, and now when I try to re-install it, I’m getting a bunch of nginx errors on my deployment. smh
Sorry for this, I thought I was clear enough with this:
For Domains which are just using DNS you can NOT use CloudFlare’s Certs, as they will not work if not proxied through CloudFlare. But you don’t need to remove anything now. Just go with Let’s Encrypt for now.
LE Certs can and most probably will expose your origin IP. But using CloudFlare as just DNS also does this. So this is “not excellent” but also not the worst thing on earth. Hiding the origin IP is just a nice feature which CloudFlare (due to its proxy Feature) gives for free.
My nginx deployment is all messed up now. I’ve tried searching, but how do I completely wipe certbot and start fresh? I’m running nginx on ubuntu 18.04. It won’t let me issue a new certificate, it keeps erroring out.
At this point this is a question for community.letsencrypt.org
If you plan to proxy, an Origin certificate might be easier to handle.
Let me explain this (even if OffTopic)
1. You can use https://crt.sh/ to look up any LE Cert and see its raw info. Just enter any Domain/Subdomain and you will get all Certs related to this. (also if not used HTTP Verification, as it uses a global public DB for this info)
Sometimes (older Certs) also include sensitive information like the public IP. Nowadays they are not exposed by “crt.sh” anymore. But they are still mostly publicly available.
2. Use https://censys.io/ipv4 or https://censys.io/certificates to search for a Domain and choose what it should show (Certs / IPv4 / Websites)
2.1 now enter any random Domain like v2ondemand.com --> https://censys.io/certificates?q=v2ondemand.com
2.2 it shows you a bunch of IPv4 and certs. Go for the Main Cert --> https://censys.io/certificates/f0084e82461e553703071bb2087964a33e5be56f63ab63a296830d227187d6f6
Notice: this is an LE Cert
2.3 Click on the right side on the dropdown with the label “Explore” and click “IPv4”
2.4 Check it out --> https://censys.io/ipv4?q=f0084e82461e553703071bb2087964a33e5be56f63ab63a296830d227187d6f6
2.5 write down IP -->
3. nslookup on same Domain:
3.1 Have a look:
3.2 write down IP -->
4. compare these IPs
This works on every LE Cert if you find the right one… also behind CloudFlare. So yes, Let’s Encrypt can expose your origin IP. It also worked for my Domains (which never had been exposed by CloudFlare) and never hosted any Mail (yes this also plays a big role) but still got exposed by LE Certs. For security and anonymity reasons I changed my IP.
Hope this answered your question @sandro
That is not LE leaking the certificate, however, but rather the server itself. If one doesn’t configure their servers properly and instead leaks that information, then of course that will be out in the public.
My point was that having an LE certificate issued does not leak that IP address per se.