When proxying traffic through Cloudflare, there are two certificates to consider, the edge certificate and the certificate on the origin server.
For edge certificates, Cloudflare uses 3-month LetsEncrypt certificates as the default. In the past they used 1-year DigiCert certificates but they’re in the process of phasing these out. You may still see them on some sites but when they expire they should get switched to LetsEncrypt. Fortunately, regardless of the issuer, Cloudflare handles renewal of the edge certificate automatically so you should never need to worry about it.
For the certificate on your origin server, if you can’t get LetsEncrypt automatic renewal working (why not?) you can generate a 15-year “origin certificate” through the Cloudflare dashboard and load it on your server. These certificates are ONLY valid for traffic proxied through Cloudflare, so if you ever need to bypass Cloudflare you will have a problem. Thus I regard them as kind of a last resort. But it’s an option.
I’ve never used WPengine but have you taken a look at this? It says that LetsEncrypt certificates should automatically renew It’s Time to Secure Your WordPress Site with HTTPS
(unless having the traffic proxied through Cloudflare breaks the renewal process, which I have seen with certain hosting providers)
That makes sense. The “pain” is that every 90 days I have to go to Cloudflare, switch it from proxied to DNS only, then goto WPE and request cert. It takes 10 minutes to validate and then I go back to CF and switch it back to Proxied.
The automatic renew gets stuck and errors out when it sees Proxied on CF
I could use the Wordpress platform optimization there on WPE but I would need to switch CF to DNS only. I tried that but pretty much zilch for traffic metrics on WPE
Problem is it is 20 or so sites with all different 90 day expirations so it seems like every two weeks I get an “Oops, it didn’t work”. I’ll check with WPE and see if there isn’t a nice “set it and forget it” setting somewhere.
Do they allow you to upload your own certificate? If so, you could just get one of the 15-year Cloudflare origin certificates, with the caveat that you’ll always have to have your traffic proxied through Cloudflare.
That makes sense too. Nice having smart people that I can ask questions of. I wondered if some filter/rule to act differently for that request.
If I did the 15-year origin I would need to do one for each site on WPE (15 or so) right?
I’m testing your page rule with one of my Github Pages sites, not testing actual certificate renewal yet, just testing curl requests to ./well-known/acme-challenge/ to see if it even behaves as expected, it it seems like it creates an infinite HTTP → HTTPS → HTTP redirect loop unless “Always Use HTTPS” is turned off for the entire domain. It seems like you can turn ON “Always Use HTTPS” via a page rule but you can’t turn it off via a rule? Basically HTTP forwards to HTTPS because of “Always Use HTTPS”, but then HTTPS forwards back to HTTP, because the page rule is using SSL mode Off.
It only “works” if I turn off Always Use HTTPS for the entire domain which I really don’t want to do
I’ve migrated about half of my Github Pages sites to Cloudflare Pages, very easy process and some good features like the _redirects file and the automatic stripping of “.html” from URLs (unpopular opinion apparently but I like it). I might migrate the rest eventually but I’m leery of putting too many eggs in one basket.
Good point. I handle all of my HTTP → HTTPS redirection at the origin and have an exception for the .well-known/acme-challenge/ path in my origin configs, too. If that won’t work for you, @craig.keefner, you may wind up needing to take the Cloudflare origin certificate route.
Yes, I just confirmed need to turn off always https. But if I want no brainer then the CF cert seems the way to go for me. I’m guessing I need a separate certificate for each site (I have 12 or so sites). I’m sure there is some sort of FAQ explaining procedure.
Thanks so much Epic for removing a bit of the mystery as to why things like this do work and don’t work.
Yes with Cloudflare’s “Origin Certificates” you’ll need one for each domain. If you have multiple sites per domain using subdomains, they can use the same certificate because it should include a *.example.com wildcard