When proxying traffic through Cloudflare, there are two certificates to consider: the edge certificate and the certificate on the origin server.
For edge certificates, Cloudflare uses 3-month Let's Encrypt certificates as the default. In the past they used 1-year DigiCert certificates, but they're in the process of phasing these out. You may still see them on some sites, but when they expire they should get switched to Let's Encrypt. Fortunately, regardless of the issuer, Cloudflare handles renewal of the edge certificate automatically, so you should never need to worry about it.
For the certificate on your origin server, if you can't get Let's Encrypt automatic renewal working (why not?) you can generate a 15-year "origin certificate" through the Cloudflare dashboard and load it on your server. These certificates are ONLY valid for traffic proxied through Cloudflare, so if you ever need to bypass Cloudflare you will have a problem. Thus I regard them as kind of a last resort. But it's an option.
I've never used WPengine, but have you taken a look at this? It says that Let's Encrypt certificates should automatically renew: https://wpengine.com/blog/its-time-to-secure-your-wordpress-site-with-https/
(unless having the traffic proxied through Cloudflare breaks the renewal process, which I have seen with certain hosting providers)
That makes sense. The "pain" is that every 90 days I have to go to Cloudflare, switch it from Proxied to DNS only, then go to WPE and request a cert. It takes 10 minutes to validate and then I go back to CF and switch it back to Proxied.
The automatic renewal gets stuck and errors out when it sees Proxied on CF.
I could use the WordPress platform optimization there on WPE, but I would need to switch CF to DNS only. I tried that but got pretty much zilch for traffic metrics on WPE.
Problem is it's 20 or so sites with all different 90-day expirations, so it seems like every two weeks I get an "Oops, it didn't work". I'll check with WPE and see if there isn't a nice "set it and forget it" setting somewhere.
Do they allow you to upload your own certificate? If so, you could just get one of the 15-year Cloudflare origin certificates, with the caveat that you’ll always have to have your traffic proxied through Cloudflare.
I'm sure they do, and that CF 15-year origin certificate looks pretty attractive. I have about 2-4 years before I retire and I see myself only getting deeper in with Cloudflare. Low overhead and great performance.
As long as you will be proxying your traffic through Cloudflare, the Origin certificate is certainly a feasible option that gives you a "one and done" solution.
I use a page rule to accommodate Let’s Encrypt automated renewals using HTTP-01 validation.
That makes sense too. Nice having smart people that I can ask questions of. I wondered if some filter/rule could act differently for that request.
If I did the 15-year origin I would need to do one for each site on WPE (15 or so) right?
Yes, you would need a Cloudflare origin certificate for each site.
The Page Rule method is also a “one and done” solution, since it should make your Let’s Encrypt HTTP-01 validation work as expected with the automated renewals.
So `.well-known` and `acme-challenge` are "standard" language for Let's Encrypt. Example site: https://touch-screen.us. I could insert a rule on that site in Cloudflare.
I'm testing your page rule with one of my GitHub Pages sites, not testing actual certificate renewal yet, just testing curl requests to `/.well-known/acme-challenge/` to see if it even behaves as expected, and it seems like it creates an infinite HTTP → HTTPS → HTTP redirect loop unless "Always Use HTTPS" is turned off for the entire domain. It seems like you can turn ON "Always Use HTTPS" via a page rule, but you can't turn it off via a rule? Basically HTTP forwards to HTTPS because of "Always Use HTTPS", but then HTTPS forwards back to HTTP, because the page rule is using SSL mode Off.
It only "works" if I turn off "Always Use HTTPS" for the entire domain, which I really don't want to do.
I've migrated about half of my GitHub Pages sites to Cloudflare Pages, a very easy process with some good features like the `_redirects` file and the automatic stripping of ".html" from URLs (an unpopular opinion apparently, but I like it). I might migrate the rest eventually, but I'm leery of putting too many eggs in one basket.
Good point. I handle all of my HTTP → HTTPS redirection at the origin and have an exception for the `.well-known/acme-challenge/` path in my origin configs, too. If that won't work for you, @craig.keefner, you may wind up needing to take the Cloudflare origin certificate route.
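The origin-side approach described in the post above, as an added example that is not from the original thread or from any hosting provider's configuration: an nginx server block that answers Let's Encrypt HTTP-01 challenges directly and redirects everything else to HTTPS itself, so Cloudflare's "Always Use HTTPS" can stay off and no "SSL Off" page rule is needed. The hostname `example.com`, the webroot `/var/www/acme` and the certificate paths are placeholder assumptions.

```nginx
# Added example (not from the thread): origin-side HTTP -> HTTPS redirect with an
# exception for ACME HTTP-01 validation. Hostname, webroot and certificate paths
# are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Let's Encrypt fetches http://<host>/.well-known/acme-challenge/<token>.
    # Serve that path as-is, with no redirect, so renewal works while the rest
    # of the site is still forced to HTTPS. "^~" makes this prefix win over
    # any regex locations that might otherwise match.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # e.g. certbot --webroot -w /var/www/acme
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is redirected to HTTPS at the origin, not at Cloudflare.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # The Let's Encrypt validator follows redirects to HTTPS, so also serving
    # the challenge directory here covers the case where a redirect happens
    # before the request reaches the HTTP block above.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        root /var/www/html;          # normal site content
    }
}
```

Two caveats for the proxied case. First, this only works with the Cloudflare SSL/TLS mode set to Full or Full (strict): in Flexible mode the edge connects to the origin over plain HTTP, and the origin's `return 301 https://...` would produce exactly the redirect loop discussed above. Second, check the config with `nginx -t` and exercise the challenge path with `certbot renew --dry-run` before relying on it, since a hosting provider's own renewal tooling (as in the WPE case in this thread) may not use this path at all.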
Yes, I just confirmed the need to turn off "Always Use HTTPS". But if I want a no-brainer then the CF cert seems the way to go for me. I'm guessing I need a separate certificate for each site (I have 12 or so sites). I'm sure there is some sort of FAQ explaining the procedure.
Thanks so much Epic for removing a bit of the mystery as to why things like this do work and don’t work.
Craig
Yes, with Cloudflare's "Origin Certificates" you'll need one for each domain. If you have multiple sites per domain using subdomains, they can use the same certificate because it should include a `*.example.com` wildcard.