Cloudflare proxied not working with certbot installed on server

I’m using a few subdomains to point to my EC2 server.

The server is using nginx and hosts a few other domains as well, which are not on Cloudflare.

To enable SSL on the domains not served via Cloudflare, I’m using Let's Encrypt for those domains, and the SSL certificate is configured in the nginx config file for each domain.

The domain proxied via Cloudflare has no SSL installed using Let's Encrypt, but it is not working and gives a 522 response.

After removing it from the Cloudflare proxy, it works fine (without SSL).

This depends on the SSL mode, defined in the “SSL/TLS” tab of your CF dashboard. If SSL mode is set to Full or Full Strict, CF will connect to your origin servers via HTTPS / port 443. If it’s set to Flexible, it connects over plain HTTP / port 80.

If you need to have one domain connect over HTTPS and one over HTTP, you can set up a page rule (matching sub.example.com/*) with an option to change the SSL mode.

I want all domains to be on HTTPS.

In my case, it is not working (both HTTP and HTTPS) if the domain is proxied via Cloudflare. Removing it from the Cloudflare proxy works on HTTP, because no SSL is installed on the server either, and it even works on HTTPS with an SSL warning in the browser.

If your server does not support HTTPS, you’ll need to set the SSL mode to Flexible in the dashboard.

Maybe I’m not able to communicate this properly.

My server supports both HTTPS and HTTP. I want to use HTTPS only.

My server (AWS EC2) has Let's Encrypt installed to add SSL to other domains which are not proxied through Cloudflare.

Say I have two domains:

example.com
exmp.le

example.com is not set up on Cloudflare, hence I am using Let's Encrypt to generate SSL for that domain.
exmp.le is set up on Cloudflare, hence I want to use the SSL provided by Cloudflare, and for that I have proxied the exmp.le A record.

But neither https://exmp.le nor http://exmp.le is working; both give the Cloudflare error page with a 522 error.

  1. When I remove the proxy, it works fine.
  2. When I remove Let's Encrypt from the server, it works fine with Cloudflare-proxied SSL.

Cloudflare is not working when Let's Encrypt is installed on the server and the DNS is proxied.

I tried the following in the SSL/TLS config with the proxy enabled:

  1. Turn off SSL completely
  2. Set to Flexible mode
  3. Set to Full mode

None of them loads the address when the domain is proxied.

In general, Let’s Encrypt uses HTTP to start the verification process (assuming you are using HTTP-01; obviously, if you are using DNS or some other option, then this doesn’t apply at all).

You shouldn’t have any issues passing the request through Cloudflare, and your TLS mode/settings don’t much matter. However, Cloudflare’s “Always Use HTTPS” should be turned off (either site-wide, or maybe via a page rule applying to /.well-known/acme-challenge/*), or you can configure your webserver to answer the challenge on ports 80 and 443 (in which case Always Use HTTPS won’t hurt you, as the Let’s Encrypt validation will follow redirections from HTTP to HTTPS).

Also consider whether you have any additional security settings that could be a factor. Under Attack mode? Stronger filtering or anything attempting to block bots? Anything on your server that could be confused by IPv6 addresses in the header fields?

But there is no particular reason these requests can’t pass through Cloudflare; I use this configuration myself with Let’s Encrypt on my servers.
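As an added illustration of the layout the last reply describes (the challenge answered on both port 80 and port 443 for the proxied host, alongside a non-proxied host with its own Let's Encrypt certificate), here is an nginx configuration for the two hostnames used in this thread; it is not configuration posted by anyone above. The certificate paths, the certbot webroot and the document roots are assumptions.

```nginx
# Added example, not the thread's own configuration. Hostnames are the ones
# used above; certificate paths, webroot and document roots are assumed.

# example.com: reached directly (not proxied), Let's Encrypt certificate.
server {
    listen 80;
    server_name example.com;
    # Keep the challenge path on plain HTTP; redirect everything else.
    location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/example.com;
}

# exmp.le: proxied through Cloudflare. Cloudflare connects to port 80 in
# Flexible mode and to port 443 in Full / Full (strict) mode, so the origin
# listens on both, and the ACME challenge is served on both as well so the
# validation succeeds even when "Always Use HTTPS" redirects it.
server {
    listen 80;
    listen 443 ssl;
    server_name exmp.le;

    # Certificate for the Cloudflare-to-origin hop. "Full" accepts any
    # certificate; "Full (strict)" requires one Cloudflare can validate,
    # e.g. a Let's Encrypt certificate issued via the challenge path below.
    ssl_certificate     /etc/letsencrypt/live/exmp.le/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/exmp.le/privkey.pem;

    # Certbot's webroot plugin writes the HTTP-01 token files here.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Intentionally no unconditional 80 -> 443 redirect on this host: in
    # Flexible mode Cloudflare always arrives on port 80, and a redirect
    # would loop. Let Cloudflare's own "Always Use HTTPS" handle visitors.
    location / {
        root /var/www/exmp.le;
    }
}
```

With this layout, `certbot certonly --webroot -w /var/www/letsencrypt -d exmp.le` can be run while the record stays proxied, since the token is reachable on either port.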