I have tried all modes, removed the domain from Cloudflare and added it back in and nothing works. If I pause Cloudflare, the site comes back up.
My Edge certificate still shows as Pending. It's been a few hours since I added the domain and I cannot see how to speed it up. But will this affect what's going on? https://snipboard.io/ksSxE1.jpg - See image for details. I can't see anything obviously wrong, except it has been saying Pending validation since I added the domain a few hours ago.
My hosting support team are telling me that Cloudflare is somehow still referring to an expired Let’s Encrypt certificate. Not sure how I can verify this. They are also suggesting I switch the nameservers to their servers for 24 hours and switch it back. Will this make a difference?
I came across a detail that might shed some light on what is happening here, @isifiso.clothing.
Can you look in your Cloudflare DNS to see if you have NS records created for _acme-challenge.theisifiso.com.?
It appears there is some Greengeeks documentation that suggests delegating _acme-challenge records to their nameservers. They may have written it with good intentions before Cloudflare was using Let’s Encrypt and DNS-01 challenges in their Universal SSL issuance, but following those guidelines will break your Cloudflare Universal SSL with absolute certainty.
I did have Cloudflare's nameservers in place before Greengeeks' support team instructed me to change it. They also asked me to disable proxy for the A record, which I did. And as you say, it's a wasted exercise as I knew the website works if you remove Cloudflare servers from the registry and disabling the proxy makes no visible difference. Anyway, I am at the mercy of people who know better - so have to jump through their hoops.
Within Cloudflare, these are my DNS settings:
I have repointed my Cloudflare nameservers now.
And I do have NS records for _acme-challenge in my DNS entries - see image above. Should I delete these? And yes, I can install the origin server certificate on my server.
But good news is that my website is up and running! Not sure how!
Now that my website is up, I realised I had a plugin on my WordPress website called Super Page Cache for Cloudflare. I have disabled this as I am worried it was clashing with Cloudflare's settings. I had added this to increase performance on the website a while ago.
I understand how it could feel that way when you have been trying random actions in the hope of finding one that worked.
The NS records that delegate your _acme-challenge record to the Greengeeks nameservers are at the heart of this specific issue. Greengeeks suggests that configuration so they can use a DNS-01 challenge to issue Let's Encrypt certificates for your origin. This conflicts with Cloudflare needing to do the same thing for your edge certificates.
Issuing a Cloudflare Origin CA origin certificate will prevent you from needing Let’s Encrypt on your origin. It will require you to keep the Cloudflare proxy active since it is only trusted by Cloudflare.
You have some other DNS entries that could stand some adjustment, but they are outside the scope of the topic at hand.
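As an added illustration of the check described in the reply above (example code, not from the thread or from Cloudflare), this script scans a BIND-style zone export, like the one the Cloudflare DNS dashboard lets you download, for NS records on the _acme-challenge label. The zone content, domain and nameserver hostnames are constructed placeholders.

```python
# Added example: flag _acme-challenge labels that are delegated away with NS
# records. Such a delegation sends the DNS-01 TXT lookups for that name to the
# delegated servers, so the TXT token Cloudflare publishes for Universal SSL
# validation is never seen by the validator and the edge certificate stays Pending.
import re

# Constructed sample export; domain and nameserver names are placeholders.
SAMPLE_ZONE = """\
;; NS records
_acme-challenge.example.com.\t300\tIN\tNS\tns1.hosting-provider.example.
_acme-challenge.example.com.\t300\tIN\tNS\tns2.hosting-provider.example.
;; A records
example.com.\t1\tIN\tA\t192.0.2.10
www.example.com.\t1\tIN\tA\t192.0.2.10
;; TXT records
_acme-challenge.example.com.\t1\tIN\tTXT\t"placeholder-token"
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def find_acme_delegations(text):
    """Owners of NS records at an _acme-challenge label, sorted and de-duplicated.
    Any hit means DNS-01 validation for the parent name is answered by the
    delegated nameservers, not by the zone's own provider."""
    return sorted({owner for owner, _, rtype, _ in parse_zone(text)
                   if rtype == "NS" and owner.startswith("_acme-challenge.")})


if __name__ == "__main__":
    for owner in find_acme_delegations(SAMPLE_ZONE):
        print(f"NS delegation at {owner} will block DNS-01 validation at the zone's provider")
```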