Disabling DNS Proxy in order to resolve SSL certificate issue

Hi there,

We had one of our sites go down due to SSL. The only way we could resolve this was to change the A record and CNAME from “Proxied” to “DNS Only”.

The site has been configured as “Proxied” for several years now without issues. Why do I now have to change to “DNS only”?

My Hosting provider creates the SSL cert and they told me the fix was to change CF to “DNS only”.

It’s great that it’s fixed, but I’m not confident it will last or that the same issue won’t affect another of our sites (that use “Proxied”) down the line.

Also, doesn’t moving to “DNS only” mean that there will be a performance hit?

Many thanks

Greetings,

Thank you for asking.

I am afraid this happens because, on the hosting provider’s interface, we have either cPanel, or Certbot, or Let’s Encrypt, etc.

However, Cloudflare’s Universal SSL also uses Let’s Encrypt and has the “hidden” TXT records to validate the request once it’s time to re-issue and renew it.

Some users have issues renewing their origin SSL certificate with AutoSSL on cPanel, as that wasn’t possible because the “Always Use HTTPS” option was enabled at Cloudflare.

Nevertheless, the quick fix and the best-case scenario when renewing your SSL certificate is to temporarily either switch the proxied :orange: DNS records to unproxied :grey: (DNS-only), or use the “Pause Cloudflare for this site” option. Once the renewal has completed successfully, switch them back or un-pause.

It might be that the “Always Use HTTPS” option is the trick even with a proxied :orange: DNS record :thinking:, because the renewal process (ACME, LE, Certbot…) works over HTTP requests (and with that option enabled, it just cannot reach the origin over HTTP via the HTTP-DNS validation process).

I am using Acme with the www-root method for that.
Here is a useful article about it:

To conclude, to resolve this error, you would need to disable “Always Use HTTPS” in Cloudflare. This option is in the Edge Certificates tab of the Cloudflare SSL/TLS tab. Once disabled, you can then renew your certificate. After you have replaced the SSL certificate, you may re-enable the option if you wish.

Additionally, you may need to disable the “Automatic HTTPS Rewrites” on this same page.

Otherwise, I’d suggest you use a Cloudflare Origin CA certificate:
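The renewal flow the reply above describes depends on one thing: the ACME validator must be able to fetch http://your-host/.well-known/acme-challenge/<token> and get the token back. The following preflight check is an added example, not code from the thread, from Cloudflare or from acme.sh. It requests the challenge path over plain HTTP without following redirects and classifies what comes back, so you can see before (and after) toggling “Always Use HTTPS” or the :orange:/:grey: switch whether the HTTP path is actually open. The hostname `example.com`, the token and the local mock “edge” that imitates the redirect are constructed for illustration; point `probe()` at a real host (or at the origin IP via `connect_to`) to check a real site.

```python
"""Preflight check for ACME HTTP-01 renewal behind a proxy that may force HTTPS.

Added example (not from the original thread). The hostname, token and the
local mock server below are constructed so the script runs offline.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify(status, location, body, token):
    """Map one un-followed HTTP response to a verdict for the HTTP-01 path.

    'ok'            : token served directly over plain HTTP, renewal can proceed
    'redirect_https': 3xx to an https:// URL, the symptom of "Always Use HTTPS";
                      the validator follows it, so renewal now depends on the
                      HTTPS side (edge cert, origin cert) being healthy, which is
                      exactly what is broken once the certificate has expired
    'redirect_other': 3xx elsewhere (a www rewrite, a page rule, ...)
    'not_found'     : 404, wrong webroot or the token file was never written
    'wrong_body'    : 200 but not the token (catch-all or maintenance page)
    'unexpected'    : anything else (5xx from the origin, 403, ...)
    """
    if 300 <= status < 400:
        scheme = urlsplit(location or "").scheme.lower()
        return "redirect_https" if scheme == "https" else "redirect_other"
    if status == 404:
        return "not_found"
    if status == 200:
        return "ok" if body.strip() == token else "wrong_body"
    return "unexpected"


def probe(host, token, connect_to=None, port=80, timeout=5.0):
    """GET the challenge URL over plain HTTP and do NOT follow redirects.

    connect_to bypasses DNS: use the origin IP to compare the origin's answer
    with what the proxy returns, or 127.0.0.1 for the mock below.
    """
    conn = http.client.HTTPConnection(connect_to or host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return classify(resp.status, resp.getheader("Location"), body, token)
    finally:
        conn.close()


class _MockEdge(BaseHTTPRequestHandler):
    """Constructed stand-in for the proxy edge; 'mode' selects its behaviour."""
    mode = "serve"
    token = ""

    def do_GET(self):
        if self.mode == "force_https":  # what "Always Use HTTPS" looks like
            self.send_response(301)
            self.send_header("Location", "https://" + self.headers["Host"] + self.path)
            self.end_headers()
        elif self.mode == "serve" and self.path == CHALLENGE_PREFIX + self.token:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(self.token.encode())
        else:  # token file missing from the webroot
            self.send_response(404)
            self.end_headers()

    def log_message(self, *_):
        pass


def _serve(mode, token):
    handler = type("Edge", (_MockEdge,), {"mode": mode, "token": token})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe three constructed edge behaviours; returns {mode: verdict}."""
    token = secrets.token_urlsafe(32)  # shape of a real ACME token, constructed
    results = {}
    for mode in ("serve", "force_https", "missing"):
        srv = _serve(mode, token)
        try:
            results[mode] = probe("example.com", token,
                                  connect_to="127.0.0.1", port=srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, verdict in run_demo().items():
        print(f"{mode:12s} -> {verdict}")
```

Run it once with `connect_to` set to the origin’s IP and once through the proxied hostname: if the origin answers `ok` but the proxied name answers `redirect_https`, the redirect is being added at the edge, which is the case the reply above solves by disabling “Always Use HTTPS” (or going :grey:) for the duration of the renewal.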
