Help needed on Origin Cloudflare CA + SSL Full Strict

Hello, security community,

Cloudflare has one main problem for us with Origin Cloudflare CA certificates, which you install on your host and then set SSL to Full (Strict).

The problem is when you need to do development and switch to Development Mode or disable CF: Chrome, and also anti-virus software, will block the website because of the CF certificate.

It means that for development we always have to delete the CF certificate, install a Let’s Encrypt certificate, do the development, and after the development is finished install the Cloudflare CA certificate again and set SSL to Full (Strict).

That’s very annoying, imho, and I did not see any solution in the Cloudflare forum.

Some might argue: What about free Let’s Encrypt SSL? It is available on many hosting providers and is automatically renewed after 6 months. So once you enable it, it will continue to work for free, without manual renewal.

Unfortunately, it does not work.

Let’s Encrypt only allows automatic renewal when the DNS lookup reveals the host IP.
Since Cloudflare does not reveal the host IP, Let’s Encrypt will not automatically renew when Cloudflare is active.

Moreover, you cannot renew manually when Cloudflare is active. Doing a CSR does not help either. With all of the options above you will land in redirect loops (ERR_TOO_MANY_REDIRECTS) because of HTTPS > HTTP loops once a certificate has expired (on SSL mode Full).

So - has anyone faced this problem? And how could it be solved?
I would like to keep the Origin Cloudflare CA certificate and Full (Strict) SSL, but once Dev mode is needed this solution fails because Chrome and other browsers, as well as anti-virus software, will block access to the websites using the Origin Cloudflare CA.

Thank you for reading this long description; I hope you have an idea.

I use the origin certificate, but I can sympathize with the issue when you need to bypass Cloudflare.

Let’s Encrypt also offers DNS-01, which can tie into the Cloudflare API to add a verification DNS record.

The ideal solution for you sounds like getting LE to renew when the hostname is :orange:. I have seen people on the forums talking about disabling the CF proxy during the renewal, and that is both unwise, and unnecessary.

Assuming you want to get to the following setup:
:orange:
SSL Mode Full (Strict)
Always Use HTTPS On

The only issue you will have with LE certs is on the first cert issue. As you will not (yet) have a valid cert on the origin, the connection from CF to the Origin will be broken.

In your case, it sounds like you have a LE cert on the origin, so the first cert issue will not happen.

As a test, can you create a file on your webserver, something like ~/webroot/.well-known/acme-authentication/communitytest, and then request it using the following command:

curl http://www.example.com/.well-known/acme-authentication/communitytest -L --silent -w "%{url_effective}"

You should end up with the content of your file, and the url_effective should be https://. This test attempts to make sure that a validation request by LE will actually end up on your server in the place you expect.

Recommended every 60 days, with a maximum of 90 days. After that the old cert will have expired.

I prefer DNS-01; it eliminates any issues with LB clusters, private servers, etc.


Does that mean that I could register LE in a way that I can use it for SSL Strict?

How do I solve the problem that LE will not automatically renew because the host IP is hidden by Cloudflare?

Hi Michael,

I had LE on the origin, but it expired and did not renew because the host IP is hidden by CF. This leads to the page being inaccessible (ERR_TOO_MANY_REDIRECTS). The only solution is to manually disable CF, renew LE, and enable CF again. This will also ensure that the website keeps working during development with CF disabled.

For me it is too complicated; that’s why I now use the 15-year CF Origin CA. But this leads to the other problem: when I switch to Development Mode and disable CF, all browsers and anti-virus software will also make it inaccessible (ERR_CERT_AUTHORITY_INVALID).

So currently I do not know what solutions are out there to prevent these issues.

Michael mentioned the “Always Use HTTPS” option, which you’ve probably enabled. You could try disabling that to avoid the HTTP/S redirect loop.

Perhaps he can just create a page rule to disable Always use HTTPS for URLs starting with www.example.com/.well-known?


It looks like Page Rules only lets you enable Always Use HTTPS. There’s no bypass for that one. This makes me think that Always Use HTTPS triggers before Page Rules.


You are correct. I almost forgot about the limitations.

Tried that; it did not help, but it could be influenced by other settings on the server / CMS.

This does not matter. Let’s Encrypt really doesn’t care what the host IP address is (they might care once they support issuing certs for IP addresses, but not yet).

Let’s Encrypt starts the HTTP-01 validation by making an HTTP request to http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. They will follow up to 10 standard redirects until they get the file. So you can redirect to https://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> using Always Use HTTPS, followed by a further redirect to https://www.<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> if you have a page rule to do that.

I suggested a test earlier. Are you able to try that test? I’m assuming you have Always Use HTTPS enabled, SSL Mode is Full or Full Strict, and the hostname is :orange: .

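The curl test suggested earlier and the HTTP-01 redirect rules described above, written out as a small reachability checker. This is an added example, not code from the thread: it follows redirects the way the validator does (at most 10), insists that the final URL is https and that the body is the expected token, and reports the HTTPS > HTTP loop case. The `fetch_behind_cloudflare` and `fetch_with_expired_origin` functions are constructed stand-ins for a zone with Always Use HTTPS and an apex-to-www page rule; `fetch_live` does a real request when you want to run it against your own hostname.

```python
from urllib.parse import urlsplit, urljoin
import urllib.request, urllib.error

TOKEN = "communitytest"                          # constructed challenge token
CHALLENGE = f"/.well-known/acme-challenge/{TOKEN}"
REDIRECTS = (301, 302, 307, 308)

def fetch_behind_cloudflare(url):
    """Constructed model: proxied hostname, Always Use HTTPS on, page rule apex -> www."""
    p = urlsplit(url)
    if p.scheme == "http":                                    # Always Use HTTPS
        return 301, f"https://{p.netloc}{p.path}", ""
    if p.netloc == "example.com":                             # page rule apex -> www
        return 301, f"https://www.example.com{p.path}", ""
    if p.path == CHALLENGE:                                   # origin serves the file
        return 200, None, TOKEN + "\n"
    return 404, None, ""

def fetch_with_expired_origin(url):
    """Constructed model of the thread's failure: the CMS bounces HTTPS back to HTTP."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, f"https://{p.netloc}{p.path}", ""
    return 302, f"http://{p.netloc}{p.path}", ""

def fetch_live(url, timeout=10):
    """Real fetch with redirects disabled, so each hop is visible to the checker."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        return err.code, urljoin(url, loc) if loc else None, ""

def check_http01_path(fetch, url, expected_body, max_redirects=10):
    """Return (ok, reason, final_url, hops), mirroring what curl -L -w %{url_effective} shows."""
    hops = 0
    while True:
        status, location, body = fetch(url)
        if status in REDIRECTS and location:
            hops += 1
            if hops > max_redirects:                          # validator gives up here
                return False, "too many redirects (loop?)", url, hops
            url = location
            continue
        if status != 200:
            return False, f"status {status}", url, hops
        if body.strip() != expected_body:
            return False, "body mismatch", url, hops
        if urlsplit(url).scheme != "https":
            return False, "final URL is not https", url, hops
        return True, "ok", url, hops
```

Run it against your own zone with `check_http01_path(fetch_live, "http://www.<YOUR_DOMAIN>" + CHALLENGE, TOKEN)` after placing the token file on the origin.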

I checked back with my hoster about this:

https://www.flynsarmy.com/2020/10/renewing-ssl-certificates-behind-cloudflare/

https://support.cloudways.com/fix-issue-of-lets-encrypt-ssl-certificate-not-renewing-automatically/

I’m just unlucky. The hoster is doing the renewal of LE with their own system, so I cannot fix the problem with the workaround mentioned above.

Any other ideas?
