We have Wordpress running on Amazon Lightsail, with a Let’s Encrypt SSL. We also have a Cloudflare Pro plan, and our SSL/TLS is set to strict.
I keep running into an issue where the Lightsail Let’s Encrypt SSL can’t auto-renew, because once I turn on Cloudflare’s proxying, the Lightsail instance no longer sees its public IP when Let’s Encrypt tries to check for it, so I get emails about it expiring.
Also, it doesn’t seem needed to have redundant SSLs. I’m sure there is a better configuration.
Can someone explain what my ideal setup would be in this scenario? I end up having to turn off Cloudflare proxying, log into the Lightsail instance, renew the SSLs manually, and turn proxying back on to have things work… if I let the Lightsail Let’s Encrypt SSLs lapse, the Wordpress instance starts to have issues, and if I don’t run proxying through Cloudflare I miss out on the optimizations and DDoS protection.
They are not redundant. Without certificates everywhere you cannot have end-to-end encryption.
This issue seems to happen with the Bitnami Acme client. You will have the same issue with any proxy server, or if your server has IPv6, so it was not exactly designed for the modern web.
The easiest solution would be to replace the Let’s Encrypt certificate with a Cloudflare Origin CA Certificate. This will work perfectly provided that your server is only being accessed when proxied by Cloudflare. This is a one-time process, and does not require periodic updating (not within the expected life of a web server!)
You can configure a Page Rule or, even better, you can create a Cache Rule and a Configuration Rule that will allow Let’s Encrypt HTTP-01 validation to work properly.
The following includes some topics that have more details.
I think the issue is that the Bitnami client does a DNS lookup, and if the public DNS does not match the local IP it will not work. So once the site is proxied it will always break.
If you are using the HTTP-01 challenge for Let’s Encrypt the following rules should help.
Cache Rules:
  ACME Challenge
    (starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
    Cache status: Bypass cache

Configuration Rules:
  ACME Challenge
    (starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
    Automatic HTTPS Rewrites: Off
    Browser Integrity Check: Off
    Opportunistic Encryption: Off
    Security Level: Essentially Off
    SSL: Off
Be aware that the site level Cloudflare setting to always use HTTPS will interfere with these rules and needs to be disabled. You can use an additional configuration rule to create that redirect. See the configuration rules documentation for more detail. It is also important that your Bitnami server doesn’t redirect HTTP requests to the /.well-known/acme-challenge/ path to HTTPS. It shouldn’t. You can test using Let’s Debug.
The Lego ACME client (mentioned in the Bitnami documentation) has DNS-01 support for Cloudflare. If you can use that method instead of HTTP-01, it is the better option, since you wouldn’t need to adjust your Cloudflare settings. The ALPN-01 method is not an option when using Cloudflare.
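To check whether the HTTP-01 path is actually reachable the way the rules above intend, here is a small probe script. It is an added example, not code from the thread or from Bitnami/Cloudflare: it requests http://HOST/.well-known/acme-challenge/TOKEN over plain HTTP without following redirects, then reports the conditions the reply calls out (an HTTP-to-HTTPS redirect from "Always Use HTTPS" or the origin, a cached response, a 403/503 from a Cloudflare security feature). The host, the token and the status/header heuristics are this example's assumptions; the `server: cloudflare` and `cf-cache-status` headers are the ones Cloudflare adds to proxied responses.

```python
"""Probe a site's ACME HTTP-01 challenge path through Cloudflare.

Added example (not from the original thread). Run as:
    python acme_probe.py example.com
A 404 is the expected answer when no challenge is in progress; what we
want to rule out is a redirect, a cache hit, or a Cloudflare block page.
"""
import http.client
import sys

ACME_PREFIX = "/.well-known/acme-challenge/"


def diagnose(status, headers):
    """Classify one plain-HTTP response to the ACME challenge path.

    `headers` maps lower-cased header names to values. Returns a list of
    findings, each starting with a short tag; an empty list means nothing in
    the response would stop an HTTP-01 validation. The "not-proxied" finding
    is informational only. The status/header heuristics are this example's
    assumptions, not documented Cloudflare behaviour.
    """
    findings = []

    location = headers.get("location", "")
    if 300 <= status < 400:
        if location.lower().startswith("https://"):
            findings.append(
                "redirect-to-https: the ACME path is being sent to HTTPS; "
                "turn off the site-level Always Use HTTPS (re-create it with "
                "a Configuration Rule) and make sure the origin does not "
                "redirect this path")
        else:
            findings.append(
                f"redirect: to {location!r}; the ACME path must answer directly")

    cache = headers.get("cf-cache-status", "").upper()
    if cache and cache not in ("BYPASS", "DYNAMIC"):
        findings.append(
            f"cached: cf-cache-status is {cache}; the Cache Rule should set "
            "Bypass cache for the ACME path so a stale token is never served")

    via_cloudflare = headers.get("server", "").lower() == "cloudflare"
    if not via_cloudflare:
        findings.append(
            "not-proxied: no 'server: cloudflare' header, so this request did "
            "not go through Cloudflare (DNS record not proxied?); the rules "
            "are irrelevant while the origin is reached directly")
    elif status in (403, 503):
        findings.append(
            f"blocked: Cloudflare answered {status}; a security feature such "
            "as Browser Integrity Check or the Security Level is likely "
            "intercepting the request; the Configuration Rule should turn "
            "them off for this path")
    return findings


def probe(host, token="acme-probe", timeout=10):
    """GET http://<host>/.well-known/acme-challenge/<token> without following
    redirects; return (status, dict of lower-cased headers)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token,
                     headers={"User-Agent": "acme-path-probe/1.0"})
        resp = conn.getresponse()
        resp.read()  # drain the body; only status and headers matter here
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    # "example.com" is a placeholder; pass your own proxied hostname.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    status, headers = probe(host)
    print(f"HTTP {status} for http://{host}{ACME_PREFIX}acme-probe")
    for line in diagnose(status, headers) or ["ok: nothing here would block HTTP-01"]:
        print(" -", line)
```

Note that Let's Encrypt's validator sends its own User-Agent and comes from its own IP ranges, so a clean result from this probe is necessary but not sufficient; Let's Debug, mentioned above, exercises the path the way the CA does.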
I have not been able to pull this off successfully. Is this worth a $100 contractor/freelancer fee to help set this up for me? I just don’t touch these components enough to know the variables.
Got it, seemed like something that could be knocked out in 30 minutes of screen sharing on Zoom, spin up some other non critical domain eventually to slowly learn the things you’ve suggested. Thank you