sdayman
December 30, 2021, 4:38am
2
For ACM, you have to specify the hostnames, which may include a wildcard. You can also choose the CA for it: either Let’s Encrypt or DigiCert (the CA for “Cloudflare” certs).
I’ve had cases where legacy TLS has become active. A support ticket indicated to drop the minimum TLS and raise it again to redeploy if this happens. (Turn it off and on again!)
Even with minimum TLS set to TLS v1.2 there are some ciphers that would be considered weak. I use ACM with this API call to disable ciphers I don’t need:
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zoneid}/settings/ciphers" -H "X-Auth-Email: ${auth_email}" -H "X-Auth-Key: ${auth_key}" -H "Content-Ty…
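An added example, not code from sdayman’s post, that turns the cipher PATCH call above into a small script: it builds the `{"value":[...]}` body the ciphers setting takes, authenticates with a scoped API token (falling back to the X-Auth-Email/X-Auth-Key headers the post uses), reads the current setting back before and after, and only PATCHes when `APPLY=1` is set. The environment variable names, the `DRY_RUN` switch and the particular allow-list are my assumptions; the cipher names are the OpenSSL-style names Cloudflare documents for this setting.

```shell
#!/bin/sh
# Added example, not code from the original post. Restrict a Cloudflare zone's
# TLS 1.2 cipher list through the same zone-settings endpoint the post PATCHes.
# Assumed environment (names are mine):
#   ZONE_ID        the zone to change
#   CF_API_TOKEN   scoped API token that may edit zone settings (preferred), or
#   AUTH_EMAIL + AUTH_KEY   the global-key headers used in the post
#   APPLY=1        actually PATCH; default is read-only
#   DRY_RUN=1      print the curl commands instead of running them
set -eu

API='https://api.cloudflare.com/client/v4'

# Forward-secret AEAD suites only (ECDHE + GCM or ChaCha20-Poly1305), using the
# OpenSSL-style names Cloudflare documents for this setting. Cloudflare does not
# let you restrict TLS 1.3 suites; those stay enabled regardless of this list.
STRONG_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305'

# Build the request body the setting expects: {"value":["...","..."]}.
# No arguments gives {"value":[]}, which per Cloudflare's docs resets the zone
# to the default cipher list.
cipher_json() {
  json='{"value":['
  sep=''
  for c in "$@"; do
    json="${json}${sep}\"${c}\""
    sep=','
  done
  printf '%s]}' "$json"
}

# cf_request METHOD PATH [JSON_BODY]
# Token auth if CF_API_TOKEN is set, otherwise the X-Auth-* headers. With
# DRY_RUN=1 the command is printed (secrets included) rather than executed.
cf_request() {
  method=$1; path=$2; body=${3:-}
  if [ -n "${CF_API_TOKEN:-}" ]; then
    set -- -H "Authorization: Bearer ${CF_API_TOKEN}"
  else
    set -- -H "X-Auth-Email: ${AUTH_EMAIL}" -H "X-Auth-Key: ${AUTH_KEY}"
  fi
  if [ -n "$body" ]; then
    set -- "$@" -H 'Content-Type: application/json' --data "$body"
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'curl -sS -X %s %s%s' "$method" "$API" "$path"
    for a in "$@"; do printf " '%s'" "$a"; done
    printf '\n'
  else
    curl -sS -X "$method" "${API}${path}" "$@"
  fi
}

# Cheap check of the API's JSON envelope without jq: look for "success":true.
api_ok() {
  case "$1" in
    *'"success":true'*|*'"success": true'*) return 0 ;;
  esac
  return 1
}

ciphers_path() { printf '/zones/%s/settings/ciphers' "$ZONE_ID"; }
show_ciphers()  { cf_request GET "$(ciphers_path)"; }
set_ciphers()   { cf_request PATCH "$(ciphers_path)" "$(cipher_json "$@")"; }

main() {
  echo 'Current ciphers setting:'
  show_ciphers
  echo
  if [ "${APPLY:-0}" = 1 ]; then
    # shellcheck disable=SC2086  # word-splitting the list is intended
    resp=$(set_ciphers $STRONG_CIPHERS)
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$resp"
    else
      api_ok "$resp" || { echo "PATCH failed: $resp" >&2; exit 1; }
      echo 'Applied. Re-read from the API:'
      show_ciphers
      echo
    fi
  fi
}

# Only touch the API when a zone is named, so the file can be sourced for its
# functions without side effects.
if [ -n "${ZONE_ID:-}" ]; then main; fi
```

Run it as `ZONE_ID=... CF_API_TOKEN=... sh cf-ciphers.sh` to see the current list; add `APPLY=1` to change it, and `DRY_RUN=1` first if you want to eyeball the exact requests (the printed commands contain your credentials, so don’t paste them anywhere). Re-reading the setting after the PATCH is the check that matters: the API returning `"success":true` tells you the request was accepted, the GET tells you what the edge actually has.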