Let's Encrypt / Google Managed Certs Autorenewal

Our Google-managed and/or Let's Encrypt certs are not auto-renewing unless we turn off proxy for our domain, bdtrust.org. The domain is an enterprise account, I believe. Why should we need to disable proxy (even temporarily) in order to have a certificate finish provisioning and be validated? The subdomains are not too deep in this case: just tpi.bdtrust.org among many others.

If you have "Always Use HTTPS" enabled (and/or Full SSL, maybe), chances are the HTTP challenge Google is using (where it accesses http://example.com/.well-known/acme-challenge/...) is going to fail, since Cloudflare will be redirecting http -> HTTPS.

Unfortunately, the only fix for this that I know of is using the DNS challenge (if it's available; I don't think it is), or disabling "Always Use HTTPS" globally and either using a Page Rule to enable it selectively, or redirecting to HTTPS at your origin servers.
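A quick way to confirm the condition described in the reply above is to request the challenge path over plain HTTP without following redirects and see whether the edge answers it or bounces it to HTTPS. This is an added diagnostic written for this thread, not Cloudflare, Google or Let's Encrypt code; the token is a constructed placeholder and `probe()`/`classify()` are hypothetical helper names.

```python
"""Check whether an HTTP-01 challenge path is answered over port 80 or
redirected to HTTPS (the failure mode discussed in this thread)."""
import http.client
import sys
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "probe-token-not-a-real-challenge"  # constructed placeholder, not an ACME token


def classify(status, location):
    """Classify a non-followed response to GET http://host/.well-known/acme-challenge/<token>.

    Returns:
      "served-over-http"  - 2xx/4xx answered directly on port 80 (path reachable over HTTP)
      "redirect-to-https" - 3xx whose Location switches the scheme to https
      "redirect-other"    - 3xx to some other http URL (another host or path)
      "error"             - 5xx, or a 3xx with no Location header
    """
    if 300 <= status < 400:
        if not location:
            return "error"
        scheme = urlparse(location).scheme.lower()
        return "redirect-to-https" if scheme == "https" else "redirect-other"
    if 200 <= status < 500:
        return "served-over-http"
    return "error"


def probe(host, token=TOKEN, timeout=10):
    """Fetch the challenge path over plain HTTP; redirects are NOT followed,
    so we see exactly what the edge returns on the first hop."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, classify(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python acme_probe.py tpi.bdtrust.org other.example.org
    for hostname in sys.argv[1:]:
        code, verdict = probe(hostname)
        print(f"{hostname}: HTTP {code} -> {verdict}")
```

A verdict of "redirect-to-https" on the challenge path is the situation the reply attributes to "Always Use HTTPS"; "served-over-http" means the path is reachable over port 80 and the renewal problem lies elsewhere.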

