Let's Encrypt

ian2 · 2017-10-09 23:16:26 UTC

Hi,
Our “Let’s Encrypt” cert is up for renewal soon but it’s proving hard to do because we have the subdomain going through cloudflare.

My question is: do we need “Let’s Encrypt” if we have the subdomain as a CNAME on cloudflare?

This is the redout from .sslshopper.com:
"
Server Type: cloudflare-nginx

The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

The certificate was issued by Comodo. Write review of Comodo

The certificate will expire in 180 days. Remind me

The hostname (our subdomain ) is correctly listed in the certificate.
"
Thanks for any help you can give.

mnordhoff · 2017-10-10 00:53:07 UTC

It depends.

The Comodo certificate (well, Cloudflare uses other CAs too) protects the connection between visitors to your website and Cloudflare.

You should also use a certificate to protect the connection between Cloudflare and your origin server. (You don’t have to, but it’s insecure not to.)

Let’s Encrypt is a good choice for that, but you could use any other normal trusted CA, or the Cloudflare Origin CA, which issues certificates that are trusted by Cloudflare but not by browsers.

Let’s Encrypt TLS-SNI-01 validation won’t work for sites, but DNS-01 and HTTP-01 will.

I guess the question is whether it’s easier to fix Let’s Encrypt renewal, or to switch to the Cloudflare Origin CA, and what you’d prefer to do.

What’s going wrong with Let’s Encrypt?

ian2 · 2017-10-10 01:13:41 UTC

Hi mnordhoff and thanks for the reply,

Nothing is going wrong it’s just that we have been told that the “let’s Encrypt” cert is due to finish but when we try to renew we get an error right at the end.

“There was a problem installing the certificate. Please contact support for more information”

Support tells us that the cert will still work because we have Cloudflare SSL but I have to make sure.

Let’s Encrypt runs out in 3 days

mnordhoff · 2017-10-10 01:34:09 UTC

It depends. If you visit the website over HTTPS and Cloudflare is configured with the “Full (Strict)” security setting, when your origin certificate ceases to be valid, the site will stop working, and Cloudflare will start returning an error page. If Cloudflare is configured with one of the less secure settings, it ought to continue working, i think.

andy · 2017-10-10 01:40:02 UTC

In addition to the articles @mnordhoff linked, I think this image illustrates the differences between the SSL options pretty well.

Basically if you want SSL all the way to your origin server, and you’re utilizing Cloudflare, you will need to install the on your origin server.

ian2 · 2017-10-10 09:32:12 UTC

We have the setting on Full but not strict. Do you think that the site will work like that?

mnordhoff · 2017-10-10 10:04:59 UTC

I believe so.

But you should switch to “Full (strict)” so that the connection is secure from an active attacker. (Which would prevent your site from loading with an expired or otherwise invalid certificate.)

ian2 · 2017-10-10 11:47:45 UTC

Cheers but that’s the problem… we can’t get the “Let’s encrypt” to renew. Even support couldn’t do it.

We have the subdomain CNAME set as an alias of kajabi url.

I am sure we need to pause Cloudflare then set the nameservers from cloudflares to out hosts and then the certificate will renew. Then set everything back as it was .

Does that look like a reasonable course of action?

mnordhoff · 2017-10-10 12:34:29 UTC

It’s getting off-topic for this forum, but why can’t it renew? It’s perfectly possible to use DNS-01 or HTTP-01 validation on an site.

If you want to go forward with figuring out the Let’s Encrypt problem, try posting on https://community.letsencrypt.org/. (Disclosure: I’m a moderator there.)

But you can also switch to the Cloudflare Origin CA, as mentioned above, or continue using the “Full” (non-strict) security setting with your soon-to-be-expired certificate.

Depending on what the problem is, pausing and switching the site to , or totally switching DNS providers, might solve it, but pausing Cloudflare may or may not be acceptable to you, and switching DNS providers is a lengthy and probably inconvenient process. Especially doing it every 2-3 months. There are sure to be far simpler options.

ian2 · 2017-10-10 12:38:22 UTC

Hi mnordhoff,
Thank for the reply. I’ll post on the link you provide.

Just found out we need the Full setting to use Kajabi.

Cheers.
See you on the other post.

ryan · 2017-10-10 18:52:23 UTC

Great thread and super helpful. Kudos to @mnordhoff and @andy for their assistance.