Let’s Encrypt is a good choice for that, but you could use any other normal trusted CA, or the Cloudflare Origin CA, which issues certificates that are trusted by Cloudflare but not by browsers.
Nothing is going wrong; it’s just that we have been told that the “Let’s Encrypt” cert is due to finish, but when we try to renew we get an error right at the end.
“There was a problem installing the certificate. Please contact support for more information”
Support tells us that the cert will still work because we have Cloudflare SSL but I have to make sure.
It depends. If you visit the website over HTTPS and Cloudflare is configured with the “Full (Strict)” security setting, when your origin certificate ceases to be valid, the site will stop working, and Cloudflare will start returning an error page. If Cloudflare is configured with one of the less secure settings, it ought to continue working, I think.
But you should switch to “Full (strict)” so that the connection is secure from an active attacker. (Which would prevent your site from loading with an expired or otherwise invalid certificate.)
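A way to check this for yourself rather than taking support’s word for it, as an added example that is not part of the thread: connect straight to the origin server (the address Cloudflare’s edge connects to, bypassing the proxy) with SNI set to the site name, and let the local trust store judge the certificate the way “Full (strict)” would. The origin IP, hostname and port in the `__main__` block are placeholders you would replace with your own.

```python
"""Probe an origin's certificate directly and report which Cloudflare
origin-TLS modes would still reach the site.  Added example, not the
thread's or Cloudflare's code; ORIGIN_IP / HOSTNAME below are placeholders."""
import socket
import ssl

# OpenSSL X509 verify-result codes behind the usual "Full (strict)" failures.
EXPIRED = 10               # X509_V_ERR_CERT_HAS_EXPIRED
SELF_SIGNED = 18           # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
SELF_SIGNED_IN_CHAIN = 19  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
UNKNOWN_ISSUER = 20        # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
HOSTNAME_MISMATCH = 62     # X509_V_ERR_HOSTNAME_MISMATCH


def probe_origin(origin_ip, hostname, port=443, timeout=5):
    """TLS handshake straight to the origin (not through Cloudflare), with SNI
    set to the site name, validated against the local trust store.

    Returns (verify_code, message, cert_dict).  verify_code is None when the
    chain, hostname and validity period all check out; cert_dict is only
    filled in that case, because Python's ssl returns an empty dict for a
    peer it did not verify."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return None, "verified", tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return err.verify_code, err.verify_message, {}


def days_until_expiry(cert, now_ts):
    """Days left on a getpeercert()-style dict, measured from epoch time now_ts."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400


def mode_outcomes(verify_code):
    """Map a probe result onto Cloudflare's origin modes.

    Flexible:      Cloudflare talks plain HTTP to the origin; the cert is unused.
    Full:          encrypted, but any cert is accepted, expired or self-signed.
    Full (strict): needs an unexpired cert for the right hostname issued by a
                   public CA or by the Cloudflare Origin CA."""
    ok = verify_code is None
    # The Cloudflare Origin CA is not in ordinary trust stores, so "unknown
    # issuer" here can still pass Full (strict); flag it for a manual look
    # at the issuer instead of calling it a failure (assumption: flag only).
    return {
        "flexible": True,
        "full": True,
        "full_strict": ok,
        "full_strict_maybe_origin_ca": verify_code == UNKNOWN_ISSUER,
    }


def explain(verify_code, verify_message):
    """One-line human reading of the probe result."""
    if verify_code is None:
        return "origin cert verifies; Full (strict) will keep working"
    if verify_code == EXPIRED:
        return "origin cert expired; Full (strict) would return an error page, Full still works"
    if verify_code == UNKNOWN_ISSUER:
        return "issuer not in local store; fine for Full (strict) only if it is the Cloudflare Origin CA"
    if verify_code in (SELF_SIGNED, SELF_SIGNED_IN_CHAIN):
        return "self-signed origin cert; only Full / Flexible will work"
    if verify_code == HOSTNAME_MISMATCH:
        return "cert is for a different name; Full (strict) will fail"
    return f"verification failed ({verify_code}): {verify_message}"


if __name__ == "__main__":
    import time
    ORIGIN_IP = "203.0.113.10"       # placeholder: your origin's real address
    HOSTNAME = "sub.example.com"     # placeholder: the name Cloudflare serves
    code, msg, cert = probe_origin(ORIGIN_IP, HOSTNAME)
    print(explain(code, msg))
    print(mode_outcomes(code))
    if cert:
        print(f"{days_until_expiry(cert, time.time()):.1f} days until expiry")
```

Run it from somewhere that can reach the origin address directly; if the origin only accepts connections from Cloudflare’s IP ranges, run it on the origin host itself against its own address.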
Cheers, but that’s the problem… we can’t get the “Let’s Encrypt” cert to renew. Even support couldn’t do it.
We have the subdomain CNAME set as an alias of the Kajabi URL.
I am sure we need to pause Cloudflare, then set the nameservers from Cloudflare’s to our host’s, and then the certificate will renew. Then set everything back as it was.
Does that look like a reasonable course of action?
It’s getting off-topic for this forum, but why can’t it renew? It’s perfectly possible to use DNS-01 or HTTP-01 validation on a site.
If you want to go forward with figuring out the Let’s Encrypt problem, try posting on https://community.letsencrypt.org/. (Disclosure: I’m a moderator there.)
But you can also switch to the Cloudflare Origin CA, as mentioned above, or continue using the “Full” (non-strict) security setting with your soon-to-be-expired certificate.
Depending on what the problem is, pausing and switching the site to , or totally switching DNS providers, might solve it, but pausing Cloudflare may or may not be acceptable to you, and switching DNS providers is a lengthy and probably inconvenient process. Especially doing it every 2-3 months. There are sure to be far simpler options.