LetsEncrypt http validation for origin on domain using strict ssl


I am having some issues with our http-01 validation on the origin server. The HTTP URL gets redirected to HTTPS, and because of that the validation is failing for the rotation of our certificate on the origin server.

We have set the SSL encryption mode to full and have a valid SSL cert on the origin, which is working.

I’ve already disabled the “Always Use HTTPS” option on the Edge Certificates page, which was suggested on this forum. However, we do need this option, and it has also been suggested on this forum to use Page Rules to achieve the same result.

I am now trying to create Page Rules that redirect HTTP to HTTPS for all URLs except the URLs used by the http-01 validation. However, I have not been able to pull this off.

I have the following rules at the moment:

1. http://my-domain/.well-known/acme-challenge/*
   SSL: Off

2. http://*.mydomain/*
   Always Use HTTPS

I’ve tried using the full acme-challenge URL instead of the wildcard, tried changing the order, and tried disabling apps on the acme-challenge endpoints, but I haven’t been successful yet.

There is always the option to go towards DNS validation, but we really have a preference for keeping the HTTP validation.

How should I solve this?

Have you tried switching from orange cloud (proxied) to grey cloud (DNS only) for the A records @ and www of your domain, enabling “Development mode” and, just in case, purging the cache in the Cloudflare dashboard?

And hopefully you do not have security blocking for “dot” files and “deny options” at your origin, or at least turn it off temporarily, because I believe renewal would also fail if so (at least it was an issue for me with the security setup in the Nginx vhost file: I got 403/404 errors due to custom security rules and blocking added at the origin).

As long as I use an LE certificate (via acme.sh) for my website, I always do it that way so I can renew my LE certificate.

Otherwise, it cannot be renewed for a website proxied via Cloudflare.

There were some posts where people suggested to bypass the part /.well-known/acme-challenge/* with Page rules somehow.
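Before touching more Page Rules it helps to see exactly what the challenge path returns over plain HTTP: a 301/302 to HTTPS (the redirect described in the opening post) looks very different from the 403/404 an origin produces when it blocks dot-directories, as mentioned in the reply above. The script below is an added example written for this thread, not code from the original posts, from Let's Encrypt or from Cloudflare. It GETs `http://<host>/.well-known/acme-challenge/<token>` without following redirects and classifies the response; the hostname, token and optional webroot path are assumptions you replace with your own.

```python
"""Preflight check for ACME http-01: is the challenge path served over plain HTTP?

Added example for this thread; not the original poster's or Cloudflare's code.
Host, webroot and token below are placeholders (assumptions).
"""
import secrets
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib surfaces the 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_no_redirect(url, timeout=10):
    """GET url and return (status, headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here; err still carries headers and body
        return err.code, dict(err.headers or {}), err.read()


def classify(status, headers, body, expected_token):
    """Map a raw response to a verdict a practitioner can act on.

    Returns (verdict, detail). Header names are compared case-insensitively
    because proxies and origins differ in how they case them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        target = lower.get("location", "")
        if urlparse(target).scheme == "https":
            return "redirect-https", f"HTTP {status} to {target}: plain HTTP is being forced to HTTPS on the challenge path"
        return "redirect", f"HTTP {status} to {target!r}"
    if status in (401, 403):
        return "blocked", f"HTTP {status}: origin or proxy denies access to the dot-directory"
    if status == 404:
        return "missing", "HTTP 404: token file not found where the origin serves the challenge path"
    if status != 200:
        return "error", f"unexpected HTTP {status}"
    if body.strip() != expected_token.encode():
        return "wrong-body", "HTTP 200 but the body is not the token (cached page or interception?)"
    return "ok", "token served over plain HTTP"


def preflight(host, webroot=None, token=None):
    """Place a probe token (if webroot is given), fetch it over HTTP and classify.

    webroot is the directory the origin serves for CHALLENGE_PREFIX (assumption).
    """
    token = token or secrets.token_urlsafe(24)
    probe = None
    if webroot:
        probe = Path(webroot) / token
        probe.write_text(token)
    try:
        status, headers, body = fetch_no_redirect(f"http://{host}{CHALLENGE_PREFIX}{token}")
        return classify(status, headers, body, token)
    finally:
        if probe is not None and probe.exists():
            probe.unlink()  # never leave probe files behind in the webroot


if __name__ == "__main__":
    import sys

    # usage: python preflight.py example.com [/var/www/html/.well-known/acme-challenge]
    verdict, detail = preflight(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(f"{verdict}: {detail}")
```

Run it against the proxied hostname once before each renewal attempt: `redirect-https` means the Page Rule exemption is not matching, while `blocked` or `missing` points at the origin's own rules rather than at Cloudflare.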

Thanks for the reply @fritex . We don’t want to move away from the proxied version.
The other solution you present is exactly what I want to achieve but I can’t get it to work.

I can’t get it to work either, which is why I use DNS-01. And when I can’t do either, I install a Cloudflare Origin cert.

I am sorry if I misunderstood, I meant temporarily … just for the renewal process. Then go back to orange cloud (proxied), of course.

Or just go the way @sdayman described.

