Renewing LetsEncrypt SSL w/ CloudFlare Proxy Failing

For years we’ve been utilizing Cloudflare’s service, SSL set to FULL. As long as our SSL certificate was issued with the proxy off, renewals went through fine with it on.

Within the last month something changed: renewals are no longer being processed. We have to disable the Cloudflare proxy, renew our SSL cert and then re-enable the Cloudflare proxy. It’s a PIA - we have over 200 domains.

Our host suggested disabling IPv6 compatibility on Cloudflare; however, Cloudflare no longer supports disabling it.

We’re using LetsEncrypt SSL certificates that will no longer renew with Cloudflare proxy on.

It’s been working fine for 5+ years.

What’s changed & how can we fix this automated process?

Welcome to the Cloudflare Community.

That is not ideal. You need Full (strict) or you risk using invalid certificates.

Since you mention that your setup used to work, I would start with making sure that you allow unrestricted access to the /.well-known/acme-challenge/ path.

That would not have changed anything, so it is nothing to worry about.

Let’s Encrypt recently added some new locations to their multi-perspective validation. If you have any geo-blocking rules in place on port 80, they could be preventing certificate issuance by blocking secondary validation.

You’re a genius - thank you!!

It was our geo-blocking rules. I added this exception to one of our domains and, using https://letsdebug.net, confirmed that it’s now able to get through regardless of where it comes from.

Do you have any suggestions on how to bulk update our rules or are we looking to do this one by one?


If you have an appropriately skilled developer, you could use the Cloudflare API.
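To make the two answers above concrete (the geo-block on port 80 that stops Let’s Encrypt’s secondary validation perspectives, and bulk-updating rules through the Cloudflare API), here is an added Python example. It is not code from this thread, from Cloudflare or from Let’s Encrypt. It models a zone’s custom WAF rules offline, shows that the ACME exception only works when it is ordered before the geo-block rule, and builds the payload to push that exception to every zone. Assumptions, labelled in the code: the Rulesets API paths used (`/zones` and `/zones/{id}/rulesets/phases/http_request_firewall_custom/entrypoint`), the `ip.src.country` and `http.request.uri.path` field names, the sample allowed-country list, the `CLOUDFLARE_API_TOKEN` environment variable, and that the tiny local evaluator understands only the two expression shapes in the sample rules.

```python
"""Cloudflare custom-rule ordering for ACME HTTP-01, modelled offline, plus a
bulk update over every zone. Added example, not code from the thread."""
import json
import os
import re
import urllib.error
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"   # zone custom WAF rules phase (assumption)
ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample of the OP's geo-blocking; the country list is an assumption.
GEO_BLOCK_RULE = {
    "description": "Block all countries except the allow list",
    "expression": 'not ip.src.country in {"US" "CA"}',
    "action": "block",
    "enabled": True,
}

# The exception: "skip" with ruleset "current" bypasses the remaining custom
# rules, so validation requests get through from any Let's Encrypt vantage point.
ACME_SKIP_RULE = {
    "description": "Allow Let's Encrypt HTTP-01 validation from any location",
    "expression": f'http.request.uri.path starts with "{ACME_PATH}"',
    "action": "skip",
    "action_parameters": {"ruleset": "current"},
    "enabled": True,
}


def ensure_acme_exception(rules):
    """Return the rule list with the ACME skip rule in front, unless already present."""
    if any(r.get("expression") == ACME_SKIP_RULE["expression"] for r in rules):
        return list(rules)
    return [ACME_SKIP_RULE, *rules]


# Minimal evaluator for the two expression shapes used above (assumption: this is
# not a full Cloudflare Rules language parser, just enough to model ordering).
_COUNTRY = re.compile(r"^(not )?ip\.src\.country in \{([^}]*)\}$")
_PATH = re.compile(r'^http\.request\.uri\.path starts with "([^"]*)"$')


def _term_matches(term, request):
    m = _COUNTRY.match(term)
    if m:
        hit = request["country"] in re.findall(r'"([A-Z]{2})"', m.group(2))
        return (not hit) if m.group(1) else hit
    m = _PATH.match(term)
    if m:
        return request["path"].startswith(m.group(1))
    raise ValueError(f"unsupported expression term: {term!r}")


def decide(rules, request):
    """Custom rules are evaluated in order: first match wins, and a 'skip'
    lets the request continue past the rest of the custom rules."""
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        terms = [t.strip(" ()") for t in rule["expression"].split(" and ")]
        if all(_term_matches(t, request) for t in terms):
            return "allow" if rule["action"] == "skip" else rule["action"]
    return "allow"


def _api(method, path, token, body=None):
    req = urllib.request.Request(
        f"{CF_API}{path}",
        method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]


def apply_to_all_zones(token):
    """Prepend the ACME exception to the custom ruleset of every zone the token can see."""
    page = 1
    while True:
        zones = _api("GET", f"/zones?per_page=50&page={page}", token)
        if not zones:
            return
        for zone in zones:
            path = f"/zones/{zone['id']}/rulesets/phases/{PHASE}/entrypoint"
            try:
                current = _api("GET", path, token).get("rules", [])
            except urllib.error.HTTPError as err:
                if err.code != 404:      # no custom ruleset yet: start from empty
                    raise
                current = []
            updated = ensure_acme_exception(current)
            if updated != current:
                keep = ("id", "ref", "description", "expression", "action", "action_parameters", "enabled")
                _api("PUT", path, token, {"rules": [{k: r[k] for k in keep if k in r} for r in updated]})
                print(f"{zone['name']}: ACME exception added")
        page += 1


if __name__ == "__main__":
    probe = {"path": ACME_PATH + "token", "country": "SG"}   # constructed validation request
    print("geo-block only  :", decide([GEO_BLOCK_RULE], probe))                         # block
    print("exception first :", decide(ensure_acme_exception([GEO_BLOCK_RULE]), probe))  # allow
    print("exception last  :", decide([GEO_BLOCK_RULE, ACME_SKIP_RULE], probe))         # block
    token = os.environ.get("CLOUDFLARE_API_TOKEN")   # assumed env var; unset = offline only
    if token:
        apply_to_all_zones(token)
```

Run it without the token to see the three offline decisions: a validation request from a country outside the allow list is blocked by the geo rule alone, allowed once the skip rule is first, and still blocked if the skip rule is appended after the block rule, which is the mistake to watch for when adding the exception by hand. With a token scoped to read zones and edit WAF rules it walks every zone and only rewrites the ones that lack the exception; afterwards a check against https://letsdebug.net, as the OP did, confirms the path is reachable from any location.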
