Renewing SSL certificate when existing already with LetsEncrypt

Before using Cloudflare, we have Letsencrypt installed on our Ubuntu Apache server.
We have received notification of letsencrypt certificate expiry in 20 days.
Given that Cloudflare supplies us with its own SSL certificate, will we still need to renew the Letsencrypt certificate, or will it expire, but be secured by Cloudflare instead?
Having attempted to renew the existing LetsEncrypt certificate, I get a handshake failed message.
Thanks in advance

I am assuming you are tunnelling your requests through Cloudflare, aren't you?

In that case Cloudflare only manages the certificates on their edge servers, not on yours. Even though an expired certificate would still work under “Full” (not under “Full strict” though) you should still ensure you have a valid certificate.

Alternatively you could also create an origin certificate from within your Cloudflare control panel, which can have a validity of up to 15 years.

Thanks, just checked my site's SSL certificate in browser and it's protected by Cloudflare

These are the edge servers, aren't they? You are talking about the certificate on your own server, right?

The certificate I can see when I click the browser padlock is from Cloudflare, which doesn't expire until late next year.
When I attempt to renew the existing certificate on my server, which was the one I had before I joined Cloudflare, I get the following error.

My main concern is that when the letsencrypt certificate expires (which I cannot renew because of the below) will I get unsecure error when people visit my website, or will the website continue to be secure through Cloudflare SSL and Letsencrypt become obsolete?


  • The following errors were reported by the server:

    Domain: domainhere
    Type: tls
    Detail: remote error: tls: handshake failure

    Domain: domainhere
    Type: tls
    Detail: remote error: tls: handshake failure

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Certbot client.

People should not get an unsecure warning; however, depending on your settings, Cloudflare might not be able to connect to your site at all.

The certificate on your server is not obsolete, you still have to renew it. Alternatively, you can choose the origin certificate path I mentioned earlier.

Ok thanks Sandro, I'll look at installing an origin certificate when letsencrypt expires
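
Added example, not part of the original thread: the padlock in the browser only shows the edge certificate, so this sketch checks the origin certificate directly and maps its expiry onto the "Full" and "Full strict" behaviour described in the answers above. The function names `probe_origin` and `assess` are hypothetical, and the sample certificate and clock values are constructed.

```python
import socket
import ssl
import time

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns, plus a
# fixed "now" 20 days before expiry, so the example runs offline.
SAMPLE_CERT = {"notAfter": "Jun 21 12:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2025 GMT")


def probe_origin(origin_ip, hostname, port=443, timeout=5.0):
    """TLS handshake with the origin itself, bypassing the Cloudflare edge.

    Validates chain, expiry and hostname against the system trust store, so a
    Cloudflare Origin CA certificate is reported as untrusted here even though
    Cloudflare accepts it. Returns (cert_dict, None) or (None, reason).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return None, str(exc)


def assess(cert, now=None, renew_before_days=30):
    """Map the origin certificate's expiry onto the two modes in this thread."""
    now = time.time() if now is None else now
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    expired = seconds_left <= 0
    days_left = int(seconds_left // 86400)
    if expired:
        action = "renew now"
    elif days_left < renew_before_days:
        action = "renew soon"
    else:
        action = "none"
    return {
        "days_left": days_left,
        "full": "ok",  # per the thread: an expired origin cert still works
        "full_strict": "fail" if expired else "ok",  # assumes a trusted issuer
        "action": action,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CERT, now=SAMPLE_NOW))
```

To run it against a live server, pass the origin's own IP address and the site's hostname to `probe_origin` and feed the returned dict to `assess`.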
