Hi there, hoping to get some help or understanding. Every year I’m always having an SSL certificate error. I contacted IONOS my registrar who sort the issue by repointing the nameservers back to themselves and update the certificate but they said that as I host and point to Cloudflare that I need to check if there’s an option to have this automatically updated. I have notifications on but never get any update to say the certificate is going to run out.
Is there a way to have the SSL certificate auto updated or at least get notifications that it’s going to expire?
Cloudflare’s proxy certificates are automatically updated (now every 90 days), but Cloudflare can’t update the certificates on your origin. You need to do that yourself.
Across our domains we use certbot with DNS validation and the DNS plugin for Cloudflare. You can automate the update or just run it manually and LetsEncrypt emails you when there are 30 days left on the certificate when you can update it.
If you cannot (or don’t want to) install software on your server, you could also give this a try:
If your host (IONOS) uses HTTP-01 challenges, you need to deactivate Always use HTTPS for the challenge path /.well-known/acme-challenge/*, as well as some other things:
Create a configuration rule with the expression URI Path starts with /.well-known/acme-challenge/ and the following settings: Automatic HTTPS Rewrites - Off Browser Integrity Check - Off Security Level - Essentially Off
This should allow IONOS to renew your certificate without changing the nameservers (IF they are using HTTP-01 challenges, you’d have to ask them).
Alternatively, you could install a Cloudflare Origin certificate. Keep in mind this only work for proxied HTTP(S) connections and cannot be used for anything else, like email or unproxied websites.
Thanks so much for confirming that. I’m not technical at all to this back-end level so any easy steps are helpful. How exactly would I do this myself? I’m also on a basic plan so not sure if that restricts access or anything.
Thanks for that. Yes they always have to repoing to their nameservers and then I usually point them back to Cloudflare. At the moment they’re still pointing to IONOS although the certificate has been updated. They said I could leave it like that, but we’d still have the problem each year.
They said I could use their own CDN platform to avoid it as they’d auto update. Just not sure I want to do that. I’ll speak to them on your suggestion.