Unproxied A records + Cloudflare Origin SSL + Redirects?

All DNS records for my domain are :orange: except the following:

ns1.example.com :grey: (private nameserver’s A record)
ns2.example.com :grey: (private nameserver’s A record)
mail.example.com :grey: (MX hostname’s A record)

These NEED to be :grey: in order to resolve correctly for their intended purpose. As a consequence, they are not covered by the Universal SSL so the browser loads Cloudflare Origin SSL and displays the warning NET::ERR_CERT_AUTHORITY_INVALID.

Is there any way around this error other than adding the valid CA-issued certificate? I’ve tried creating redirects on my web host for these URLs to redirect them to the domain’s apex example.com :orange:. Redirect works for the HTTP version, but not for HTTPS where again I’m faced with the same invalid SSL error. It seems as though the browser first checks for SSL and then considers/disregards the redirect.

These nameserver and mail URLs don’t have any direct purpose to be visited by anyone, so is this really a thing to be concerned about or should I just leave them “unsafe” in the browser’s eyes?

No, Cloudflare warns about it here…

Yes, the SSL is part of the connection process which comes before any data, including a redirect, can be delivered for obvious reasons.

Without the certificate being validated, your users may accept any certificate including one from a third-party that has intercepted their connection. It is insecure and you shouldn’t do it. Just apply a LetsEncrypt certificate.


Thank you! The thing is that I’m on cPanel and it uses a feature called AutoSSL that automatically installs Let’s Encrypt certs. But there are a few problems with it.

It won't renew the cert if “Always Use HTTPS” is enabled. So you have to disable it and then renew it. Imagine doing that manually for 50+ domains. Plus not all certs expire at the same time.

There is also another issue native to cPanel where, if you have multiple domains, AutoSSL randomly combines hostnames in certs from all the domains you own. Also, when a hostname gets covered by the SSL, the Common Name may not display that hostname but a hostname from a completely different domain.

Yes, the ACME challenge stuff requires HTTP. You can use the DNS method with the Cloudflare DNS plugin for certbot; it gets round that and works nicely when set up in a script - we do 10s of certificates this way with a single command. It uses the Cloudflare API to insert, then delete, the _acme-challenge TXT records for you. Easy for multiple certificates.

certbot --dns-cloudflare --dns-cloudflare-credentials ./cloudflare-credentials.txt --preferred-challenges dns certonly -d example.com -d *.example.com

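As an added example (not from the reply above and not certbot's own code), here is a small POSIX shell script that does what that reply describes: it loops over a list of apex domains and runs certbot with the Cloudflare DNS-01 plugin for each, covering the apex and its wildcard, and refuses to start if the credentials file is readable by anyone but its owner. The file names ./domains.txt and ./cloudflare-credentials.txt, the CF_CREDS, DOMAINS_FILE and DRY_RUN variables, and the run argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the reply above or from certbot: issue/renew wildcard
# certificates for many domains with certbot's Cloudflare DNS-01 plugin.
# Assumptions: certbot and the certbot-dns-cloudflare plugin are installed,
# ./domains.txt lists one apex domain per line (blank lines and # comments are
# skipped), and ./cloudflare-credentials.txt holds the API token. Both file
# names are placeholders and can be overridden with DOMAINS_FILE / CF_CREDS.

CREDS=${CF_CREDS:-./cloudflare-credentials.txt}
DOMAINS_FILE=${DOMAINS_FILE:-./domains.txt}

# check_creds_perms FILE: the token in this file can edit the DNS zone, so
# refuse anything readable or writable by group/others (certbot itself only
# warns). Returns 0 when the file exists and is owner-only, 1 otherwise.
check_creds_perms() {
  [ -f "$1" ] || return 1
  # octal -perm tests: 040/020 = group r/w, 004/002 = other r/w
  loose=$(find "$1" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
  [ -z "$loose" ]
}

# build_certbot_args DOMAIN: the certbot arguments for one apex domain, covering
# the apex and its first-level wildcard via DNS-01. The 30 s propagation wait
# gives the TXT record time to appear before the CA queries it.
build_certbot_args() {
  printf '%s' "certonly --non-interactive --agree-tos --dns-cloudflare" \
    " --dns-cloudflare-credentials $CREDS --dns-cloudflare-propagation-seconds 30" \
    " --preferred-challenges dns -d $1 -d *.$1"
}

# run_all: one certbot invocation per listed domain. DRY_RUN=1 prints the
# commands instead of running them.
run_all() {
  set -f   # the unquoted argument list below must not glob-expand "*.example.com"
  if ! check_creds_perms "$CREDS"; then
    echo "refusing to run: $CREDS is missing or not mode 600" >&2
    return 1
  fi
  while IFS= read -r domain || [ -n "$domain" ]; do
    case $domain in ''|'#'*) continue ;; esac
    echo "== $domain" >&2
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo certbot $(build_certbot_args "$domain")
    else
      certbot $(build_certbot_args "$domain")
    fi
  done < "$DOMAINS_FILE"
}

# Only act when invoked with "run", so the functions can be sourced or tested.
if [ "${1:-}" = run ]; then run_all; fi
```

Try it first with `DRY_RUN=1 sh renew-wildcards.sh run` (the script name is a placeholder) to see the commands it would run. The credentials file uses the `dns_cloudflare_api_token` key that the certbot-dns-cloudflare plugin documents, and the first registration on a machine also needs an account e-mail (`-m`), which the script leaves to you.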

I understand but I’m very short on the knowledge and the time required for this. Is there anyone that can achieve this for me or is there a fairly complete guide to follow and do it myself.

With Let’s Encrypt you can disable Always Use HTTPS and leave it off. You can handle the redirect to HTTPS in your origin or with other rules at Cloudflare. You need to make sure that you exempt the path used by ACME clients, which is /.well-known/acme-challenge.

I don’t know if AutoSSL can be similarly managed. It might be worth searching the cPanel forums.

You may also be able to use AutoSSL only on the :grey: hostnames and exclude the ones using the Cloudflare Origin CA certificate.


Just when I thought I had everything figured out after months of hard work, :grey: records came along. :pensive:

I’m not planning to use AutoSSL due to the mentioned issues. But I might consider installing Let’s Encrypt via certbot.

So to confirm, for :orange: records: If I use Let’s Encrypt (or any other CA that uses ACME validation) I can’t use Always Use HTTPS, but I need to create a redirect rule to force HTTPS while exempting the /.well-known/acme-challenge.

For :grey: records I need to create the same rule at my origin?


That should work. If you have any questions or concerns with the configuration on the Cloudflare side, you can always ask here in the Community.


I found my post in the Let’s Encrypt Community that references the Cloudflare settings that I like to use with ACME HTTP-01 challenges.



Continuing the discussion from Unproxied A records + Cloudflare Origin SSL + Redirects?:

@epic.network, while I was researching your last answer the topic has closed. I’m continuing it here to finalize everything. I read your post from Let’s Encrypt about excluding the ACME path for validation to work. So you’re turning off cache and SSL options for this path:

Cache Rule “ACME Challenge”:

(starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
Cache status: Bypass cache

Configuration Rule “ACME Challenge”:

(starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
Automatic HTTPS Rewrites: Off
Browser Integrity Check: Off
Opportunistic Encryption: Off
Security Level: Essentially Off
SSL: Off

I don’t see an option for also turning off the Always Use HTTPS option for the ACME path in the Configuration rules, which means it needs to be disabled globally. You said that you handle HTTPS redirects at the origin, but I still wish to configure them at Cloudflare. So I need to configure a redirect rule to force HTTPS but with the ACME path excluded. I will post my results when I’m done.

Just one observation in the meantime: Have you guys at Cloudflare considered adding the option of turning on/off the Always Use HTTPS in Configuration rules?

You can’t really do that because it is a global setting for the entire domain.

It should be possible to create a redirect rule (or rules) to match anything other than the .well-known/acme-challenge path and send it over to an HTTPS version of itself.


I have these rules in this order:

  1. Remove www - http(s)://www.example.com/ => https://example.com/
  2. Force HTTPS - http://example.com/ => https://example.com/
  3. Force HTTP on ACME - https://example.com/.well-known/acme-challenge/ => http://example.com/.well-known/acme-challenge/

The first two work great, but when the third is enabled I get an endless redirect loop:
HTTP => HTTPS => HTTP => HTTPS ...

That’s not going to work. You need to exclude the .well-known/acme-challenge path from redirection. You can’t redirect it.

Are you trying to use Page Rules (old and busted) or Redirect Rules (new hotness)?


I’m only using redirect rules. :slight_smile:

Question:

Is it possible to stack functions inside of concat() and use AND / OR operators, for example:

concat("http://",http.host,starts_with(http.request.uri.path,"/abc/"))
or
concat("https://",http.host,not starts_with(http.request.uri.path,"/abc/"))

I’m currently testing and will post a solution once I have it.

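To show why the third rule above loops, what the exclusion suggested in the reply looks like, and where a condition such as starts_with() belongs in relation to concat(), here is an added example that is neither Cloudflare's code nor from this thread. It models the three Redirect Rules as a POSIX shell function evaluated in order and then follows the redirect chain; the Cloudflare filter expressions and target expressions for each rule are in the comments, and example.com is the thread's placeholder domain. In the rules language the condition goes in the rule's filter expression (fields such as ssl and http.request.uri.path), while concat() only assembles the target URL from strings, so a boolean from starts_with() cannot be nested inside it.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudflare: evaluate the three
# Redirect Rules in order for one request and follow the resulting chain.
# RULESET=loop reproduces the thread's rules 1-3; RULESET=fixed drops rule 3 and
# instead excludes the ACME path inside rule 2. "example.com" is the thread's
# placeholder domain.

ACME=/.well-known/acme-challenge/
RULESET=${RULESET:-fixed}

# apply_rules SCHEME HOST PATH: print the redirect target of the first matching
# rule, or nothing when no rule matches (the request is served as-is).
apply_rules() {
  scheme=$1 host=$2 path=$3
  case $path in "$ACME"*) is_acme=1 ;; *) is_acme=0 ;; esac

  # Rule 1 "Remove www": filter (http.host eq "www.example.com"),
  # target concat("https://example.com", http.request.uri.path)
  if [ "$host" = www.example.com ]; then
    printf 'https://example.com%s\n' "$path"; return 0
  fi

  # Rule 2 "Force HTTPS", target concat("https://", http.host, http.request.uri.path)
  #   loop:  filter (not ssl)
  #   fixed: filter (not ssl and not starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
  if [ "$scheme" = http ]; then
    if [ "$RULESET" = loop ] || [ "$is_acme" = 0 ]; then
      printf 'https://%s%s\n' "$host" "$path"; return 0
    fi
  fi

  # Rule 3 "Force HTTP on ACME" (loop ruleset only):
  #   filter (ssl and starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
  #   target concat("http://", http.host, http.request.uri.path)
  # Rule 2 then matches the http:// result again, so the chain never ends.
  if [ "$RULESET" = loop ] && [ "$scheme" = https ] && [ "$is_acme" = 1 ]; then
    printf 'http://%s%s\n' "$host" "$path"; return 0
  fi
  return 0
}

# follow URL: follow redirects for at most 10 hops; print the final URL, or LOOP.
follow() {
  url=$1 hops=0
  while [ "$hops" -lt 10 ]; do
    scheme=${url%%://*}
    rest=${url#*://}
    host=${rest%%/*}
    if [ "$rest" = "$host" ]; then path=/; else path=/${rest#*/}; fi
    next=$(apply_rules "$scheme" "$host" "$path")
    if [ -z "$next" ]; then printf '%s\n' "$url"; return 0; fi
    url=$next
    hops=$((hops + 1))
  done
  printf 'LOOP\n'
}

# Demo when run with "demo": the same ACME request under both rulesets.
if [ "${1:-}" = demo ]; then
  for rs in loop fixed; do
    RULESET=$rs
    printf '%-6s %s\n' "$rs" "$(follow http://example.com/.well-known/acme-challenge/token)"
  done
fi
```

Running it with `demo` prints LOOP for the thread's ruleset and the untouched http:// URL for the fixed one: an HTTP-01 request is left alone rather than redirected, which is what the validation needs. The same split applies at the origin for :grey: hostnames: redirect to HTTPS only when the path does not start with /.well-known/acme-challenge/.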

One quick question before I post the results:

Since a Let’s Encrypt SSL certificate covers the domain and 1st-level subdomains with a wildcard, is it required that the /.well-known/acme-challenge/ path is accessible through each subdomain besides the apex? For example:

http://example.com/.well-known/acme-challenge/

http://www.example.com/.well-known/acme-challenge/
http://mail.example.com/.well-known/acme-challenge/
http://sub.example.com/.well-known/acme-challenge/
...

Wildcard certificates use the DNS-01 challenge. The .well-known/acme-challenge path is used by HTTP-01 validation. See the following for more detail on ACME challenges.
