Using certs other than Letsencrypt

What is the name of the domain?

What is the issue you’re encountering

Can’t use Let’s Encrypt because Google has marked our domain as “unsafe” because it’s IP-limited. Not sure if we should use a Pro, Enterprise, or just Universal Cloudflare cert.

What steps have you taken to resolve the issue?

Works if we turn off proxying, then renew, then turn it back on.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

  1. Try to renew certificate
  2. Let’s Encrypt gives an error that the domain is “unsafe”

To be clear, not trying to get Let’s Encrypt to work, as it seems like the only way to do that is to open up an unacceptably wide IP range so that Google can crawl the subdomain. Just trying to figure out what Cloudflare setup, including a paid SSL cert, would get us around this.

If your domain is proxied, you can use a Cloudflare Origin certificate on your server.

Thanks for your speedy reply. Unfortunately the server is not one where we have full access to the filesystem–it’s a Heroku-hosted application. We were using their automated certificate management, but it keeps hitting this snag.

OK, actually looked into that and it appears that, while less automated, this solution may work for us, as the heroku CLI lets us add a cert without having to fiddle the filesystem ourselves.

There’s also the option of creating Rules on Cloudflare so that the Let’s Encrypt renewal passes, depending on which of the settings you use are currently blocking it.

Though you should also be able to fully automate the process if Heroku offers certificate upload via the API.
