Topic: AutoSSL and Cloudflare


AutoSSL and Cloudflare
« on: February 26, 2024, 02:51:39 AM »
Curious what is happening to me: I have two servers, two different VPSs, and on both the DNS at the registrar points to Cloudflare and from there to the sites.

Well, one has no problem: I have the A records for www and the site name pointing to VPS1 (proxied by Cloudflare, orange icon) and AutoSSL renews for me without any problem.

The second VPS, VPS2, with another site, there is no way: if I don't deactivate Cloudflare it won't generate the AutoSSL certificate... and I don't know what to do anymore, I'm a little desperate.

Thanks and regards.

Re: AutoSSL and Cloudflare
« Reply #1 on: February 26, 2024, 10:45:27 AM »
This is a Cloudflare issue.

But I would log into Cloudflare, look at all the SSL settings for the domain name that is working correctly, and mirror those settings to the 2nd.

More than likely you have Cloudflare handling the SSL somewhere.

Re: AutoSSL and Cloudflare
« Reply #2 on: February 26, 2024, 11:19:50 AM »
This is normal for Cloudflare. The RIGHT way to use Cloudflare is that you install the Cloudflare cert on your server; it is a wildcard SSL cert that goes between your server and Cloudflare, then all proxied traffic is encrypted. Cloudflare then will use its own AutoSSL between their servers and the internet.

This happens on cPanel as well; it is the way traffic is being blocked to the autogenerated paths, and since we are unable to dynamically create DNS records to validate domain ownership, it makes it very complicated.

It works sometimes, but if you REALLY want it to work ALL of the time, spend the extra few minutes and just download and install the Cloudflare cert, then make sure in Cloudflare SSL is set to Full, and enable all of the SSL features.
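
The failure the reply above describes is the HTTP-01 validation request never reaching the web server on the proxied hostname. The following is an added example, not code from this thread, from CWP or from Cloudflare: it reproduces that situation offline with two constructed local servers (an "origin" that serves the challenge file, and an "edge" that answers 403 for the challenge path, standing in for a proxy or firewall rule that drops the request), and shows how to tell the two hops apart. The token and key-authorization strings are constructed placeholders, not real ACME values; `probe_challenge()` is the part you would point at a real proxied hostname and, with `host_header` set, at the origin IP directly.

```python
"""Check whether an ACME HTTP-01 challenge path reaches the web server.

Added example, not code from this thread, CWP or Cloudflare. Runs offline:
a constructed "origin" serves the challenge file the way a web server would,
and a constructed "edge" answers 403 for that path, the way a proxy or
firewall rule that never forwards the request would.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "constructed-token-123"               # constructed, not a real ACME token
KEY_AUTH = TOKEN + ".constructed-thumbprint"  # constructed key authorization


def probe_challenge(base_url, token, expected, host_header=None, timeout=5):
    """GET the challenge URL and classify the answer.

    Returns (verdict, status, body); verdict is "ok", "wrong-content",
    "blocked" (non-2xx) or "unreachable" (no HTTP answer at all).
    """
    req = urllib.request.Request(base_url.rstrip("/") + CHALLENGE_PREFIX + token)
    if host_header:
        # Lets you hit the origin IP while presenting the site's hostname
        req.add_header("Host", host_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        return "blocked", err.code, err.read().decode("utf-8", "replace")[:200]
    except (urllib.error.URLError, OSError) as err:
        return "unreachable", None, str(err)
    if body != expected:
        return "wrong-content", status, body
    return "ok", status, body


class OriginHandler(BaseHTTPRequestHandler):
    """Constructed origin: serves the key authorization for the known token."""

    def do_GET(self):
        if self.path != CHALLENGE_PREFIX + TOKEN:
            self.send_error(404)
            return
        payload = KEY_AUTH.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


class BlockingEdgeHandler(BaseHTTPRequestHandler):
    """Constructed edge: refuses the path, so the origin never sees the request."""

    def do_GET(self):
        self.send_error(403)

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a handler on an ephemeral loopback port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def interpret(results):
    """Turn per-hop verdicts into the conclusion an operator needs."""
    if results["direct-origin"] == "ok" and results["via-edge"] != "ok":
        return "origin serves the challenge; the edge is dropping it"
    if results["direct-origin"] != "ok":
        return "origin itself does not serve the challenge; fix the web server first"
    return "challenge reachable on both hops"


def run_diagnosis():
    """Probe both constructed hops and return {hop: verdict}."""
    origin = start_server(OriginHandler)
    edge = start_server(BlockingEdgeHandler)
    try:
        results = {}
        for name, srv in (("via-edge", edge), ("direct-origin", origin)):
            url = "http://127.0.0.1:%d" % srv.server_address[1]
            results[name] = probe_challenge(url, TOKEN, KEY_AUTH)[0]
        return results
    finally:
        for srv in (origin, edge):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    verdicts = run_diagnosis()
    print(verdicts)
    print(interpret(verdicts))
```

Against a real deployment you would replace the two loopback URLs with the public hostname (the proxied hop) and `http://<origin-ip>` plus `host_header="www.example.com"` (the direct hop). "ok" on the direct hop and "blocked" through the proxy is the pattern described in this thread, and it tells you the fix belongs at the proxy (mirroring the working zone's settings, or moving to the origin-certificate setup the reply describes) rather than on the server.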

Re: AutoSSL and Cloudflare
« Reply #3 on: February 26, 2024, 11:41:36 AM »
> This is a Cloudflare issue.
>
> But I would log into Cloudflare, look at all the SSL settings for the domain name that is working correctly, and mirror those settings to the 2nd.
>
> More than likely you have Cloudflare handling the SSL somewhere.

I have thought about it, because one server does work with the Cloudflare proxy and the other does not.
It has no explanation... I have reviewed the Cloudflare configuration for the VPS that works for me; it does not handle any certificate.
I checked both accounts on Cloudflare and left them the same, with the same settings.
Maybe I should spend more time and go point by point and see where the difference is.

> This is normal for Cloudflare. The RIGHT way to use Cloudflare is that you install the Cloudflare cert on your server; it is a wildcard SSL cert that goes between your server and Cloudflare, then all proxied traffic is encrypted. Cloudflare then will use its own AutoSSL between their servers and the internet.
>
> This happens on cPanel as well; it is the way traffic is being blocked to the autogenerated paths, and since we are unable to dynamically create DNS records to validate domain ownership, it makes it very complicated.
>
> It works sometimes, but if you REALLY want it to work ALL of the time, spend the extra few minutes and just download and install the Cloudflare cert, then make sure in Cloudflare SSL is set to Full, and enable all of the SSL features.

Yes, I had already thought about it and done it in the past; it is easy to do, but... there I have a problem: I need the SAN for the email, and if I do this, I do not have that possibility.

In cPanel, it didn't happen to me, but I haven't used it for a few years now...

Re: AutoSSL and Cloudflare
« Reply #4 on: February 26, 2024, 02:35:26 PM »
> This is normal for Cloudflare. The RIGHT way to use Cloudflare is that you install the Cloudflare cert on your server; it is a wildcard SSL cert that goes between your server and Cloudflare, then all proxied traffic is encrypted. Cloudflare then will use its own AutoSSL between their servers and the internet.

This only works if you have your web server separate -- but that is not the normal use case for CWP, which, as a general-purpose hosting platform, also has e-mail. So you need the other SANs that aren't available on the wildcard certificate. And CF only handles port 80 -> 443 in that case, not mail ports.

Re: AutoSSL and Cloudflare
« Reply #5 on: February 26, 2024, 07:42:27 PM »
> This is normal for Cloudflare. The RIGHT way to use Cloudflare is that you install the Cloudflare cert on your server; it is a wildcard SSL cert that goes between your server and Cloudflare, then all proxied traffic is encrypted. Cloudflare then will use its own AutoSSL between their servers and the internet.
>
> This only works if you have your web server separate -- but that is not the normal use case for CWP, which, as a general-purpose hosting platform, also has e-mail. So you need the other SANs that aren't available on the wildcard certificate. And CF only handles port 80 -> 443 in that case, not mail ports.

Correct, that's what I wanted to say and/or add in my previous reply.