Cloudflare SSL - Do You Use Or Not?

scottalanmiller

I use both as well.

JaredBusch

You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

At least that is how it was when LE went public. Haven't looked into CF since.

NashBrydges

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

NashBrydges

@jaredbusch said in Cloudflare SSL - Do You Use Or Not?:

You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

At least that is how it was when LE went public. Haven't looked into CF since.

Thanks @JaredBusch I'll watch for this the next time I'm registering a new domain. So far, I've been migrating existing ones to CF so haven't run into this on renewal.

dbeato

@jaredbusch said in Cloudflare SSL - Do You Use Or Not?:

You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

At least that is how it was when LE went public. Haven't looked into CF since.

Yes, that is true. I went through this with Zimbra and LE which caused a lot of problems.

dbeato

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

It is a reverse proxy for you without the need of an additional Server, you can also host sub-domains with the same SSL, it is free but the SSL just needs to be renewed in CloudFlare.

black3dynamite

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

I use the non strict Full SSL because I have some self-signed certs.

JaredBusch

@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

I use the non strict Full SSL because I have some self-signed certs.

Same here.

NashBrydges

@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

@nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

@black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verefy the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

I use the non strict Full SSL because I have some self-signed certs.

That would be a good use-case scenario. Thanks.

FATeknollogee

I use CF for DNS & as domain registrar.
My web hosting is done somewhere else.

I'm trying to use LE certs (at my web hoster) but the dns-01 validation is failing.

What am I doing wrong?

black3dynamite

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

dns-01

Not sure what that is but could this help?

Cloud Flare hook bash for dehydrated - DNS-01 Challenge Let's Encrypt
https://github.com/sineverba/cfhookbash

travisdh1

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

I use CF for DNS & as domain registrar.
My web hosting is done somewhere else.

I'm trying to use LE certs (at my web hoster) but the dns-01 validation is failing.

What am I doing wrong?

You'll need a cloudflare api key and the registered email in a file. Mine is in /root/.secrets/cloudlfare.ini, which has 2 lines

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = your key

Then you can:

certbot2 certonly --dns-cloudflare-credentials /root/.secret/cloudflare.ini --renew-by-default -d domain.com -d subdomain.domain.com

You do have to list all domains and subdomains you want the cert to be valid for in the command. I have mine scripted to run once every day.

dbeato

@travisdh1 said in Cloudflare SSL - Do You Use Or Not?:

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

I use CF for DNS & as domain registrar.
My web hosting is done somewhere else.

I'm trying to use LE certs (at my web hoster) but the dns-01 validation is failing.

What am I doing wrong?

You'll need a cloudflare api key and the registered email in a file. Mine is in /root/.secrets/cloudlfare.ini, which has 2 lines

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = your key

Then you can:

certbot2 certonly --dns-cloudflare-credentials /root/.secret/cloudflare.ini --renew-by-default -d domain.com -d subdomain.domain.com

You do have to list all domains and subdomains you want the cert to be valid for in the command. I have mine scripted to run once every day.

Yep, I have it that way for my home as I cannot get SSL since my ISP blocks port 80.

JaredBusch

I just don't wan tto take the time to convert everything. I have been using LE for so long...

black3dynamite

@JaredBusch said in Cloudflare SSL - Do You Use Or Not?:

I just don't wan tto take the time to convert everything. I have been using LE for so long...

Why would you have to convert? Is this a new way of getting certs now?

FATeknollogee

@dbeato @travisdh1
Are you guys doing this on a VPS or you have a self-hosted web server?

travisdh1

@FATeknollogee said in Cloudflare SSL - Do You Use Or Not?:

@dbeato @travisdh1
Are you guys doinf this on a VPS or you have a self-hosted web server?

Mine is a self hosted server with an nginx proxy handling all external traffic. Should work the same with a VPS when using cloudflare for DNS.

JaredBusch

@black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

@JaredBusch said in Cloudflare SSL - Do You Use Or Not?:

I just don't wan tto take the time to convert everything. I have been using LE for so long...

Why would you have to convert? Is this a new way of getting certs now?

Yes. This would allow us to use CloudFlare again. When I first switched to LE, I had to manually disable CloudFlare (uncheck the orange cloud), wait a minute, then run the LE renew, then reenable CloudFlare.

Certbot eventually came out with a plugin that you could use the CloudFlare API to enable, and disable during the process. But, by then, I had already just disabled CloudFare proxying all my sites that use LE.

Now, with DNS verificaiton, I can turn everything back on and not even need the API to enable/disable. But I will need to take the time to set things back up again.

Baldwin_Cannon

In principle, the combination of both will be appropriate for better safety of the web site. Only along with the above, I also use other types of SSL such as there https://hostovita.pl/ssl/

stacksofplates

I use the actual CloudFlare certs that they give you also. Not just clicking the cloud. I use GitLab pages to host my blog and LetsEncrypt renewal is still manual there. So I got a free cert from CloudFlare which is good for 15 years and used that instead.