I decided to cover this issue because it just happened to us, and I didn’t manage to find a solution on the net.
This article is for those who have a Let’s Encrypt certificate installed on their web host, which gets renewed automatically, and who also use Cloudflare.
Why we ended up using Cloudflare
We used to have MaxCDN in place for our website, but SiteGround, our hosting company, kept blocking their IPs, which resulted in our website being partially broken from time to time.
Fortunately, every time I contacted them, they whitelisted the IPs.
But, one day, they refused to whitelist a range of IPs for security reasons, saying:
I relayed your request to our sys admins and unfortunately, we will not be able to execute it as this will cause a very large security risk for the server.
I didn’t bother to find a solution, since this happened quite often, and our security plugin, iThemes Security, was often blocking MaxCDN IPs too, so it was becoming quite annoying.
Don’t get me wrong, MaxCDN is great, and it’s basically not their fault. They could, maybe, acquire better IPs or something, but I really don’t know how it works, since it’s not my area of expertise.
So, we still wanted a CDN, because it does help with a site’s performance and loading time.
We decided to give Cloudflare a try, so we set it up at the end of February, 2018.
Cloudflare works differently from MaxCDN, and it also offers some extra stuff besides CDN, such as caching, DDoS protection, and other useful features.
You can see here a comparison between MaxCDN and Cloudflare, and what they offer.
Now let’s get to the important part.
Why isn’t the Let’s Encrypt certificate auto-renewing itself anymore
Since you are reading this topic, I assume you already have Cloudflare set up and a Let’s Encrypt certificate installed, and know what they are, and so on, so I won’t go into those details.
When you set up Cloudflare, you’ll have to point your domain’s nameservers (DNS) to them.
By doing this, your Let’s Encrypt certificate will stop renewing automatically, since your domain’s DNS now resolves to Cloudflare’s proxy rather than to your web host, so the renewal validation request no longer reaches your host directly.
So you’ll eventually wake up with an email, like we did, saying:
Since this was the first time we were using Cloudflare, and everything was new to us, I contacted SiteGround’s support to ask what the proper thing to do is in this case.
Fortunately, the solution is quite simple, and I’ll share it with you below.
How to renew the Let’s Encrypt certificate if you’re using Cloudflare
Theoretically, this should work for everyone, not just for those that use SiteGround or WordPress.
In order to allow the Let’s Encrypt certificate to automatically renew itself, you’ll have to temporarily deactivate Cloudflare, which shouldn’t lead to any downtime or issues.
To deactivate Cloudflare:
- Log in to your Cloudflare account;
- Select the Overview tab;
- Click the Advanced link;
- Click the Pause button.
Now give it a couple of minutes for the Let’s Encrypt certificate renewal to take place.
How to check if the Let’s Encrypt certificate has been renewed
In order to check if the Let’s Encrypt certificate has been renewed, so you can activate Cloudflare again, go to SSL Hopper and add your domain there.
I used letsencrypt.org as an example.
First of all, if you used SSL Hopper before, make sure you are not viewing cached results. In order to see uncached results, click the “clicking here” link.
Then check the Issuer, which should be Let’s Encrypt, and the expiration time, which shouldn’t be more than 90 days, since a Let’s Encrypt certificate is valid for 90 days.
On SiteGround, and perhaps other web hosts as well, the Let’s Encrypt certificate automatically renews 30 days before the expiration, so they don’t wait for the whole 90 days.
It also shouldn’t show only a few days left, because that means it didn’t renew and you’ll have to wait a bit more.
For example, when we received the email, we had 19 days left until expiration. If I had checked with SSL Hopper and it had returned 19 days until expiration, it would have meant that the renewal didn’t take place.
After I deactivated Cloudflare, and the certificate renewed, we got 72 days until expiration date. Pretty random, but…
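The same issuer-and-expiry check described above can be done locally instead of on a web checker. The script below is an added example, not part of the original post: it assumes openssl and GNU date are installed, builds a constructed self-signed certificate valid for 72 days (mirroring the number the post saw after renewal), and applies the post’s rule of thumb that a freshly renewed Let’s Encrypt certificate shows more than 30 and at most 90 days left. The fetch_live_cert helper is how you would pull the certificate a real host presents; it is not run here.

```shell
#!/bin/sh
# Added example (not from the post): check a certificate's issuer and days to
# expiry locally. Assumes openssl and GNU date are installed.
set -eu

# Issuer line of a PEM certificate file.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Whole days until the certificate's notAfter date (negative once expired).
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_epoch=$(date -u -d "$end" +%s)   # GNU date syntax (assumption)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# The post's rule of thumb: a freshly renewed Let's Encrypt certificate shows
# more than the 30-day renewal threshold and at most 90 days; a value at or
# below 30 days means the renewal has not happened yet.
renewal_happened() {
  days=$(cert_days_left "$1")
  [ "$days" -gt 30 ] && [ "$days" -le 90 ]
}

# Fetch the certificate a live host presents (not run in the offline demo).
# Usage: fetch_live_cert example.com > live.pem
fetch_live_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Constructed sample: a self-signed certificate valid for 72 days.
WORKDIR=$(mktemp -d)
SAMPLE_CERT="$WORKDIR/constructed.pem"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/key.pem" \
  -out "$SAMPLE_CERT" -days 72 \
  -subj "/O=Constructed Test Issuer/CN=example.com" >/dev/null 2>&1

cert_issuer "$SAMPLE_CERT"
echo "days left: $(cert_days_left "$SAMPLE_CERT")"
if renewal_happened "$SAMPLE_CERT"; then
  echo "looks renewed: safe to re-enable Cloudflare"
else
  echo "not renewed yet: wait and check again"
fi
```

On a real host you would run `fetch_live_cert yourdomain.com > live.pem` while Cloudflare is paused and then point the other functions at live.pem; the issuer line should name Let’s Encrypt rather than the constructed issuer used here.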
Why is it important to have SSL set up on both your web host and Cloudflare
Cloudflare doesn’t offer end-to-end encryption by default, which means that the traffic between Cloudflare and the end users of your website will be encrypted, but not the traffic between Cloudflare and your web host. In Cloudflare’s SSL settings that default is the “Flexible” mode; the “Full (Strict)” mode encrypts the second leg as well and also validates the certificate your host presents, which is exactly what a valid Let’s Encrypt certificate on the host provides.
Therefore, it’s strongly recommended that you use an SSL certificate – a Let’s Encrypt certificate, in our case – on your web host as well, so that the traffic from Cloudflare to your web host will also be encrypted.
That’s a wrap
Hope the post was comprehensive and helped you to renew your Let’s Encrypt certificate while using Cloudflare.
Don’t forget to share to help out others!
If you have questions or thoughts, or need help, drop a comment, contact us, or message us on Facebook.
You can also follow us on Twitter and subscribe to our YouTube channel.
If you want to start your own WordPress blog, or need a website for your business, our WordPress installation service is at your disposal!
Thanks a lot, you saved my time
Great. A real time and effort saver. Thank you
Thanks a lot!!!! You are a life-saver
You’re most welcome! Glad it helped!
Thanks, you have given the best and easiest method to renew the certificate.
It seems you don’t necessarily have to disable cloudfront fully. For a blog I’m supporting it seems it was enough to disable http->https rewrites from Cloudfront as it seems the challenge is served over http and won’t work over https.
I assume the autorenewal will work as long as I leave the forced http->https redirect off at cloudfront and manage that directly from the website as necessary.
If you didn’t write CloudFront by mistake, instead of Cloudflare, then note that CloudFront is different from Cloudflare.
I confirm that keeping Full (Strict) enabled but disabling ‘Always Use HTTPS’ option in CloudFlare is enough to automatically renew my LE certificate via certbot.
I followed those simple steps to install my certificates: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
You can run the dry-run command to check how your next cert renewal will go:
certbot renew --dry-run
Hope that helps!
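The two comments above point at the actual mechanism: the HTTP-01 challenge is fetched over plain HTTP at /.well-known/acme-challenge/, so a forced HTTP-to-HTTPS redirect in front of the origin breaks it. The script below is an added example, not code from the post or from either commenter: it assumes curl is installed, and splits the decision logic (classify_challenge) from the live probe (probe_challenge) so the decision can be exercised offline on constructed status/redirect pairs. The challenge URL and probe token are placeholders.

```shell
#!/bin/sh
# Added example (not from the post or the commenters): probe whether the HTTP-01
# challenge path is reachable over plain HTTP, i.e. not bounced to HTTPS by a
# setting such as Cloudflare's "Always Use HTTPS". Assumes curl is installed.
set -eu

# Classify a (status code, redirect target) pair returned for the challenge URL.
# 200/404 mean the origin answered over HTTP itself (404 is normal when no
# token is being served right now); a 3xx to https:// is the failure mode
# described in the comments; 000 is curl's code for "could not connect".
classify_challenge() {
  status=$1
  redirect=${2:-}
  case "$status" in
    200|404) echo "ok";;
    301|302|307|308)
      case "$redirect" in
        https://*) echo "redirected-to-https";;
        *)         echo "redirected-elsewhere";;
      esac;;
    000) echo "unreachable";;
    *)   echo "unexpected-$status";;
  esac
}

# Live probe: request a throwaway token over HTTP without following redirects,
# then classify curl's reported status code and redirect target.
# Usage: probe_challenge example.com
probe_challenge() {
  out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' \
        "http://$1/.well-known/acme-challenge/probe-$(date +%s)") || true
  set -- $out
  classify_challenge "$1" "${2:-}"
}

# Constructed offline demo of the decision logic.
echo "origin answered directly:  $(classify_challenge 404 '')"
echo "forced HTTPS in front:     $(classify_challenge 301 'https://example.com/.well-known/acme-challenge/x')"
echo "host down:                 $(classify_challenge 000 '')"
```

If the live probe reports redirected-to-https while Cloudflare is enabled, the redirect is the thing to remove or exempt for that path before the next renewal; a result of ok with the proxy still on means the challenge path is already passing through untouched.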
Thanks for sharing this!