Using Let's Encrypt with Cloudflare

Hello,
As you can see, I’m new here. I’m starting to try out Hestia and see if I can move my websites/VPSs to it.

Before posting this question, I searched, but I didn’t find anything helpful, so please excuse me if this has already been addressed, but I missed it.

I’ve seen threads like these:

But as I mentioned, either they’re not helpful, or the links they have, while leading to the official Hestia documentation, are no longer available.

The website I started with is hosted on Cloudflare, so even if I select Let’s Encrypt, it doesn’t generate the certificate.

I understand that I need to set the A and AAAA records to gray (not proxied) for it to generate, but if I do that, will the certificate be automatically renewed when the time comes?

Or is there another way?

Thanks in advance.

Welcome to the HestiaCP forum.

That understanding is incorrect. I use Let’s Encrypt certificates on my origins with the Cloudflare proxy always enabled. Make sure that you don’t have any settings in your Cloudflare config that could disrupt the HTTP-01 challenge, such as “Always use HTTPS”.

I like to use Config Rules to force requests to the /.well-known/acme-challenge path to use HTTP among a few other settings. You can see a somewhat complete selection here:

See if that helps. You should be able to use the native HestiaCP options to obtain Let’s Encrypt certificates once your Cloudflare is set up correctly.

Another option is to use Cloudflare Origin CA certificates, but they are incompatible with direct access, due to only being trusted by the Cloudflare edge. This limits them to use with only proxied HTTPS traffic.

3 Likes
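As an added pre-flight check (written for this thread, not code from the poster or from HestiaCP), the script below requests a test token over plain HTTP on the /.well-known/acme-challenge path through the proxy, walks the redirect chain by hand and classifies what an HTTP-01 validator would see. It assumes you have placed a file whose content is the token under the webroot at that path on the origin; the domain, token and verdict names are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
MAX_HOPS = 10  # Let's Encrypt follows at most 10 redirects during validation
REDIRECTS = (301, 302, 303, 307, 308)


def fetch_chain(url, max_hops=MAX_HOPS, timeout=10):
    """Walk redirects by hand, recording (status, Location, body) for every hop."""
    hops = []
    for _ in range(max_hops + 1):
        p = urlsplit(url)
        cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        conn = cls(p.netloc, timeout=timeout)
        conn.request("GET", p.path or "/", headers={"User-Agent": "acme-preflight"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        loc = resp.getheader("Location")
        conn.close()
        hops.append((resp.status, loc, body))
        if resp.status not in REDIRECTS or not loc:
            break
        url = loc if "://" in loc else f"{p.scheme}://{p.netloc}{loc}"
    return hops


def evaluate(hops, token):
    """Return a short verdict for the chain an HTTP-01 validator would see."""
    if not hops:
        return "no-response"
    status, loc, body = hops[-1]
    to_https = any(l and l.lower().startswith("https://") for _, l, _ in hops)
    if status in REDIRECTS and loc:
        return "too-many-redirects"           # still redirecting after MAX_HOPS
    if status == 200 and body.strip() == token:
        return "ok-via-https" if to_https else "ok"
    if status == 200:
        return "wrong-body"                   # an interstitial or other page, not the token
    if status == 403:
        return "blocked-403"                  # typically WAF / bot protection at the edge
    if to_https and 520 <= status <= 530:
        return "https-redirect-origin-error"  # edge could not reach or trust the origin over TLS
    return f"http-{status}"


def preflight(domain, token="preflight-token"):
    """Request the test token over plain HTTP, exactly as the validator does (constructed defaults)."""
    return evaluate(fetch_chain(f"http://{domain}{ACME_PATH}{token}"), token)
```

Run `preflight("example.test")` against your own origin after creating the token file; anything other than `ok` or `ok-via-https` points at the edge setting (redirect, WAF rule or SSL mode) that must be adjusted before HestiaCP requests the certificate.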

Well, I sincerely appreciate your response and the link.

When creating the domain in the Hestia panel, I specified Let’s Encrypt, but once I logged in with the user created for the domain, went to the domain, clicked edit, and all the SSL options were disabled. Therefore, I deduced that it couldn’t install any certificates because it’s behind Cloudflare.

In some links (as I mentioned, I’ve read quite a few on the subject) I read that it was necessary to disable something in Cloudflare (I’m saying this from memory, I might be mistaken about the name, something like “bot fight” and something related to Boots (I don’t remember the name)), but I hadn’t seen what you mention in your link, disabling “Always use HTTPS”.

Indeed, I’ve never been a fan of using Cloudflare Origin CA certificates because they’ve always given me problems on my sites, issues with email (SANs, etc.) or similar.

I prefer to use the native options as you mentioned.

I understand that, in the domain, I have to enable SSL and the options “Enable automatic redirection to HTTPS” and “Enable HTTP Strict Transport Security (HSTS).”

I was surprised that they were disabled because when I created the domain I specified that it should use Let’s Encrypt.

Tomorrow (it got very late today, it’s very late at night here) I’ll try it. I’ve had Cloudflare configured for a long time, but if I currently have “Always use HTTPS” enabled, I’ll disable it tomorrow.

Thanks again for your reply and the link.

I tried it today just like you said. First, I tried it with minimal changes in Cloudflare, and it worked perfectly on the first try… strange for me, but it worked flawlessly.
I created a rule in page rules similar to the one you mentioned and disabled HTTPS rewrite, left the DNS entries proxied (in orange), and it generated the certificate on the first try.
Thank you so much!

2 Likes
