
Issue Cloudflare's proxy function and SSL certificates

LionKing

Regular Pleskian
Server operating system version
Ubuntu 22.04.4 LTS
Plesk version and microupdate number
Plesk Obsidian Version 18.0.62 Update #2
Hello.

I wonder if there is a way to get around this. Cloudflare's proxy function for each domain name blocks any automatic SSL certificate renewal, and that means that when we have to update and renew our company's SSL certificates for 30-plus domains it takes oceans of time to do this, because you have to manually disable the proxy function in each domain name's DNS records, such as A, CNAME, etc. It is a very time-consuming and repetitive process, as you can imagine.

We have tested with just setting each domain in "Developer mode" but that doesn't really make a difference.

So with that said: is there a way to get around this issue and actually get the automatic SSL renewal working on CloudFlare, so you do not have to disable the proxy function each time the domains need to be renewed?

Thanks in advance!
Kind regards
 
I have many domains under CloudFlare (proxy), I haven't encountered this issue. I can issue the SSL and automatically renew via Plesk. No issues.
 
I have many domains under CloudFlare (proxy), I haven't encountered this issue. I can issue the SSL and automatically renew via Plesk. No issues.
That sounds odd!
On our CloudFlare account, SSL certificates are not issued at all if we do not disable the proxy on each domain name's proxied DNS records. So we have to do it manually each time we need to do a renewal.

Do you use the Plesk extension "DNS Integration for Cloudflare", perhaps?
Maybe that is why it is working for you @WebHostingAce?

We cannot use that, as we disabled and uninstalled the DNS server that comes with the Plesk package when we installed Plesk, because we do not use it. Instead we use external DNS servers, which of course means that the server is a bit faster because it is not taxed with using resources on the DNS server itself plus all the DNS queries it has to handle.

Kind regards
 
So, anyone here on the Plesk forum that might know the solution to this issue, please?

Thanks in advance..
 
Do you use the Plesk extension "DNS Integration for Cloudflare", perhaps?
No, I do not use this extension.

The process I take is, change the domain's name servers to CloudFlare name servers. Then add the domain to the Plesk.

I can confirm that all my domains' A and CNAME records are proxied. Yet I can issue and renew the SSL without any issue via Plesk.
 
I'm using "Full" in SSL Setting of the CloudFlare.
Same. We are also using that "Full" SSL setting at CloudFlare for all our domain names.

It's quite odd that you have a completely different experience than us. I just have no clue how that can be the case.
 
The process I take is, change the domain's name servers to CloudFlare name servers. Then add the domain to the Plesk.
Same there too for us. But as you already know, we are getting a totally different result (in terms of the renewal process of Let's Encrypt SSL certificates).
 
Well, here is the error generated by Plesk while attempting to generate a "Let's Encrypt" SSL certificate while CloudFlare's proxy DNS is enabled on the domain's A and CNAME records:

1726506882807.png

Note the line saying:
"DNS zone contains an AAAA record, but the domain is not assigned an IPv6 address in Plesk."
But in fact Plesk does not have any DNS installed and there is no AAAA record in CloudFlare's DNS either, so the issue is peculiar.
Also, there is no IPv6 IP address to assign, as the server uses the traditional IPv4 version, which is assigned to the server.

More info:
1726507258058.png

Kind regards
 
Thanks for the reply @Sebahat.hadzhi and your suggestion.

Here is the result;
It does generate a CloudFlare IPv6 server address to our domains/our server:

1726559043183.png

Although, as previously mentioned, we have not set up an AAAA record for our server, nor have we assigned an IPv6 IP for the server.
Thoughts? :rolleyes:

Kind regards
 
It looks like the IPv6 addresses are part of Cloudflare's range. If you use an Enterprise Cloudflare account, you can disable IPv6 from your Cloudflare account > Websites > domain.com > Network > IPv6 Compatibility - OFF. If you are utilizing a free Cloudflare account, I would suggest getting in touch with CloudFlare support for further assistance on how to configure the API:
What else I can suggest is to try the 'Flexible' SSL mode according to the following thread. If you decide to give it a try, please thoroughly test your website afterward to ensure there are no accessibility issues.
 
I found myself in a similar situation with one of my domains.

Regarding the first image you posted, this usually happens to me within a few minutes of adding the domain in the Cloudflare to the Plesk. It typically resolves itself after a short time.

The second image is my concern. Are you using any of the Challenges in the Cloudflare for the domains? You can find more information here: Challenges | Cloudflare Web Application Firewall (WAF) docs

If so, that could be the culprit.
 
Thanks for your reply @WebHostingAce

Regarding the first image you posted, this usually happens to me within a few minutes of adding the domain in the Cloudflare to the Plesk. It typically resolves itself after a short time.
For us it is a recurring issue for all our domains. Even for newly added domains CloudFlare behaves like this.

The second image is my concern. Are you using any of the Challenges in the Cloudflare for the domains? You can find more information here: Challenges | Cloudflare Web Application Firewall (WAF) docs
Yes, we are using CloudFlare only for domain management, so we are using the free plan. We own loads of domains (our company name) for IP reasons, and using one of the paid plans would be too expensive. So we use CloudFlare just for the CDN network, the added server protection and, firstly, to manage the domains themselves.

Thanks for the link, I will check that out.

Kind regards
 
The issue with my domain was, that domain was configured to use Human Verification challenge in CloudFlare.
Can you explain what you had enabled at Cloudflare? I have a free Cloudflare plan so no WAF. I do have some WordPress-specific custom rules set up but that shouldn't affect the HTTP challenge for Let's Encrypt. I do have bot blocking turned on tho (Free version). Where did you have your (managed?) challenge enabled?
 
Domain > Security > Settings > Security Level | This was "I'm under attack!", changed to "Medium"

Also, you should be able to see if the Let's Encrypt bot is being blocked by visiting Security > Events
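
A pre-renewal check for the situation discussed in the posts above, as an added example that is not part of the thread and not Plesk or Cloudflare code: it requests a path under `/.well-known/acme-challenge/` over plain HTTP for each domain and reports whether Cloudflare answered with a challenge page instead of passing the request on. The probe token name is hypothetical, and treating a 404 for a non-existent token as "reachable" is an assumption; the `cf-mitigated: challenge` response header is how Cloudflare marks a challenge response.

```python
#!/usr/bin/env python3
# Added example (not from the thread): pre-renewal check for proxied domains.
import sys
import urllib.error
import urllib.request

# Hypothetical token; any unused name under the ACME challenge directory works.
PROBE_PATH = "/.well-known/acme-challenge/renewal-probe"


def classify(status, headers):
    """Classify one response to the probe path from its status and headers."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    via_cloudflare = h.get("server") == "cloudflare" or "cf-ray" in h
    is_html = "text/html" in h.get("content-type", "")
    # Cloudflare marks challenge pages with "cf-mitigated: challenge".
    if h.get("cf-mitigated") == "challenge":
        return "challenged"
    # Proxied 403/503 HTML without that header: likely a block or rule hit.
    if via_cloudflare and status in (403, 503) and is_html:
        return "blocked"
    # Assumption: 200, or 404 for a token that does not exist, means the
    # request was not intercepted on its way to the origin.
    if status in (200, 404):
        return "reachable"
    return "unknown"


def probe(domain, timeout=10):
    """Fetch the probe path over plain HTTP, where HTTP-01 validation starts."""
    url = "http://" + domain + PROBE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return classify(err.code, dict(err.headers))
    except (urllib.error.URLError, OSError) as err:
        return "error: %s" % err


if __name__ == "__main__":
    # Usage: python3 check_acme_path.py example.com example.org ...
    for name in sys.argv[1:]:
        print("%-40s %s" % (name, probe(name)))
```

A "reachable" result from your own network does not prove the Let's Encrypt validators are treated the same way, so Security > Events in the Cloudflare dashboard remains the authoritative record of what was challenged or blocked.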
 