Question Issue/Renew Let's Encrypt certificate if site is behind cloudflare

[X1X11X]

Server operating system version

Microsoft Windows Server 2016 x86_64

Plesk version and microupdate number

Plesk Obsidian 18.0.51.1

Hi,

I was wondering if there is a better way to issue or renew Let's Encrypt certificates in plesk, if the site is behind cloudflare.
Every time, my Let's Encrypt certificate is expired i have to temporarily pause cloudflare on my site, so that Let's Encrypt is able to resolve my dns records and especially the ACME txt record.

This does not seem like the ideal way of doing this, having to disable cloudflare everytime the cert expires.
The server itself has a Origin cert from Cloudlare, so the Let's Encrypt on is only needed for the mail part.

Best thing would be that the certificate automatially renews itself, which also doesnt work if the site is behind cloudflare.

The way i see it, there are currently 2 options:
1. Perfoming the above steps manually every time a cert expires
2. Don't proxy the domain in the cloudflare DNS

Am I missing something, can this be accomplished somehow?

I'm grateful for any input.

Thanks in advance!

 

[Peter Debik]

One solution could be to replace the cert with a Cloudflare cert on Cloudflare. Another solution could be using the steps described in How to Auto-renew and Issue Plesk Lets Encrypt SSL certificate with Cloudflare DNS – Smart Help Guides

 

[X1X11X]

Hi Peter,

thanks for your quick response!
Regarding the first solution with the cloudflare certificate, do you mean a root certificate?
Because as far as I know, root CAs can't be used to secure mail.
So I wonder how can I get such a cert for plesk, since the client ceritifactes are missing the .crt part

 

[Harun]

One solution could be to replace the cert with a Cloudflare cert on Cloudflare. Another solution could be using the steps described in How to Auto-renew and Issue Plesk Lets Encrypt SSL certificate with Cloudflare DNS – Smart Help Guides

I've tried this and I get an error:

"Non-NS records with that host already exist. (Code: 81055)"

Do I need to remove those? I don't want to botch it by experimenting. Anyone have the steps to do this?

 

[twebhosting]

There is a new, well documented tutorial to explain all steps at Plesk Let's Encrypt Wildcard SSL Certificate Cloudflare DNS

 

[T2121]

There is a new, well documented tutorial to explain all steps at Plesk Let's Encrypt Wildcard SSL Certificate Cloudflare DNS

This isn't a solid solution, the NS record will cause issues in the long term.
You'll get: SSL_ERROR_NO_CYPHER_OVERLAP when you have the CF proxy enabled.

At least that's my conclusion after trying this method.

 

[Harun]

My Let's Encrypt certificates have been renewing just fine since Nov 2023, after installing "DNS Integration for Cloudflare®" Plesk extension and enabling Auto-Sync for 3 domains. I don't recall the setup being too difficult, but it may have taken a little trial and error.

 

[T2121]

My Let's Encrypt certificates have been renewing just fine since Nov 2023, after installing "DNS Integration for Cloudflare®" Plesk extension and enabling Auto-Sync for 3 domains. I don't recall the setup being too difficult, but it may have taken a little trial and error.

I was hoping to avoid this method because I don't want all the records that Plesk generates in Cloudflare.

Do you have the CF proxy enabled for everything except the mail subdomain?

 

[Harun]

I was hoping to avoid this method because I don't want all the records that Plesk generates in Cloudflare.

Do you have the CF proxy enabled for everything except the mail subdomain?

Probably. It has been a while since I set it up.

 

[cpulove]

Have you sorted out, how to setup Letsencrypt with Cloudflare and enabled proxy? I ran into the SSL_ERROR_NO_CYPHER_OVERLAP as you mentioned and did not find a solution so far.
I need the proxies enabled, as I use some domainnames in virtual containers which I host with ipv6 only and cloudflares proxy gives them a vaild ipv4.
A way to solve this would be nice to know!