
Question: Issue/Renew Let's Encrypt certificate if site is behind Cloudflare

X1X11X

New Pleskian
Server operating system version
Microsoft Windows Server 2016 x86_64
Plesk version and microupdate number
Plesk Obsidian 18.0.51.1
Hi,

I was wondering if there is a better way to issue or renew Let's Encrypt certificates in Plesk if the site is behind Cloudflare.
Every time my Let's Encrypt certificate is expired, I have to temporarily pause Cloudflare on my site, so that Let's Encrypt is able to resolve my DNS records and especially the ACME TXT record.

This does not seem like the ideal way of doing this, having to disable Cloudflare every time the cert expires.
The server itself has an Origin cert from Cloudflare, so the Let's Encrypt one is only needed for the mail part.

Best thing would be that the certificate automatically renews itself, which also doesn't work if the site is behind Cloudflare.

The way I see it, there are currently 2 options:
1. Performing the above steps manually every time a cert expires
2. Don't proxy the domain in the Cloudflare DNS

Am I missing something, can this be accomplished somehow?

I'm grateful for any input.

Thanks in advance!
 
Hi Peter,

thanks for your quick response!
Regarding the first solution with the Cloudflare certificate, do you mean a root certificate?
Because as far as I know, root CAs can't be used to secure mail.
So I wonder how I can get such a cert for Plesk, since the client certificates are missing the .crt part.
 
My Let's Encrypt certificates have been renewing just fine since Nov 2023, after installing "DNS Integration for Cloudflare®" Plesk extension and enabling Auto-Sync for 3 domains. I don't recall the setup being too difficult, but it may have taken a little trial and error.
 
I was hoping to avoid this method because I don't want all the records that Plesk generates in Cloudflare.

Do you have the CF proxy enabled for everything except the mail subdomain?
 
Probably. It has been a while since I set it up.
 
Have you sorted out how to set up Let's Encrypt with Cloudflare and the proxy enabled? I ran into the SSL_ERROR_NO_CYPHER_OVERLAP as you mentioned and did not find a solution so far.
I need the proxies enabled, as I use some domain names in virtual containers which I host with IPv6 only, and Cloudflare's proxy gives them a valid IPv4.
A way to solve this would be nice to know!
 