Changes between Version 24 and Version 25 of faq/security/setup-certificate

Mar 13, 2019, 11:45:56 AM (3 years ago)
Chris Thompson

Add section on using CloudFlare


  • faq/security/setup-certificate

    v24 v25  
    2828Our control panel is integrated with a free services called [ Let's Encrypt]. They provide automated 3 month certificates free of charge. We have a regular scheduled job that will automatically renew your certificates every three months to ensure they are kept up to date.
     30== Using https with CloudFlare ==
     32Some members have elected to use CloudFlare - a content distribution network/caching system - with their web sites, and have shared their experience using it here. Current CloudFlare documentation should always be referenced before making changes you do not understand. We can not directly support CloudFlare, but you may find these instructions to be helpful when using it in combination with the automatic https offered by the control panel. This is due to how these services may conflict with each other: LetsEncrypt attempts to issue updated certificates using a method called the "webroot" authentication method. This method places a specially named file in the `.well-known` folder in the root of your web site. Then the LetsEncrypt service looks for this file on your server (to validate the certificate request is legitimate), however CloudFlare may respond to request inaccurately, preventing certificate renewal from occurring. Adjusting configuration on CloudFlare to specifically prevent the service from interfering with or modifying these verification responses can corrrect this situation:
     34 * Log into your CloudFlare account and go to the Page Rules settings for your domain.
     35 * Add a page rule, ahead of any possible redirects (i.e. potentially just make this the very first rule).
     36 * Configure the rule as necessary. The important part, is that it ignores any requests for the `.well-known/` folder. For example: `**` for the URL, and the settings set the "Cache level" set to "Bypass".
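Review bot: The example in the last added list item (v25 line 36) gives `**` as the rule URL, which does not limit the rule to the `.well-known/` folder that the same sentence says is the important part. As shown, the pattern would apply "Cache level: Bypass" to everything it matches. Suggest spelling out a pattern that contains the `.well-known/` path, with a clearly marked placeholder for the member's domain. The same item says to place the rule "ahead of any possible redirects", but the only setting listed is the cache level, so it would help to add a sentence on what, if anything, the member needs to do about redirect rules that also match this path. Wording nits in the added text: "corrrect" in the paragraph at line 32, "respond to request inaccurately" (missing "the"), the doubled "set" in "the settings set the "Cache level" set to", and "LetsEncrypt" here versus "Let's Encrypt" in the unchanged line 28 above.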