Changes between Version 24 and Version 25 of faq/security/setup-certificate


Timestamp:
Mar 13, 2019, 3:45:56 PM (5 years ago)
Author:
Chris Thompson
Comment:

Add section on using CloudFlare

  • faq/security/setup-certificate

    v24 v25  
    2727
    2828Our control panel is integrated with a free services called [https://letsencrypt.org/ Let's Encrypt]. They provide automated 3 month certificates free of charge. We have a regular scheduled job that will automatically renew your certificates every three months to ensure they are kept up to date.
     29
     30== Using https with CloudFlare ==
     31
     32Some members have elected to use CloudFlare - a content distribution network/caching system - with their web sites, and have shared their experience using it here. Current CloudFlare documentation should always be referenced before making changes you do not understand. We can not directly support CloudFlare, but you may find these instructions to be helpful when using it in combination with the automatic https offered by the control panel. This is due to how these services may conflict with each other: LetsEncrypt attempts to issue updated certificates using a method called the "webroot" authentication method. This method places a specially named file in the `.well-known` folder in the root of your web site. Then the LetsEncrypt service looks for this file on your server (to validate the certificate request is legitimate), however CloudFlare may respond to request inaccurately, preventing certificate renewal from occurring. Adjusting configuration on CloudFlare to specifically prevent the service from interfering with or modifying these verification responses can corrrect this situation:
     33
     34 * Log into your CloudFlare account and go to the Page Rules settings for your domain.
     35 * Add a page rule, ahead of any possible redirects (i.e. potentially just make this the very first rule).
     36 * Configure the rule as necessary. The important part, is that it ignores any requests for the `.well-known/` folder. For example: `*.workingdirectory.net/.well-known/*` for the URL, and the settings set the "Cache level" set to "Bypass".
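Review bot: The example page-rule URL `*.workingdirectory.net/.well-known/*` in the last bullet matches only subdomains, so a site served at the apex `workingdirectory.net` would still have its challenge requests handled by CloudFlare's normal caching; either add a second rule for the apex or use a pattern without the leading dot, e.g. `*workingdirectory.net/.well-known/*`, which covers both. The bullet should also say explicitly that no redirect rule may match this path (the paragraph above only implies it with "ahead of any possible redirects"), since a redirected challenge fails the same way a cached one does. Minor wording in the new paragraph: "a free services called" should be "a free service called", "respond to request inaccurately" should be "respond to requests inaccurately", and "corrrect" should be "correct".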