LE SSL still needs to be enabled after adding the website to cloudfare?

Hi
I have been running LE SSL in ispconfig for my site.

I just added my site to cloudflare, and changed dns to them.

should I disable LE SSL in ispconfig setting for the site? As i understand the website IP will be change tod cloudflare IP.

Thanks

 

So the domain is now managed by cloudflare? But you still use the webspace hosted by your ISPConfig installation for the domain?

Then you don't change the DNS A Record at all, you just keep it poiting to the IP of you ISPConfig server. However be aware that if you use the Cloudflare Proxy Option you may need to disable it and set it to DNS Only for ISPConfig to be able to successfully obtain a SSL certificate. I don't know if that's still the case but more information can be found here:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

 

My site is serving global users, and I am using cloudflare. I have different websites, some using CF name server, some not and using CNAME with CF for proxy.

Case 1: using NS from CF

Case 2: using CNAME with CF for proxy
Since cdoudflare does not work in China, www.mydomain.com has 2 DNS records www > server IP (if user from China) & www > cloudflare (if user not from China),

when cloudflare proxy enabled, the site IP will be changed to CF. In this case, Can Ispconfig LE SSL auto renewal still work? Will LE check the IP and see that is CF and fail to renew SSL? A bit confusing to me here...

thanks for the advise.

 

but I still need the LE SSL for the china user who will not access via CF. Is there a way to make the ispconfig LE SSL renewal wroking in such case?

 

Thanks for the sharing.
I google and found someone said this works with ISPconfig. Wildcard certificate from Let’s Encrypt with CloudFlare DNS
https://www.bjornjohansen.com/wildcard-certificate-letsencrypt-cloudflare

Do I just follow all the steps inside?

 

1. my domain IP is pointing to cloudflare. I am not sure if ispconfig LE auto renew will still work with HTTP Challenge. ISPConfig uses http auth only for Let's encrypt. so does it matter if website proxy via CF or not? is there a way to test it?

2. If not , I need to manually update it.
I have manually created the LE cert by running below:
sudo certbot certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -mydomain -d *.mydomain

How to manually renew OLD LE SSL CERT that was auto created by ispconfig LE setting checkbox? I got all the certs files, but don't know where to update.

should I uncheck the LE SSL setting in ispconfig?

3. I can not use CF API for LE renewal as well because my domain is not using CF DNS server, my domain IP just pointing to CF custom domain setup.


thanks

 

I did a manually renew test for a domain that is point to CF, and it works by selecting 1: Obtain certificates using a DNS TXT record.
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/m.mysite.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/m.mysite.com/privkey.pem

But compared to previous LE key created by ispconfig, the path and key files name are different. why? how to apply new cert?

VHOST FILE
server {
listen *:80;
listen [::]:80;
listen *:443 ssl http2;
ssl_protocols TLSv1.2;
listen [::]:443 ssl http2;
ssl_certificate /var/www/clients/client0/web101/ssl/m.mysite-le.crt;
ssl_certificate_key /var/www/clients/client0/web101/ssl/m.mysite-le.key;


certbot certonly -d m.mysite.com
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using Cloudflare for
DNS). (dns-cloudflare)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/m.mysite.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for m.mysite.com

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/m.mysite.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/m.mysite.com/privkey.pem
This certificate expires on 2024-07-31.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

 

So far, this is still valid.

 

thanks for the replies. I hate manual LE SSL renewal, and love ispconfig auto renewal. I am trying to work out the steps (if possible) to keep ispconfig LE SSL auto renewal working for domains that are proxy enabed in cloudflare.

So far my understanding of the flow is:
1. disable proxy in CF domain DNS setting so that domain IP is from original server
2. Ispconfig auto renew the domains (the problem is different domains have different expired date, and how can I control ispconfig to renew certain domains during the CF proxy disabled period? except manual creating new cert)
3. enable back proxy in CF domain DNS setting

By the way, is ispconfig using 3: Place files in webroot directory (webroot) to renew cert?

I tried selecting 3 to test for a domain having proxy enabled in CF, cetbot can still get the cert. I wonder CF proxy domain really stops ispconfig from auto LE SSL renewal? anyone has any experince about it?

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using Cloudflare for
DNS). (dns-cloudflare)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3

 

You could use Cloudflares API to set DNS Records for all Domains that are managed by Cloudflare. The acme.sh has a option to use this API to automatically set DNS records that are needed to generate a new certificate. That way it is much easier to automate the whole process.

See:
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
https://developers.cloudflare.com/api/

 

----------------------------------------------------------------------------
I underdtand that, but my use case is a bit complicated.
m.mysite.com has 2 CNAME DNS records:
m CNAME Cloudflare-custom-domain (when visitor not from China, this route) CF SSL
m CNAME original server IP (when visitor from China, this route because cloudflare is very slow in China) LE SSL

that is why I need a true LE SSL for China users.

 

As I known, ispconfig not yet support such way for auto LE cert renewal. can only be done manually.

 

You have a very speical requirements. So you only have two options right now:

-> Go the manual route and renew the ceriticates by disabling Cloudflare Proxy and use ISPConfigs build in function to request them, then reeanble the proxy function
-> Build your own automated solution for this case with some shell scripting and cron jobs with the docs i provided

 

So far my understanding of the flow is:
1. disable proxy in CF domain DNS setting so that domain IP is from original server
2. Ispconfig > uncheck LE checkbox of the website, save, check LE checkbox of the website.
3. enable back proxy in CF domain DNS setting

there will be downtime when doing step 2, right?

 

Not really. Don't know about chaning the Cloudflare proxy setting.