Browser cannot resolve Let's Encrypt authenticated domain name hosted on Cloudflare

I am trying to authenticate my domain name with certbot, but I find that it is authenticated with Google Trust Services when I look it up in a web browser.

  • The domain name is hosted by Cloudflare. I tried to set the status of my records to "DNS Only", but the domain names could not be resolved.
  • I disabled Universal SSL; the browser returns an "unsecure website" error, so it seems like the Let's Encrypt certificates are never used.

After certificate generation, my nginx default file had been modified with the certificate location and the HTTP port switched to 443 from the default 80, and I could not resolve the domain until I added the following (default server on port 80):

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        index index.html; # index.htm index.nginx-debian.html;

        server_name sofianehamam.com www.sofianehamam.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

Port 80 is the default for HTTP.
I don't know if I need to purchase the advanced certificate manager to configure custom certificates.

I am trying to establish a secure link between the server and other clients, and I need more control over the certificate files. I can't rely on a browser or any other authority; I need the server to use my own custom certificates.

My domain is: sofianehamam.com

I ran these commands to install certbot: Certbot Instructions | Certbot

My web server is (include version): nginx/1.26.0 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 24.10

My hosting provider, if applicable, is: CloudFlare

I can login to a root shell on my machine (yes or no, or I don't know): yes via ssh

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is: certbot 3.0.1

I'm not sure what the exact relationship between your issue and Let's Encrypt is, but as you're using Cloudflare, perhaps using their Origin CA certificate is a good idea?

2 Likes

Can you explain more about that?

Because when you proxy your domain at Cloudflare clients will connect to the Cloudflare Edge first. And, Cloudflare currently uses a Google cert at its edge.

Its Edge then contacts your Origin Server based on its SSL Encryption Modes. As Osiris pointed out maybe just use their Origin CA cert for your Origin.

Or, are you trying to connect directly to your Origin Server without proxying at Cloudflare? Currently you are proxied so not sure what you need help with. I see your home page just fine by the way.

3 Likes

Thanks @MikeMcQ and @Osiris
Now that you mention that, I discover that my understanding of Cloudflare is flawed. I thought the whole communication is secure, but it turns out that with my current Cloudflare config, client - Cloudflare is encrypted, and not Cloudflare - origin; I thought the whole communication is encrypted. So Let's Encrypt on the server side is not used.

Second, there are overall 3 types of certificates: client certificates, edge certificates and server certificates. What I needed were custom client certificates (for zero trust APIs), signed with a Cloudflare CA; this encrypts communication between my client and Cloudflare.

So this is not a Let's Encrypt problem.

1 Like

It depends on your Cloudflare setting. With Full and Full (strict), the connection between CF and the origin server is also encrypted.

1 Like

It depends on what you want to achieve:

If you want Cloudflare to proxy your site (because you want protection or optimization), then set DNS records to "proxy on", then either use HTTP-01 or DNS-01 (with Cloudflare DNS plugin) validation method to get a Let's Encrypt certificate, or (easier) just generate an "Origin CA certificate" and put it into nginx config. It'll be valid for up to 30 years, but recognized only by Cloudflare Edge for the purpose of end-to-end trust.

Disabling "Universal SSL" will prevent Cloudflare from getting this automatically obtained certificate, and unless it has another source of certificate (e.g. Advanced or Custom), you won't be able to proxy HTTPS traffic.

If you want to use Cloudflare just as a DNS server, then set DNS records to "DNS only", and you may use any of the ACME methods: HTTP-01, DNS-01 (with Cloudflare DNS plugin), TLS-ALPN-01.

Sidenote: it seems that the www.sofianehamam.com DNS record is missing. While not a problem in itself, the certificate request will fail if you try to include that name in the order (with the HTTP-01 or TLS-ALPN-01 methods). You could get it successfully with DNS-01, but its usefulness will be limited without an actual record.

2 Likes
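The two replies above (the Origin CA certificate for a proxied site, and Full / Full (strict) being the modes in which the edge-to-origin leg is actually encrypted) can be put together in one nginx configuration. The following is an added example written for this thread, not the original poster's file and not Cloudflare's or Let's Encrypt's own configuration; the certificate paths and the document root are assumed placeholders, and the ACME challenge location is only needed if you choose the Let's Encrypt HTTP-01 route instead of an Origin CA certificate.

```nginx
# Added example, not from the thread, from Cloudflare or from certbot.
# Assumed placeholders: /etc/ssl/cloudflare/origin.pem and origin.key
# are wherever you store the Origin CA certificate and its private key;
# /var/www/html is the assumed document root.

# Keep port 80 answering. Without a default_server here, plain HTTP
# requests (and HTTP-01 challenges, if you use Let's Encrypt instead)
# have nowhere to go, which is the symptom described at the top of the
# thread. Everything except ACME challenges is redirected to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name sofianehamam.com www.sofianehamam.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html;   # assumed webroot for HTTP-01 challenges
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 serves the Origin CA certificate. Only the Cloudflare edge
# trusts this certificate, so it is meant for the proxied ("proxy on")
# setup with the encryption mode set to Full or Full (strict). A browser
# connecting directly to the origin (proxy off / "DNS only") will warn,
# because no public CA has signed it.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name sofianehamam.com www.sofianehamam.com;

    ssl_certificate     /etc/ssl/cloudflare/origin.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    root  /var/www/html;   # assumed document root
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Validate and reload with `nginx -t && systemctl reload nginx`, then set the Cloudflare SSL/TLS encryption mode to Full (strict). In Flexible mode the edge fetches from the origin over plain HTTP, so the certificate on port 443 is never used, which is exactly the "Let's Encrypt on the server side is not used" observation earlier in the thread; Full (strict) additionally rejects an origin certificate that the edge cannot validate, so a self-signed or expired one fails closed rather than silently falling back.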

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.