CloudFlare CDN and Heroku ACM (or similar)

Domain: tibit.com / api.tibit.com
My hosting provider: Heroku w/ CloudFlare

Greetings.

I read in multiple topics here that using LE for the Origin-CloudFlare ‘encryption-leg’ isn’t a problem, but other places (including seemingly Heroku https://kb.heroku.com/how-can-i-use-automated-certificate-management-with-cloudflare) contradict that.

Which seems to somewhat make sense, but I would appreciate some help and a bit better technical understanding.

As I understand it, if the DNS is pointing to CloudFlare (CDN turned on for A record, site not Paused) then the CloudFlare SSL cert will be used for the CloudFlare-Client ‘encryption-leg’, but we still need a cert installed on Heroku.

Is it a solvable problem (and something that Heroku have just not bothered to implement) that for Heroku, ‘ACM provisioning process involves performing a DNS verification step with Let’s Encrypt’ and so (I assume) Heroku ACM LE certificate renewal will fail after turning on CloudFlare?

I get the impression that there are other mechanisms that can be used to pass the LE checks?

Is the situation largely the same for ‘typical’ (cPanel) webhosts - will automatic LE cert issuance also fail there if the DNS is being pointed at CF?

I’m so in love with LE auto-certificate issuing and renewal, it’s going to be painful to go back to manual installation of CF ‘origin certificates’ or self-signed certs, or whatever… Is there an easy way (think startup with limited resource for learning yet more technical-complexities) to get the benefits of LE auto-cert-issuance-and-renewal when using a cloud hosting origin behind a DNS-pointed reverse-proxy?

Googling makes it clear I’m not the only one with some confusion and uncertainty around this - it would be good to have a decent write-up on the issue and what it actually means for users. While that may ideally fall to each cloud hosting provider, there are generalities and context that might best come from LE and experts in the different ways LE certs can be managed automatically when DNS is not pointing at the certificate install target…

Let’s Encrypt needs to verify your control over the domain before it can issue you a certificate for it. It can do this in three possible ways. It seems that Heroku only implemented one of those, TLS-SNI-01, which works by issuing temporary certificates with special names. This is indeed not compatible with running behind a proxy like Cloudflare that terminates the TLS connection itself rather than passing it through directly to your server. The other methods, HTTP-01 and DNS-01, both work fine behind Cloudflare, but I guess Heroku didn’t implement them. If you use a different client that does support those methods (most do support at least one, though I have no idea about cPanel in particular), you should be fine.


For what it's worth, Cloudflare Origin certificates can include wildcards, and can be valid for up to 15 years.

(And since it's all under Cloudflare's control, revocation is actually reliable!)

You still have to suffer issuing and configuring the certificate, but not ongoing renewals.

Yeah, I found a bunch of these (and similar) but they all assume locally-administered servers - there’s a real lack of information to help people understand the implications of LE certs when using Cloudflare when using a ‘locked down’ cloud hosting service.

I appreciate it’s complex, and varies a lot according to the hosting provider, but there are some major hosting services and config-platforms (like Heroku and cPanel) that it’s hard to get specifics about. And trial-and-error is painful when it comes to DNS config for non-DNS-experts.

I think (per mnordhoff) the way to go (with much regret) is to abandon Let’s Encrypt and go with CF Origin Certs.

Maybe we should write up a broader introduction to Let’s Encrypt that talks about who would be responsible for what in various kinds of hosting models. I agree that our existing introductory material is a bit specific to the things that we’re best-equipped to support with clients like Certbot—primarily VPS and dedicated servers, without a CDN or load balancing.

why not figure it out and write a guide?

sorry to be blunt but if you make certain design choices then that’s up to you - expecting there to be guides to cover every possible situation is a bit unrealistic

most of the guides people use are written by people figuring things out and sharing (but someone has to try)

I don’t have the budget to go and setup test servers etc but am happy to help you figure things out if you need it

if you can install an origin cert from cloudflare you should definitely be able to get a Let’s Encrypt cert

Andrei

Heroku ACM use hinges on the use of Heroku DNS (it's the way they wrote the client)

You can use the Heroku CLI to install 3rd party certificates.

So the process should be something like

A) A laptop with certbot and a CloudFlare API key
B) Heroku CLI
C) Certbot renews the certs and runs a Heroku CLI command to install the Let's Encrypt cert

Not ideal but that's the way things are

You can also look at a nodejs application to do this as well

Andrei
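The A/B/C process above, written out as a certbot deploy hook. This is an added example and not code from any poster, Heroku or Let's Encrypt; it assumes certbot with the dns-cloudflare plugin and an already-authenticated Heroku CLI on the laptop, an app name passed via the HEROKU_APP environment variable, and a script path of /usr/local/bin/heroku-deploy-hook.sh.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not from any poster): after certbot
# renews the Let's Encrypt cert on the laptop, push it to the Heroku app.
# Assumed setup (DNS-01 via the Cloudflare API, so it works behind the CDN):
#   certbot certonly --dns-cloudflare \
#     --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
#     -d api.tibit.com --deploy-hook /usr/local/bin/heroku-deploy-hook.sh
#   (cloudflare.ini holds `dns_cloudflare_api_token = ...`, mode 0600)
# Certbot exports RENEWED_LINEAGE (the live/<name> directory) to the hook.
# The Heroku CLI must already be authenticated (heroku login / HEROKU_API_KEY).
set -eu

HEROKU_APP="${HEROKU_APP:-example-heroku-app}"   # assumption: app name from env

cert_path() { printf '%s/fullchain.pem' "$1"; }  # leaf cert plus chain
key_path()  { printf '%s/privkey.pem'   "$1"; }  # private key for that cert

# Install the renewed cert on the app. Tries certs:update first (the normal
# renewal case) and falls back to certs:add for a first-time install.
install_cert() {
  lineage="$1"; app="$2"
  crt=$(cert_path "$lineage"); key=$(key_path "$lineage")
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "deploy hook: missing $crt or $key" >&2
    return 1
  fi
  # --confirm skips the interactive prompt; check `heroku certs:update --help`
  # for the exact flags of the CLI version you have installed.
  if heroku certs:update "$crt" "$key" -a "$app" --confirm "$app"; then
    echo "deploy hook: updated certificate on $app"
  else
    heroku certs:add "$crt" "$key" -a "$app"
    echo "deploy hook: added certificate to $app"
  fi
}

# Run only when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_cert "$RENEWED_LINEAGE" "$HEROKU_APP"
fi
```

Because the upload is triggered by certbot's own renewal, the cert on Heroku stays in step with what Let's Encrypt issues, and the private key never has to be pasted into a dashboard.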
