Cloudflare & Wildcard ACMEv2 Certificates - Compatible?


#1

I’ve been waiting for wildcard support to replace my current paid Cloudflare cert. However, it seems they are requiring LetsEncrypt certs to not use ACME? How is this affected by the upcoming release? See


ACMEv2 and Wildcard Launch Delay
#2

Also, does this affect HTTP Strict Transport Security (HSTS), which has a default of 6-month expiration?


#3

Hi,

HSTS is only affected if the SSL is invalid.
(You’ll be fine if you keep the SSL endpoint valid.)

Thank you


#4

Hi @lingber,

I suppose you are using the $5 Dedicated SSL Certificate option or the $10 Dedicated SSL Certificate with Custom Hostnames option, offered and managed by Cloudflare. These paid certs are available on all plans, BUT you could use a Let’s Encrypt certificate only if you are using a Business Plan ($200/month per domain) or above, so keep this in mind.

Sorry, I don’t understand it. The link you provide is just a doc to issue a cert using the http-01 challenge when you are using a Cloudflare SSL cert. This is because there is (indeed, was) another type of challenge, tls-sni-01, that is incompatible when Cloudflare is terminating the TLS connection. But don’t worry about it: the tls-sni-01 challenge has been disabled due to security issues. And don’t worry about the http-01 challenge either, because you can’t use it to get a wildcard certificate issued by Let’s Encrypt; the challenge used to validate the domain must be the dns-01 challenge.

The HSTS header only tells a browser that your site should be accessed via https instead of http during a defined time frame. It could affect your site if, for some reason, you are not serving it using https; then users could not access your site, because they must use https to access it (until the time frame expires, of course).

Cheers,
sahsanu


#5

The problem described there is not related to the use of ACME or ACMEv2.

As a note, the default method used for ACME authentication by the Let’s Encrypt client utilizes the DVSNI method.

The TLS-SNI-01 method (Let’s Encrypt’s implementation of the DVSNI technology) was phased out for all new certificates last month due to a security problem. It is no longer the default or even an option for new certificates. When it was available, it caused a lot of trouble for CloudFlare users because, as CloudFlare notes in this article, it wasn’t compatible with CloudFlare.

Let’s Encrypt has always offered two other validation methods, called DNS-01 and HTTP-01. These methods have worked with CloudFlare before, and they still do. When you use these other methods, you’re still using ACME to obtain your certificate.

None of these things will be changed by ACMEv2 or wildcard support.

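The two posts above describe which challenge survives a TLS-terminating proxy and why a wildcard name forces dns-01. The following is an added example, not code from this thread, from Let’s Encrypt or from Cloudflare: it computes, for a given challenge token and ACME account key, exactly what http-01 asks you to serve and what dns-01 asks you to publish (RFC 8555 key authorization, RFC 7638 key thumbprint). The account key and token are constructed placeholders, and `allowed_challenges` encodes only the Let’s Encrypt policy stated in the thread (wildcards are dns-01 only, tls-sni-01 is gone).

```python
"""ACME (RFC 8555) challenge values for http-01 and dns-01.

Added example, not Let's Encrypt or Cloudflare code: it shows what each
challenge asks you to publish, why http-01 and dns-01 survive a TLS-terminating
proxy while tls-sni-01 could not, and why a wildcard name is dns-01 only.
"""
from __future__ import annotations

import base64
import hashlib
import json

# Constructed sample ACME account key in JWK form (placeholder coordinates, not a
# usable key).  "kid" is an optional member and must not affect the thumbprint.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate",
    "y": "placeholder-y-coordinate",
    "kid": "acct-123",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required*
    public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to *your* account key, so an
    attacker who observes the token cannot complete the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """http-01: the CA fetches this URL over plain HTTP on port 80 and expects the
    key authorization as the body.  A proxy in front of the origin just forwards
    the request, which is why http-01 keeps working behind Cloudflare."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_value(token: str, account_jwk: dict) -> str:
    """dns-01 TXT record content: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """dns-01: the record name drops the wildcard label, so '*.example.com' and
    'example.com' are both validated at _acme-challenge.example.com (one TXT
    record per authorization).  The lookup never touches the web server, so a
    TLS-terminating proxy is irrelevant."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return (f"_acme-challenge.{base}", dns01_value(token, account_jwk))


def allowed_challenges(identifier: str) -> list[str]:
    """Challenge types Let's Encrypt offers for an identifier, as the thread
    describes: wildcard names are dns-01 only, and tls-sni-01 no longer exists."""
    return ["dns-01"] if identifier.startswith("*.") else ["http-01", "dns-01"]


def verify_dns01(txt_value: str, token: str, account_jwk: dict) -> bool:
    """The CA side: recompute the expected value and compare."""
    return txt_value == dns01_value(token, account_jwk)


if __name__ == "__main__":
    for name in ("example.com", "*.example.com"):
        print(f"{name}: {allowed_challenges(name)}")
    url, body = http01_resource("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"http-01: serve {body!r} at {url}")
    rr_name, rr_value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"dns-01:  {rr_name} TXT {rr_value}")
```

Two practical consequences follow from the code: the TXT value depends on your account key, so a DNS API credential (the thing a Cloudflare dns-01 hook needs) is only useful to an attacker together with your ACME account key; and because the wildcard and the bare name share the same `_acme-challenge` label, a client must be able to add two TXT records there at once when it requests both in one order.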

#6

Thanks for your reply (as well as thanks for the other replies).

Yes, I am using the $5/month for Dedicated SSL Certificate with a free account. So, unfortunately, it seems I will not be able to take advantage of the upcoming LetsEncrypt release.

Lester


#7

It is possible for a certbot or acme.sh deploy script to upload a certificate via CloudFlare’s API. But most people who would use Let’s Encrypt are happy with the free SSL certificates provided by CloudFlare, so it seems nobody has bothered to write such a script yet. Perhaps when wildcard support is generally available somebody will be more interested in coding that up. :wink:

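The deploy script the post above imagines, as an added example rather than anything from certbot, acme.sh or Cloudflare: a certbot deploy hook that pushes the renewed chain and key to Cloudflare’s custom certificate endpoint (`POST /zones/{zone_id}/custom_certificates`). Assumptions: the zone is on a plan that accepts custom certificates (Business or above, as the next post notes), `CF_API_TOKEN` is a scoped API token with SSL and Certificates edit rights for that zone, `CF_ZONE_ID` is the zone identifier, and the script runs via `certbot renew --deploy-hook`, which sets `RENEWED_LINEAGE`. The PEM strings are constructed placeholders so the helpers can be exercised offline.

```python
"""Deploy hook that uploads a freshly issued certificate to Cloudflare as a
custom certificate (POST /zones/{zone_id}/custom_certificates).

Added example, not a certbot, acme.sh or Cloudflare-supplied script.
Assumed environment: CF_ZONE_ID, CF_API_TOKEN (scoped token, not the global
API key) and certbot's RENEWED_LINEAGE from `certbot renew --deploy-hook`.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Constructed placeholders, not a real certificate or key.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"


def looks_like_pem_pair(cert_pem: str, key_pem: str) -> bool:
    """Cheap guard before the private key leaves the host: reject a swapped or
    truncated pair rather than handing Cloudflare the wrong file."""
    cert_ok = "-----BEGIN CERTIFICATE-----" in cert_pem and "-----END CERTIFICATE-----" in cert_pem
    key_ok = "PRIVATE KEY-----" in key_pem and "BEGIN CERTIFICATE" not in key_pem
    return cert_ok and key_ok


def build_upload_payload(cert_pem: str, key_pem: str) -> dict:
    """Body of the custom-certificate call.  'ubiquitous' lets Cloudflare pick the
    chain with the broadest client compatibility."""
    return {"certificate": cert_pem, "private_key": key_pem, "bundle_method": "ubiquitous"}


def build_upload_request(zone_id: str, api_token: str, cert_pem: str, key_pem: str) -> urllib.request.Request:
    """Authenticated request object; bearer auth with a scoped token."""
    return urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/custom_certificates",
        data=json.dumps(build_upload_payload(cert_pem, key_pem)).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )


def upload_certificate(zone_id: str, api_token: str, cert_pem: str, key_pem: str) -> dict:
    """Perform the upload and return Cloudflare's 'result' object.  The API wraps
    every reply in {success, errors, messages, result}; a rejected upload (for
    example a plan without custom SSL) is a 4xx with success=false, and the JSON
    envelope is still in the error body."""
    req = build_upload_request(zone_id, api_token, cert_pem, key_pem)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            reply = json.load(resp)
    except urllib.error.HTTPError as err:
        reply = json.load(err)
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare rejected the certificate: {reply.get('errors')}")
    return reply["result"]


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")  # e.g. /etc/letsencrypt/live/example.com
    if not lineage:
        print("RENEWED_LINEAGE is unset; run this as a certbot deploy hook", file=sys.stderr)
        return 2
    with open(os.path.join(lineage, "fullchain.pem"), encoding="ascii") as f:
        cert_pem = f.read()
    with open(os.path.join(lineage, "privkey.pem"), encoding="ascii") as f:
        key_pem = f.read()
    if not looks_like_pem_pair(cert_pem, key_pem):
        print("refusing to upload: files do not look like a cert/key pair", file=sys.stderr)
        return 1
    result = upload_certificate(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], cert_pem, key_pem)
    print(f"uploaded custom certificate {result.get('id')} (expires {result.get('expires_on')})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner would weigh before wiring this up: the private key is handed to a third party’s edge (Cloudflare terminates TLS with it, which is the whole point), so treat the API token with the same care as the key itself and scope it to this one zone; and this is the custom-certificate feature, not the $5 Dedicated SSL product discussed earlier, so on a plan without custom SSL the call simply fails with `success: false`.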

#8

This is really limited, since only the “business” and above plans can upload an SSL certificate to Cloudflare…


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.