After activating this, everything worked as expected with certbot renew --dry-run.
The command I used to get the certs was: certbot certonly --rsa-key-size 4096 --webroot --webroot-path /var/www/example.com --renew-by-default --email my@email.adress --text --agree-tos -d example.com
Hope this gets into some documentation or something, it’s so simple, yet kinda hard to find if you’re fumbling in the dark.
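The webroot command above only succeeds if the CA can fetch http://example.com/.well-known/acme-challenge/<token> from the origin, which is exactly what fails behind a proxy that blocks, rewrites or redirects that path. The following pre-flight probe is an added example, not code from the original post or from certbot: it writes its own random token into the webroot's challenge directory, fetches it over HTTP the way the CA would, and reports what came back. The local `serve_directory` stand-in and `run_local_demo` exist only so the check can be exercised offline; in real use you would pass your public URL and webroot path.

```python
"""Pre-flight check for certbot's webroot (HTTP-01) challenge path.

Added example: writes a random token under <webroot>/.well-known/acme-challenge/,
requests it at <base_url>/.well-known/acme-challenge/<token>, and reports
whether the body that comes back is the token we wrote.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe_token(webroot):
    """Create a random token file in the webroot's challenge directory."""
    token = secrets.token_urlsafe(16)
    challenge_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def probe_challenge(base_url, webroot, timeout=5):
    """Return (ok, detail). ok is True only when the body served at
    base_url/.well-known/acme-challenge/<token> equals the token we wrote."""
    token, path = write_probe_token(webroot)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            server = resp.headers.get("Server", "")
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except urllib.error.URLError as exc:
        return False, f"could not connect to {url}: {exc.reason}"
    finally:
        os.remove(path)  # never leave probe files behind in the webroot
    if body != token:
        # A proxy answered with something else (block page, redirect target, ...)
        return False, f"unexpected body for {url}: {body[:60]!r}"
    return True, f"challenge path reachable (Server header: {server or 'n/a'})"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler without per-request logging (stand-in origin)."""
    def log_message(self, *args):
        pass


def serve_directory(directory):
    """Start a local HTTP server on a random port serving `directory`;
    this is a constructed stand-in for the real origin so the probe runs offline."""
    handler = functools.partial(_QuietHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def run_local_demo(mismatched_webroot=False):
    """Probe a throwaway local origin. With mismatched_webroot=True the token
    is written to a directory the server does not serve, so expect HTTP 404."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        httpd, url = serve_directory(served)
        try:
            return probe_challenge(url, other if mismatched_webroot else served)
        finally:
            httpd.shutdown()
            httpd.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: probe.py http://example.com /var/www/example.com
        ok, detail = probe_challenge(sys.argv[1], sys.argv[2])
    else:                    # demo against the constructed local origin
        ok, detail = run_local_demo()
    print("OK" if ok else "FAIL", detail)
```

Run it with your public URL and the same `--webroot-path` you give certbot; a 404 means the path is served from a different directory than you think, a connection failure or a body that is not your token means something in front of the origin is answering instead of it. `urlopen` follows redirects, so a proxy that redirects HTTP to HTTPS still passes as long as the final response carries the token.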
I’m glad you got it working, but most people’s CloudFlare setup hasn’t needed this so far (we’ve probably had two or three dozen previous users get CloudFlare certs who have talked about it here on the forum).
It appears from CloudFlare’s documentation that this is necessary when a user has chosen to use this option on the origin server by following the instructions at
Otherwise, it should not be necessary in general.
Also, if you’re entirely behind CloudFlare you often don’t need a Let’s Encrypt certificate at all because you can use CloudFlare’s origin CA to get a server certificate that the CloudFlare CDN will accept when connecting to your origin.
Thanks Seth, though when Googling for “Cloudflare Let’s Encrypt Webroot” or “urn:acme:error:connection :: The server could not connect to the client to verify the domain” (which was the case for me) that isn’t the first answer that comes up.
I really think you should consider documenting it; even if, as you say, it should not be necessary, it was in my case.
Some documentation for LE working with Cloudflare in general would be appreciated.