Cloudflare with Webroot (working solution)

Hi guys,

I just spent the last 2 hours trying to get Let’s Encrypt to work behind Cloudflare.

The easy and kind of obvious answer (once you actually find it) is: you have to activate Authicented Orgin Pull:

After activating this, everything worked as expected with certbot renew --dry-run.

The command I used to get the certs was: certbot certonly --rsa-key-size 4096 --webroot --webroot-path /var/www/ --renew-by-default --email my@email.adress --text --agree-tos -d

Hope this gets into some documentation or something, it’s so simple, yet kinda hard to find if your fumbling in the dark.

1 Like

Hi @enoch85,

I’m glad you got it working, but most people’s CloudFlare setup hasn’t needed this so far (we’ve probably had two or three dozen previous users get CloudFlare certs who have talked about it here on the forum).

It appears from CloudFlare’s documentation that this is necessary when a user has chosen to use this option on the origin server by following the instructions at

Otherwise, it should not be necessary in general.

Also, if you’re entirely behind CloudFlare you often don’t need a Let’s Encrypt certificate at all because you can use CloudFlare’s origin CA to get a server certificate that the CloudFlare CDN will accept when connecting to your origin.

1 Like

Thanks Seth, though when Googling for “Cloudflare Let’s Encrypt Webroot” or " urn:acme:error:connection :: The server could not connect to the client to verify the domain" (which was the case for me) that isn’t the first answer that comes up.

I really think you should consider documenting it, even if as you say it should not be neccesary, it was in my case.

Some documentation for LE working with Cloudflare in general would be appreciated.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.