Failed authorization procedure. community.ilp.moe (tls-sni-01)

Hi there – CloudFlare TLS PM here.

@jsha is correct in that the tls-sni-01 method is incompatible with any reverse proxy (such as CloudFlare) that you don’t control. To complete the authorization, you have two main options:

  1. Temporarily disable CloudFlare (what we call “gray clouding”) for the domain.
     - You can do this by logging in, clicking on the DNS App, and then clicking the orange cloud on the right-hand side of the row. The graphic should go gray and at that point you can proceed with your validation.
     - Keep in mind that what this method does is temporarily advertise your origin IP address, so if you’re concerned about exposing that to potential adversaries, you should use the webroot authenticator as @jsha suggests.
  2. Use the webroot authenticator.
     - This method has the advantage of i) not requiring any temporary changes and ii) not leaking your origin/protected IP addresses.
     - See below for an overview of the commands that need to be run. For the sake of completeness, I’ve provided a sample NGINX config file. Most likely (almost definitely), you’ll already have this server block in place but if not you can use this simple skeleton config.

In either case, you’ll need to manually install the certificate after it’s been issued and downloaded to your server. Follow the appropriate instructions for your HTTP/S server.

Best,
Patrick Donahue
@prdonahue

# set up the web root  (if not already done)
export DOMAIN=yourdomain.com
mkdir -p /var/www/html/$DOMAIN

# set up nginx config (if not already done)
cat > /etc/nginx/conf.d/$DOMAIN.conf << EOF
server {
    listen 80;
    server_name $DOMAIN www.$DOMAIN;

    root /var/www/html/$DOMAIN;
    index index.html;

    location / {
        allow all;
    }

    access_log /var/log/nginx/$DOMAIN.log main;
    error_log /var/log/nginx/$DOMAIN.err debug;
}
EOF

# download and run the letsencrypt client
cd ~/src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

# after running the following command you’ll be prompted to enter your email address (do it) and indicate you’ve read the license agreement (do it as well)
# ./letsencrypt-auto certonly -a webroot --webroot-path /var/www/html/$DOMAIN -d $DOMAIN -d www.$DOMAIN --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path /var/www/html/patentbust.com -d patentbust.com -d www.patentbust.com --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert will
   expire on 2016-02-15. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
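The webroot method works because the CA fetches a token file under `/.well-known/acme-challenge/` over plain HTTP, which a reverse proxy like CloudFlare passes through to the origin without revealing the origin IP. The following pre-flight check, an added example that is not part of the post above, places a throwaway token in the webroot and confirms it is reachable through whatever sits in front of the site before the real client is run; the `local_self_test` helper and the test server port are assumptions used only for an offline demonstration, and in practice `base_url` would be `http://yourdomain.com`.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

# Path the ACME server fetches for the http-01 (webroot) challenge.
CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot, token=None):
    """Write a throwaway challenge file into the webroot and return its name."""
    token = token or secrets.token_urlsafe(16)  # random, so nothing is guessable
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token


def challenge_reachable(base_url, token, timeout=10):
    """True only if the proxy/origin returns 200 with exactly the token body."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == token
    except (urllib.error.URLError, OSError):
        return False  # 404, timeout, DNS failure: treat all as "not reachable"


def serve_webroot(webroot, port=0):
    """Stand-in for nginx: serve the webroot on localhost (constructed, test only)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def local_self_test():
    """Run the check end to end against a temporary webroot; returns (hit, miss)."""
    with tempfile.TemporaryDirectory() as webroot:
        srv = serve_webroot(webroot)
        try:
            base = f"http://127.0.0.1:{srv.server_address[1]}"
            token = place_token(webroot)
            hit = challenge_reachable(base, token)            # expected True
            miss = challenge_reachable(base, "no-such-token")  # expected False
        finally:
            srv.shutdown()
            srv.server_close()
    return hit, miss
```

Delete the token file once the check passes; it is only there to prove the challenge path is served.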