I would like to restrict all web traffic (ports 80 and 443) to go through Cloudflare.
I am able to do this by only allowing traffic outbound to their Proxy Blocks listed here:
With this in mind:
I need a way to push LetsEncrypt to validate certificates through Cloudflare OR to allow LetsEncrypt through my Firewall rules.
I have seen previous posts in which you stated you don’t want to provide a public list of IP blocks that LetsEncrypt will utilize. But I believe that we should at least be able to get LetsEncrypt to work through an allowed method, at least to provide additional layers of security.
ACME HTTP-01 validation works by making requests to your website. If you want a certificate for
www.example.com, Let’s Encrypt’s validation servers make requests to
It’s fine if http://www.example.com/ is using Cloudflare, as long as the requests succeed.
TLS-ALPN-01 validation won’t work through Cloudflare’s web proxy.
DNS-01 validation uses DNS queries. It doesn’t make HTTP requests at all.
In other words, Cloudflare should not pose any obstacles, unless you’re using TLS-ALPN-01 validation, or set it to block everything.
If there are configuration issues, they can be fixed.
For proxied (sub)domains, you can also use Cloudflare’s Origin CA instead of Let’s Encrypt.
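A pre-flight check for the HTTP-01 case described above, added here as an example and not code from the original thread: it fetches the challenge path over the proxied hostname the way a validation server would (plain http://, following any redirect Cloudflare adds) and confirms the key authorization comes back. The domain, token and key authorization are constructed sample values, and the fetcher is injectable so the logic can be exercised offline.

```python
"""Pre-flight check: can ACME HTTP-01 be validated through a proxy such as Cloudflare?

Assumes (hypothetically) that the key authorization has already been placed at
/.well-known/acme-challenge/<token> on the origin server.
"""
import urllib.request
from typing import Callable, Tuple

# Constructed sample values (not real ACME tokens).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_KEY_AUTH = SAMPLE_TOKEN + ".nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzsb7TX8nWA"


def challenge_url(domain: str, token: str) -> str:
    """RFC 8555 section 8.3: the validator dereferences this URL over plain HTTP."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def default_fetch(url: str) -> Tuple[int, str, str]:
    """Fetch like a validator: urllib follows redirects (e.g. Cloudflare's
    'Always Use HTTPS'); returns (status, final_url, body). Non-2xx raises."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.geturl(), resp.read(200).decode("utf-8", "replace")


def check_http01(domain: str, token: str, key_auth: str,
                 fetch: Callable[[str], Tuple[int, str, str]] = default_fetch
                 ) -> Tuple[bool, str]:
    """Return (ok, reason); ok only if the public hostname serves exactly the
    key authorization at the challenge path."""
    url = challenge_url(domain, token)
    try:
        status, final_url, body = fetch(url)
    except Exception as exc:  # DNS failure, firewall block, TLS error after redirect
        return False, f"request failed: {exc}"
    if status != 200:
        return False, f"HTTP {status} from {final_url}"
    if body.strip() != key_auth:
        # A Cloudflare challenge/block page or a stale cached response lands here.
        return False, f"body mismatch from {final_url}: {body[:40]!r}"
    return True, f"served correctly via {final_url}"


if __name__ == "__main__":
    print(check_http01("www.example.com", SAMPLE_TOKEN, SAMPLE_KEY_AUTH))
```

Run it against your own hostname after placing the token file; a failure reason that mentions a Cloudflare page rather than the key authorization points at a firewall or security setting blocking the validator, not at Let's Encrypt itself.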
You’d better use a Cloudflare origin certificate to talk to Cloudflare.
Clients won’t see your Let’s Encrypt cert unless you are using at least the Business plan from them.