How to get a Let's Encrypt certificate while using CloudFlare

Hello I followed all steps and made it to the congratulations part. I now have 4 files saved at /etc/letsencrypt/live/DOMAIN/ called: cert.pem, chain.pem, fullchain.pem and privkey.pem.

When looking at my config file at /etc/nginx/sites-available/default I have these 2 lines:
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
I do have the cert.pem file but what about the cert.key? I can’t seem to find it.

Help much appreciated.

Hello @Koyaanis,

As you are using nginx, in the ssl_certificate directive you should specify the fullchain.pem file (it includes your domain cert and the intermediate cert). And for the ssl_certificate_key directive you should specify the privkey.pem file:

ssl_certificate /etc/letsencrypt/live/HEREYOURDOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/HEREYOURDOMAIN/privkey.pem;

Note: Always use the full path to the cert files.
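The two mistakes in the question (a relative path, and cert.pem/cert.key instead of the fullchain/privkey pair certbot writes) are easy to lint for. The following is an added example, not code from the thread or from certbot: it scans an nginx server block for the two TLS directives and reports paths that are relative (nginx resolves those against its own configuration directory, not /etc/letsencrypt) or that do not end in fullchain.pem / privkey.pem, and optionally checks the files exist. The config snippets in the test are constructed.

```python
"""Lint nginx ssl_certificate / ssl_certificate_key directives against the
files certbot writes under /etc/letsencrypt/live/<domain>/ (added example)."""
import os
import re

# Directive -> file name certbot writes for it in the live/<domain>/ directory
EXPECTED = {
    "ssl_certificate": "fullchain.pem",      # leaf + intermediate chain
    "ssl_certificate_key": "privkey.pem",    # the matching private key
}

_DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_certificate|ssl_certificate_key)\s+([^;]+);", re.MULTILINE)


def check_nginx_tls_paths(config_text, check_exists=True):
    """Return a list of human-readable problems for the TLS file directives
    found in config_text; an empty list means both directives look right."""
    found = {m.group(1): m.group(2).strip() for m in _DIRECTIVE_RE.finditer(config_text)}
    problems = []
    for directive, want in EXPECTED.items():
        path = found.get(directive)
        if path is None:
            problems.append(f"{directive} is missing")
            continue
        if not os.path.isabs(path):
            problems.append(
                f"{directive} uses a relative path {path!r}; nginx resolves it "
                f"against its configuration directory, not /etc/letsencrypt")
        if os.path.basename(path) != want:
            problems.append(
                f"{directive} should point at {want}, got {os.path.basename(path)!r}")
        if check_exists and os.path.isabs(path) and not os.path.isfile(path):
            problems.append(f"{directive} file does not exist: {path}")
    return problems


if __name__ == "__main__":
    # Constructed snippet mirroring the question's default site config
    broken = "ssl_certificate cert.pem;\nssl_certificate_key cert.key;\n"
    for problem in check_nginx_tls_paths(broken, check_exists=False):
        print("-", problem)
```

Run it against the output of `nginx -T` to lint the whole effective configuration at once; with `check_exists=True` it also catches a typo in the domain part of the live/ path before nginx refuses to reload.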


Thanks a lot that worked!

1 Like

You should also suggest setting Cloudflare's SSL mode at least to “Full SSL (Strict)” or (better) using keyless SSL. Because all other SSL options of Cloudflare are very flawed, and always keep in mind that Cloudflare man-in-the-middles your “secure” connection.

More at @scotthelme’s blog:



If we have sites loading from more than 1 web root, how do we specify this in the command? do I have to generate a new cert for every site that loads from a different web root?

Hello @andrewjs18,

Take a look at ./letsencrypt-auto --help webroot and you will see two options to specify a webroot per domain/domains.

Example using -w ( --webroot-path ):

./letsencrypt-auto here_your_options -w /var/www/domain.tld -d domain.tld -d www.domain.tld -w /var/www/otherdomain.tld -d otherdomain.tld -d www.otherdomain.tld

Example using --webroot-map:

./letsencrypt-auto here_your_options --webroot-map '{"domain.tld,www.domain.tld":"/var/www/domain.tld", "otherdomain.tld,www.otherdomain.tld":"/var/www/otherdomain.tld"}'


Thank you. I’ll give it a try tonight.

@sahsanu, not quite sure what I’m doing wrong here. when I run ./letsencrypt-auto, it asks me which sites I’d like to activate HTTPS for, I choose them, then it errors out with a similar error as I’ll post below.

I then moved on to the instructions provided here: How to get a Let's Encrypt certificate while using CloudFlare

after doing so, it errored out, with the following:

any help is greatly appreciated!


again you (according to the error) tried tls authenticating (which only works if there is an existing cert)

instead of the previously advised webroot auth method

Hello @andrewjs18,

I recommend putting the options you will use in the command line and using the webroot method.

For example:

./letsencrypt-auto certonly --email youruser@yourdomain.tld --text --renew-by-default --agree-tos --webroot -w /home/site/public_html/ -d -d -w /home/site2/public_html/ -d -w /home/site3/public_html/ -d -w /home/site4/public_html/ -d --dry-run

Replace your email, your domain names and webroot path with the real ones and execute the command again. If you get no error you could remove the last parameter --dry-run and launch the command again (the --dry-run option simulates the whole process but doesn’t issue the certificate, so you can check that all will work fine once you are ready).


@sahsanu, thanks.

just tried rerunning the command…this time it returned a different error:

Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: 404


  • If you lose your account credentials, you can recover through
    e-mails sent to

  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Invalid response from
    []: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Let’s Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let’s
    Encrypt so making regular backups of this folder is ideal.

@andrewjs18, the error is clear, the challenge can’t be accessed to verify your domain.

Put a simple test file in /path/to/document/root/for/ and try to access it using your web browser. If you get the content of the test file all is ok; if you receive a 404 Not Found, something is wrong in your conf.

Also, re-check that you wrote the correct webroot-path for your domain when you executed the letsencrypt-auto command.


1 Like
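The diagnosis above (a 404 means the webroot given to letsencrypt-auto is not the directory the web server actually serves for that name) can be rehearsed locally before burning a real validation attempt, and the same code shows how the --webroot-map form from the earlier answer groups domains. The following is an added example, not code from the thread or from certbot: it expands a map in --webroot-map's shape into one domain-to-webroot entry each, drops a token file under .well-known/acme-challenge/ in that webroot, and then fetches it the way the CA's http-01 check would, except from a throwaway Python HTTP server serving the directory the vhost really uses (a stand-in for nginx's root directive). The domain names, directories and the "constructed-thumbprint" token content are constructed; a real key authorization is token.account-thumbprint.

```python
"""Local rehearsal of the http-01 webroot check (added example, not certbot's)."""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"   # fixed by the ACME http-01 spec


def expand_webroot_map(webroot_map):
    """Turn {"a.tld,www.a.tld": "/var/www/a"} into {"a.tld": ..., "www.a.tld": ...},
    rejecting a domain that is listed under two different webroots."""
    domain_to_root = {}
    for names, root in webroot_map.items():
        for domain in (n.strip() for n in names.split(",")):
            if domain in domain_to_root and domain_to_root[domain] != root:
                raise ValueError(f"{domain} mapped to both {domain_to_root[domain]} and {root}")
            domain_to_root[domain] = root
    return domain_to_root


def place_token(webroot, token, content):
    """Write the challenge file exactly where the webroot plugin would."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w") as fh:
        fh.write(content)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the rehearsal output clean
        pass


def serve_directory(directory):
    """Serve `directory` on 127.0.0.1 at a free port; returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_challenge(base_url, token):
    """GET the challenge URL like the CA does; returns (status, body)."""
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_PATH}/{token}", timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def self_check(webroot_map, vhost_roots):
    """For each domain: place a token in the webroot the map claims, then fetch it
    from a server that serves the directory the vhost really uses (vhost_roots).
    Returns {domain: "ok" | "http <status>"}; a 404 is the thread's symptom."""
    results = {}
    for domain, webroot in expand_webroot_map(webroot_map).items():
        token = secrets.token_urlsafe(16)
        expected = f"{token}.constructed-thumbprint"   # stand-in for token.thumbprint
        place_token(webroot, token, expected)
        server, base_url = serve_directory(vhost_roots[domain])
        try:
            status, body = fetch_challenge(base_url, token)
        finally:
            server.shutdown()
            server.server_close()
        results[domain] = "ok" if status == 200 and body == expected else f"http {status}"
    return results


def demo():
    """Constructed scenario: two sites; the map for otherdomain.tld points at a stale directory."""
    base = tempfile.mkdtemp(prefix="acme-selfcheck-")
    site1 = os.path.join(base, "site1", "public_html")
    site2 = os.path.join(base, "site2", "public_html")
    stale = os.path.join(base, "site2", "old_html")
    for d in (site1, site2, stale):
        os.makedirs(d)
    vhost_roots = {"domain.tld": site1, "www.domain.tld": site1, "otherdomain.tld": site2}
    webroot_map = {"domain.tld,www.domain.tld": site1, "otherdomain.tld": stale}
    return self_check(webroot_map, vhost_roots)


if __name__ == "__main__":
    for domain, outcome in demo().items():
        print(f"{domain}: {outcome}")
```

The local server only checks that the path in your map matches the document root for that vhost; the real validation additionally depends on the name resolving to this host and port 80 being reachable, which is why the thread's next step is to fetch the test file through a browser from outside.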

@sahsanu ah…that’s what it was, a slight directory issue in my command. thanks for all of your help!

I liked seeing this:


  • The dry run was successful.

@andrewjs18, you are welcome. I’m glad you got it working, now, remove --dry-run and get your certs :wink:

1 Like

@sahsanu, just finished that up.

when I go to automate the renewal of the certs, can I just stuff the same command I ran to get the certs into a file that’s then set up in crontab?

That would work, but letsencrypt renew is a better option since it’s smarter about which options it uses, when it actually renews the certificates, etc.

Just put it in a daily cronjob, test it once, and you should be good to go. :smile:

1 Like

@pfg, do I need to include my other commands when running letsencrypt renew, like so:

./letsencrypt-renew certonly --email youruser@yourdomain.tld --text
--renew-by-default --agree-tos --webroot -w /home/site/public_html/ -d -d -w /home/site2/public_html/ -d -w /home/site3/public_html/ -d -w
/home/site4/public_html/ -d --dry-run

No, Let’s Encrypt will try to renew using the settings you last used for your certificates. This should do:

./letsencrypt-auto renew

Take a look at the documentation for more details.

1 Like

@pfg, perfect…thanks!

How do you do it with certbot-auto?

If I’ve already installed it with certbot-auto by simply dissabling cloudflare to install it and then re-enable it…