[Moderator’s note, 2018-10-25: If your site is behind CloudFlare, the best option is to not use Let’s Encrypt at all, but instead to use Cloudflare’s Origin CA: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/]
This seems to have come up a couple of times so here’s how to do it.
It’s not necessary to disable CloudFlare to use Let’s Encrypt.
If you’re configuring Let’s Encrypt for the first time for a site already active on CloudFlare, all that is needed to successfully verify and obtain your certificate and private key pair is to use the webroot method for verification.
certbot, the recommended Let’s Encrypt client and change to the download directory:
wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto
(OS-specific instructions can be found on the
Run the script for automatic installation:
certbot client with the
certonly command and the
--webroot flag, we’re able to verify and obtain the cert/key pair using HTTP verification. An example command might look like:
./certbot-auto certonly --webroot --webroot-path /usr/share/nginx/html/ --renew-by-default --email email@example.com --text --agree-tos -d example.tld -d www.example.tld
--webroot-path is the directory on your server where your site is located (nginx used in the example)
--renew-by-default selects renewal by default when domains are a superset of a previously attained cert
--text displays text output
--agree-tos agrees to Let’s Encrypt’s Subscriber Agreement
-d specifies hostnames to add to the SAN.
Successful completion of this verification method will show text similar to the following:
IMPORTANT NOTES - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.tld/fullchain.pem. Your cert will expire on 2016-03-03. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
As a note, both the cert and key will be saved to /etc/letsencrypt/live/example.tld/ . After both have been obtained, you’ll need to manually update your virtual host to use this key/cert pair.