Since putting my website behind Cloudflare's proxy, I don't get expiration warnings for my Let's Encrypt certs anymore. Previously the expiration mails used to work great, but recently we discovered (luckily a few days before expiration) that because of an expired CF API token, the certificates weren't being renewed anymore. However, we didn't get any expiration mails for this certificate.
Cloudflare has their own TLS cert for our website, which is served by their proxy. Our origin server uses a Let's Encrypt cert for communication between our server and Cloudflare. I assume that Cloudflare's up-to-date cert leads Let's Encrypt to believe that there is no need for an expiration email. However, it would be nice if I could still get an expiration mail for the Let's Encrypt certificate.
You should still get that; however, I believe it is irrelevant: Cloudflare should still accept an expired cert.
I also suggest you consider dropping LetsEncrypt in your setup. Cloudflare offers a multi-year certificate you can install (downloaded from their dashboard) for encrypting traffic between your Origin Server and their Network. Unless you need a LetsEncrypt cert as part of a backup plan to drop off the Cloudflare network, their Certificate is all you need.
I am definitely keen on keeping LetsEncrypt around as a backup plan. But if I should still have been getting the expiration mails, I'll go check if my cert-manager is properly configured to send along the right email address when renewing certificates. Thanks!
Does CloudFlare use a cert with the exact same set of names on it as yours? (highly unlikely)
And even if it were, it would also have to be issued by LE to confuse the expiry emailing system.
[to think that you renewed your cert - when CF did the renewal]
In short: Those are two completely different certs (and from two CAs).
So... to answer your question:
"Is it possible to still get certificate expiry emails when my site is behind a cloudflare proxy?"
I would think so, yes.
Thanks. Is there a way to check if my email address has correctly been registered with Let's Encrypt in case the certificate is about to expire? Is there a way to test certificate expiration emails aside from just letting a certificate expire?
While running behind some proxy should indeed not affect emails (Let's Encrypt sends expiry emails based on their own database records and doesn't connect to your site), it is possible that you didn't get any emails because the expiry mailer had a bunch of issues lately (which included expiry emails not being sent).
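Since the expiry mailer can fail and the cert Cloudflare serves at the edge is not the origin's Let's Encrypt cert, a defender can check the origin certificate directly instead of relying on email. The following is an added example, not code from the thread or from Let's Encrypt; the origin address and site name are placeholders you would replace with your own.

```python
import socket
import ssl
import time
from typing import Optional

# Assumed placeholders (not from the thread): the origin's direct address,
# bypassing the Cloudflare proxy, and the hostname on its Let's Encrypt cert.
ORIGIN_HOST = "203.0.113.10"   # documentation-range IP, replace with yours
SITE_NAME = "www.example.com"  # replace with your site name
WARN_DAYS = 14                 # warn when fewer days than this remain


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days from now_epoch (default: current time) until the certificate's
    notAfter field, given in the text form getpeercert() returns, for example
    'Jun 30 12:00:00 2025 GMT'. A negative result means it has already expired."""
    expires_epoch = ssl.cert_time_to_seconds(not_after)
    if now_epoch is None:
        now_epoch = time.time()
    return int((expires_epoch - now_epoch) // 86400)


def fetch_origin_not_after(origin_host: str, site_name: str, port: int = 443) -> str:
    """Open a TLS connection straight to the origin (not the proxied hostname),
    sending site_name as SNI so the origin presents its own certificate, and
    return that certificate's notAfter field. Hostname verification is done
    against site_name, so a cert for the wrong name also raises an error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=site_name) as tls:
            return tls.getpeercert()["notAfter"]


def expiry_status(days_left: int, warn_days: int = WARN_DAYS) -> str:
    """Map remaining days to a status suitable for a monitoring check."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "WARN"
    return "OK"


if __name__ == "__main__":
    not_after = fetch_origin_not_after(ORIGIN_HOST, SITE_NAME)
    left = days_until_expiry(not_after)
    print(f"{SITE_NAME} origin cert expires {not_after}: "
          f"{left} days left ({expiry_status(left)})")
```

Run it from a host that can reach the origin directly (or from the origin itself against 127.0.0.1) on a schedule, and alert on anything other than OK; this catches a stuck renewal, such as the expired API token described above, without depending on the mailer.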
Thanks a lot, that also matches up with the timeframe of when I was expecting to get those expiry mails!