Hi, I am trying to find a way to switch to Let's Encrypt on Cloudflare. Cloudflare offers two options for Universal SSL - Let's Encrypt and Google Trust. However, there is no option to select; it is random. I would really appreciate it if someone knows a way to switch to Let's Encrypt. It is much preferred.

I've never heard of any way to do that.
You might want to ask on their support channels.
I already asked there, but they shared that officially there is no way to do that. However, one of them mentioned there is an unofficial way to switch to a Let's Encrypt certificate, but that can't be shared on their official support.

I thought there was a way to upload custom certificates but there may be various restrictions on which accounts are allowed to do that. Search their docs.

But I also think they might get overlapping certificates from multiple authorities as backups, so generally you are better off letting them manage their certs for their own edge.


Is this really worth the trouble?
What is the difference you see between?:


I agree. However, that is a setup requirement I am forced to stick to.

That's a pretty weird requirement; both Google and Let's Encrypt should be in the trust stores of clients unless you're doing something particularly odd. Actually, using more than one CA can be really helpful, in that if one goes down you can switch to the other. (Big sites like Wikipedia use multiple CAs' certificates at once so that they can switch providers quickly if one CA's OCSP goes down for an extended time.)


As others have indicated, that directive appears to demonstrate a lack of understanding of certificate fundamentals.

I didn't mention the DIY method on your topic in the Cloudflare Community because it relies on an undocumented API call. That means that it may not be reliable and could be removed at any time. It also will mean that you have to figure it out, since it is undocumented. I have no use for it, so I don't know what it is. The topics on the Cloudflare Community that discussed it no longer seem to include the actual API call.


Can you provide the documentation of this requirement?


I thought the only way to use your own certificates is to pay for it. I'm preeeetty sure Cloudflare would fix the workaround you're talking about if it would cost them revenue, right?


I was not referring to using your own certificate. That is definitely a paid-only feature at Cloudflare.

It is allegedly possible to specify the CA that will be used to issue the Cloudflare Universal SSL certificate. It was historically employed by people who wanted to stay on Cloudflare branded DigiCert certificates and avoid Let's Encrypt certificates.

During a recent incident where Google Trust Services certificates were ironically not being recognized by older Android devices there was a renewed interest in that API call. This time the desired outcome was to force the issuance of Let's Encrypt certificates instead of GTS certificates.


Ah, sorry, then I misunderstood/didn't read thoroughly.


