Let's Encrypt with Cloudflare (Apache)

Hi Guys,

I currently run all my websites through Cloudflare's reverse proxy and also use the SSL certs in strict mode.

Unfortunately, Cloudflare has a 100MB upload limit and I need more than that for my Nextcloud instance.

So I was wondering if I can use certbot to create a certificate for one of my vhosts (subdomain) without destroying my other vhosts' configs running with Cloudflare (strict mode).

If anyone can tell me pros and cons or what to look out for when doing this - that would be really nice!

Are you not already using Let's Encrypt certificates on all of your origin vhosts?

Since you are using Apache, why not use mod_md in the vhost configuration?

Are you encountering problems with your uploads through Cloudflare? Nextcloud should be chunking your uploads. If you need to explore the upload chunking topic further, the Nextcloud Community is going to be the appropriate venue.


No, Cloudflare issues its own self-signed certificates for the origin server to communicate between the Apache server and Cloudflare. And to communicate between users and Cloudflare, Cloudflare also issues a certificate from their own Certificate Authority that is known to the browsers. Here it is in visual form: http://blog.cloudflare.com/content/images/2015/02/illustration-strict-ssl--2--1.png

And no, it has nothing to do with Nextcloud, it is Cloudflare that limits the upload via the reverse proxy to 100 MB. https://s3.us-east-2.wasabisys.com/gridpanekb/cloudflares-cdn-and-upload-limitations/cloudflare-upload-01.png

Cloudflare doesn't automatically issue Origin CA certificates. That's your choice. I only use Let's Encrypt certificates on my origin sites.

There is nothing wrong with using Cloudflare Origin CA certificates if you will always proxy that hostname.

I am well aware of the 100MB upload limit on the free Cloudflare plan. I also know that does not prevent one from uploading files over 100MB as long as the application limits its chunks to <100MB. It is not uncommon for people to run Nextcloud behind Cloudflare and the topic has been discussed on their forums.

Regardless, you certainly can set your Nextcloud hostname to DNS Only in Cloudflare and secure it with a Let's Encrypt certificate issued by Certbot, mod_md, or another ACME client if you prefer.


Oh, I didn't know that about Nextcloud, thanks for the info. At first I thought you misunderstood me, sorry, my bad...


Are there any good tutorials out there for "mod_md"? I can't really find one.


The mod_md docs are not easy to find. Apache docs here:
https://httpd.apache.org/docs/2.4/mod/mod_md.html

And the GitHub for mod_md below. Probably best to start with these docs:


Those are the mod_md docs that I linked in my first reply and are what I would have offered again, had @MikeMcQ not already repeated it for emphasis. :grinning:

The GitHub repo shouldn't be needed as long as you are running Apache 2.4.30 or newer, as mod_md has been included since that version.

Like any module, you will need to enable it and configure it. I put the vhost-related elements directly in my vhost configs. I also keep some global configs in /etc/apache/conf-available/md.conf:

MDCertificateAgreement accepted
MDContactEmail ssl@example.com
MDPrivateKeys secp384r1 rsa4096
MDStapling On
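As an added illustration of the setup discussed in this thread (this is not configuration posted by any of the participants above), here is how a mod_md-managed Nextcloud vhost can sit next to vhosts that stay behind Cloudflare in Full (strict) mode. Only the hostname listed in MDomain is touched by mod_md; the Cloudflare-proxied vhost keeps its Origin CA certificate. The hostnames, document roots and certificate paths are assumptions, and the Nextcloud hostname is assumed to be set to DNS Only (grey cloud) in Cloudflare so that both the ACME challenge and the large uploads reach the origin directly.

```apache
# Added example, not from the thread. Hostnames and paths are assumptions.
# Assumes Apache 2.4.30 or newer with mod_md and mod_ssl enabled
# (a2enmod md ssl on Debian/Ubuntu).

# --- Global mod_md settings (for example conf-available/md.conf) ----------
MDCertificateAgreement accepted
MDContactEmail ssl@example.com
MDPrivateKeys secp384r1 rsa4096
MDStapling On
# tls-alpn-01 needs acme-tls/1 in the vhost's Protocols line; http-01 needs
# port 80 reachable from the internet. Both only work for this hostname
# because it is DNS Only: a proxied hostname would answer with Cloudflare's
# edge certificate and the challenge would never reach the origin.
MDChallenges tls-alpn-01 http-01
# mod_md redirects http:// to https:// itself and still answers http-01
# challenges, so no Redirect directive is needed in the port-80 vhost.
MDRequireHttps permanent

# Only the Nextcloud hostname is managed by mod_md. Everything not listed
# here is left exactly as it was.
MDomain nextcloud.example.com

# --- Managed vhost: Let's Encrypt certificate via mod_md ------------------
<VirtualHost *:443>
    ServerName nextcloud.example.com
    # acme-tls/1 is what tls-alpn-01 uses; drop it if you only use http-01.
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    # Deliberately no SSLCertificateFile/SSLCertificateKeyFile:
    # mod_md injects the Let's Encrypt certificate and key for this host.
    DocumentRoot /var/www/nextcloud
    # Uploads now bypass Cloudflare, so Apache (LimitRequestBody) and the
    # PHP/Nextcloud size limits are what bound an upload, not the 100 MB
    # Cloudflare cap. Check those before testing a large file.
</VirtualHost>

<VirtualHost *:80>
    ServerName nextcloud.example.com
    DocumentRoot /var/www/nextcloud
</VirtualHost>

# --- Unchanged vhost: still proxied by Cloudflare in Full (strict) mode ---
# Not listed in any MDomain, so mod_md ignores it and it keeps using the
# Cloudflare Origin CA certificate installed earlier.
<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/cloudflare/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/www.example.com.key
    DocumentRoot /var/www/www
</VirtualHost>
```

Two things to keep in mind when trying this. First, mod_md fetches the certificate in the background after Apache starts and serves a temporary self-signed fallback certificate until the server is reloaded (apachectl graceful), so an "untrusted certificate" warning right after the first start is expected, not a failure. Second, a DNS Only hostname exposes the origin's real IP address and loses Cloudflare's proxy-side filtering for that name, so the Nextcloud vhost should be treated as directly internet-facing (firewalling, rate limiting and keeping Nextcloud patched fall back on you).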

Yes, I should have noted I showed GitHub mostly for the docs, as parts are more how-to than the Apache ones. Also, asking questions there might reach more experts than here for mod_md specifically.


I keep threatening to write something about TLS-ALPN-01 and mod_md. If I do, I promise to share it here in the Let's Encrypt Community.

