Let's make Let's Encrypt work with Cloudflare

The certbot instructions force me to use snap to install the plugin. Is there an alternative way? I don't like snap because it forces updates on you just like Win 10 does.

acme.sh? (different client)


@bjordanov

I would strongly encourage you to closely consider the words of @orangepizza. I feel like you may not understand exactly how Cloudflare works. When a visitor connects to one of your websites through Cloudflare, it is Cloudflare's certificate the visitor sees, no matter what you do. You can pay for an expensive package for them to use a certificate you supply to them, but they still hold the private key for that certificate. Once Cloudflare receives your visitor's request, Cloudflare connects to your webserver and sees whatever certificate you use. Thus, Cloudflare is already decrypting all of the traffic between your visitors and your webservers. Cloudflare offers Origin CA certificates that can be configured from your Cloudflare account. They last MUCH longer than Let's Encrypt certificates and are MUCH easier to acquire and manage than Let's Encrypt certificates.


That needs to be put into context; in general, I don't find that to be a true statement.

How about:
They last MUCH longer than Let's Encrypt certificates and are MUCH easier to acquire and manage than Let's Encrypt certificates when serving content through their CDN.


A fair distinction to be sure. 🙂


Thanks for that clarification. At this point I'm looking for a free way to achieve my goal. I believe any CDN would act the same way. Seems like the botnet is the way to go. I care too much for the GTmetrix results my website achieves and it's not possible to achieve higher without a CDN. I'm sad that this seems the best resolution I can find on the Let's Encrypt forum. Thanks for your time!


Origin CA certificates ARE free. I might have misunderstood your message.

I feel like the ACME process just wasn't really designed with distributed environments in mind in terms of the http-01 challenge.


Yes, I know they are. Seems I'm gonna go with it as much as I dislike the idea of the man in the middle. I'm just saying that any CDN would do that no matter what, so seems like certbot is pointless at this point. I'll keep it just for a few domains.


Makes perfect sense to me. I don't like Cloudflare (or any CDN) decrypting my visitors' traffic either. It really comes down to trust. You are always trusting your hosting provider with terminating your SSL/TLS traffic. Whether you extend that trust to your CDN is up to you.


I really care for ranking in Google and blazing fast websites so... I have no choice. I'll just leave my most important domains with certbot and keep 'em away from Cloudflare. Thank you everyone for your time!


You're quite welcome. 🙂


Interestingly enough I tried using Cloudflare with the CA Origin Certificate.

Commented out Certbot settings in both configs and did:
certbot delete --cert-name website.com
then restart apache2
probably should revoke it also

Turns out that the page speed is slower compared to the website when using Certbot. Exactly 0.4s slower. I am kind of confused why the instruction is saying to include the config for the 443 port inside the main.com.conf instead of the main.com-conf-le.ssl.


Why would you have an LE config file at all if you're using a Cloudflare Origin CA certificate?


To slow them down!
[by 0.4s]
LOL

I wonder if the certs were truly similar - or was one 4096 and the other 256 ?


I just saved it and commented out the lines with # just because I didn't want to kill certbot once and for all and keep it for an A/B testing.


Ah. Makes sense. The only reasons I can imagine off the top of my head for a slower response for a Cloudflare certificate are a huge number of SANs on the certificate or a more complex key exchange.

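A way to check both points raised in this thread, as an added example that is not from any poster here: which certificate a visitor actually receives from the Cloudflare edge versus from your origin (the earlier point that Cloudflare always presents its own certificate), and whether two setups being A/B tested really present comparable keys before a 0.4 s difference is blamed on the certificate (the 4096 vs. 256 question, and the SAN count). It assumes only the openssl command-line tool; the host name and origin IP in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise the leaf certificate a TLS
# client receives, on the properties that affect handshake cost and size:
# public key algorithm, key size, number of DNS SANs, signature algorithm.
# Requires the openssl CLI (1.0.2 or newer output format assumed).

# Print a one-line summary of a PEM certificate file.
cert_summary_file() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: //p' | head -n 1)
    # Count DNS: entries in the subjectAltName extension (0 if none).
    sans=$(printf '%s\n' "$text" | awk '{ n += gsub(/DNS:/, "") } END { print n + 0 }')
    printf 'key=%s bits=%s sans=%s sig=%s\n' "$alg" "$bits" "$sans" "$sig"
}

# Fetch the leaf certificate a visitor sees at host:port (SNI = host).
# Behind Cloudflare this is Cloudflare's edge certificate, never yours.
cert_summary_host() {
    host=$1; port=${2:-443}
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp" || { rm -f "$tmp"; return 1; }
    cert_summary_file "$tmp"
    rm -f "$tmp"
}

# Fetch the certificate the origin presents: connect to the origin IP while
# still sending the site name as SNI, which is what Cloudflare does when it
# connects back to your web server (certbot cert or Origin CA cert).
cert_summary_origin() {
    name=$1; ip=$2; port=${3:-443}
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$ip:$port" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp" || { rm -f "$tmp"; return 1; }
    cert_summary_file "$tmp"
    rm -f "$tmp"
}

# Given two summaries, print 1 if key algorithm and size match, else 0.
# Use this before comparing page-speed numbers between two setups.
same_key_profile() {
    a=$(printf '%s\n' "$1" | cut -d' ' -f1,2)
    b=$(printf '%s\n' "$2" | cut -d' ' -f1,2)
    [ "$a" = "$b" ] && echo 1 || echo 0
}
```

Usage: `cert_summary_host www.example.com` shows what visitors get from the edge; `cert_summary_origin www.example.com 203.0.113.10` shows what the origin serves (placeholder name and IP). Run `same_key_profile` on the two summaries from your A and B configurations; an RSA 4096 versus a P-256 key, or a large SAN list, is a more likely cause of a few hundred milliseconds than the issuing CA.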
