Set up cert for Cloudflare for Strict SSL?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version
certbot 0.31.0

The problem is that I have to set up Cloudflare properly to avoid uninterrupted service since I have been running Full Strict SSL for some years.


What's your exact question or issue? Because I'm currently not seeing one.


Well, my letsencrypt won't update, but since I'm not sure if the letsencrypt.log file contains secure info, I won't post that here.


Without knowing anything about what you did and what the output was, we can't help you. You didn't specify the command you ran and no output at all.


I ran
/usr/bin/letsencrypt renew >& /var/tmp/cron.letsenc
and that file shows
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/www.ingb produced an unexpected error: Missing command line flag or config en
try for this setting:
Input the webroot for Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)

In /var/log/letsencrypt/letsencrypt.log I see at the end:
2020-09-23 11:59:18,381:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-09-23 11:59:18,381:ERROR:certbot.renewal: /etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)
2020-09-23 11:59:18,382:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/", line 1272, in renew
File "/usr/lib/python3/dist-packages/certbot/", line 477, in handle_
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)


It seems your renewal configuration file is damaged for some reason. It's missing critical information: the webroot. Did you manually edit the file by any chance?


No, I did not. I thought perhaps a python3 update messed up, but I did a search and do not see this problem cited. So, what should I do now?


You could manually add the webroot again to the renewal configuration file (look in other renewal configuration files for examples if you have them).

You could also try to issue the certificate again. I.e., run certbot again without renew. It should store all the parameters again in the renewal configuration file after that. If you have more than one certificate in certbot, you can identify the certificate name from the list generated by certbot certificates. After that, you could use certbot --cert-name <insert cert name here>, followed by the required options to issue a certificate like you did in the beginning.
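An added example, not part of the original posts and not certbot's own code: a small check that reads a renewal configuration file and reports which domains would have no webroot at renewal time. It assumes the layout certbot normally writes (a `[renewalparams]` section with `webroot_path` and a `[[webroot_map]]` subsection); the function names, the `example.com` domains and both sample files are constructed for illustration.

```python
import re

# Constructed sample: a webroot renewal file that lost its webroot_path line.
DAMAGED = """\
version = 0.31.0
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
example.com = /var/www/html
"""
# Constructed sample: the same file with the fallback webroot restored.
INTACT = DAMAGED.replace("installer = None\n",
                         "installer = None\nwebroot_path = /var/www/html,\n")

def parse_renewal_conf(text):
    """Parse the ConfigObj-style file into {section_path_tuple: {key: value}}."""
    sections = {(): {}}
    path = ()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\[+)\s*([^\[\]]+?)\s*(\]+)$", line)
        if m and len(m.group(1)) == len(m.group(3)):
            depth = len(m.group(1))            # [x] is depth 1, [[x]] is depth 2
            path = path[:depth - 1] + (m.group(2),)
            sections.setdefault(path, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[path][key.strip()] = value.strip()
    return sections

def domains_missing_webroot(text, domains):
    """Return the domains that have neither a webroot_map entry nor a fallback path."""
    conf = parse_renewal_conf(text)
    params = conf.get(("renewalparams",), {})
    if params.get("authenticator") != "webroot":
        return []                              # check only applies to webroot renewals
    wmap = conf.get(("renewalparams", "webroot_map"), {})
    paths = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    fallback = paths[-1] if paths else None    # assumption: last path is the default
    return [d for d in domains if not wmap.get(d) and fallback is None]

if __name__ == "__main__":
    names = ["example.com", "www.example.com"]  # take these from `certbot certificates`
    print("damaged:", domains_missing_webroot(DAMAGED, names))
    print("intact: ", domains_missing_webroot(INTACT, names))
```

The domain list is passed in separately because the renewal file does not list the certificate's names; they come from the certificate itself.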


OK. I'll try that. Thanks for your time and the suggestion.


He could also specify the entire command with the webroot and certbot should update the configuration automatically. That is unless certbot is barred from doing so for some reason. He could then use /usr/bin/letsencrypt certificates as you've suggested to note the old certificate name(s) then use /usr/bin/letsencrypt delete *old certificate name* to clean up.

This would imply running the following:
/usr/bin/letsencrypt certonly --cert-name -a webroot -w *put the webroot here* -d,,,,,,

This is what @Osiris was meaning here:

Didn't realize I was duplicating. Sorry @Osiris. Hopefully the command and cleanup add value though.


That's what I said in my second paragraph, right?


You are going to somewhat hate my response, but you went through all these headaches for no reason.

Cloudflare is handling the "internet facing" SSL for all your domains (from a web browser to their Edge servers); if you click on the padlock for any of your sites in a browser window, you'll see their Certificates, not LetsEncrypt.

The LetsEncrypt certificates you obtained are only being used to Encrypt traffic between your web server (origin) and Cloudflare's network. While you can use LetsEncrypt to obtain these, they need to be renewed at least every 3 months.

The alternative? Cloudflare offers their own "Origin SSL Certificates" ( which you can just download and install onto your server. These certificates last 15 years.

The two main problems with running LetsEncrypt certificates behind Cloudflare:

  1. The http/https traffic used to validate the certificates is proxied through Cloudflare, so you can sometimes have hiccups of configuration issues within the Cloudflare network that you have no control over
  2. There are sometimes oddities troubleshooting/bugfixing that get complicated by this setup because public DNS no longer resolves to your website but resolves to the Cloudflare network

Which is also important?

Did you not read the next paragraph or was it unclear the alternative certificate from cloudflare, which you simply download once every 15 years, encrypts that segment?
