[Solved] Sucuri WAF, Full https


My site is hosted on Linode and employing Sucuri reverse proxy/WAF.
Now, I want to move my WordPress powered site from http to https
DNS is pointing to reverse proxy and not my own server.
Sucuri provides free Lets’Encrypt SSL certificiate… and partial https setting is working just fine.

My question:

I want to enable SSL at my hosting end to make it Full https or Full https (strict). Will I be able to install LetsEncrypt certificate on my hosting end, even if DNS is pointing to Sucuri WAF?



According to the sucuri documentation .Its possible to install our cert in the server.From the proxy to client end they will provide [partial].If we want full ssl , we need to install certificate at server end .This Question should be asked at sucuri forum or open a ticket


With the DNS pointing to sucuri, is it possible to install Let’s Encrypt SSL certificate at the server end?


check this .


I’ve been thru that guide, and contacted Sucuri. This is what they said:

“you do not need to install the SSL on the hosting and you can use only Let’s Encrypt on our side, however if you want the communication between the firewall and the host to also be secured, you can ask the host o install the SSL on the hosting side and then change the SSL MODE from Partial to Full.”

So, it’s not about Sucuri… I just want to know this >>… With the DNS pointing to sucuri, is it possible to install Let’s Encrypt SSL certificate at the server end?


I didnt use it . But i can suggest you one thing . Try changing the document root inside your server[linode]. Then try accessing your site .If it shows forbidden or some error , sure it reaches your document root. Then use apache webroot to issue ssl ,it will resolve to its document root . and add the ssl to your config or htaccess and change the ssl status from partial to full in sucuri .


Let’s Encrypt policies and Internet tech standards don’t prevent this, but a practical question may be whether the Sucuri device blocks the method that you would otherwise use to prove your control over the domain name in order to obtain the certificate. The most popular methods of proving control over the domain name involve receiving inbound connections (on port 80 or port 443) from the Let’s Encrypt certificate authority. Particular information presented in response to these connections by your Let’s Encrypt client helps to confirm that the person who requested the certificate is the same person who controls the domain name.

If the Sucuri device blocks or interferes with any of these connections, the verification process might not succeed. In that case, you’ll need to get it not to interfere that way, or else use a different verification method.

However, there is no other reason preventing the issuance and use of a Let’s Encrypt certificate for a back-end server behind a WAF device.


Will check it out. Thanks.

Even if I succeed with SSL certificate installation, hope the process doesn’t get complicated during renewal… such as the one described here.

Renewing a Certificate with a Proxy Server - Help - Let’s Encrypt Community Support:



Thanks everyone… It’s sorted out now! :sunglasses:

[Fix] Sucuri and LetsEncrypt - ACME Domain Authorization Failed


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.