Solving a Let's Encrypt and Cloudflare problem
This guide explains how to resolve an installation issue with a Let's Encrypt certificate if you are using Cloudflare with strict security rules – especially those that filter by country or IP address.
Adjust the SSL / geoblocking settings
When you protect a website with Cloudflare and want to obtain a free Let's Encrypt SSL certificate from Infomaniak at the same time, there may be technical conflicts. These issues often arise from how Cloudflare handles security and network connections.
Let's Encrypt needs to verify that you are the owner of the domain name for which you are requesting a certificate. To do this, it sends what is called a "challenge": a specific HTTP request to your site, at an address of the form http://domain.xyz/.well-known/acme-challenge/... If this verification fails, the certificate cannot be issued or renewed.
The issue is that some protections enabled on Cloudflare can block these verifications:
- Security rules (WAF), for example if you block certain regions of the world (like the United States or Switzerland).
- Custom rules, such as IP filtering.
- Geoblocking, which prevents certain countries from accessing your site.
In addition, Let's Encrypt no longer verifies from a single location. For some time now (and even more so since March 2024), it performs its verifications from several countries at the same time – including new ones like Sweden or Singapore. Result: if one of these countries is blocked by your Cloudflare settings, the certificate request may fail, even if everything else is correctly configured.
Worse still: even if you try to make an exception solely for the challenge address (.well-known/acme-challenge), this does not necessarily work with certain Cloudflare rules. Indeed, country or IP blocking rules are applied before any URL path-based exception.
Adjust the SSL/TLS mode in Cloudflare
Cloudflare offers different levels of SSL encryption. If you are having trouble with the Let's Encrypt certificate, switch to "Full" or "Full (strict)" mode instead of "Strict only". These modes allow you to use a self-signed or temporarily expired certificate while waiting for the real certificate to be renewed.
Using custom rules (advanced users)
It is recommended not to use "IP Access Rules" that cannot be overridden, but to set up "Custom rules" with geoip or any other desired rule, and especially to allow the path "/.well-known/acme-challenge/" without access restrictions so that the Let's Encrypt challenges can pass despite the restrictions in place.
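The following added example (not code from Infomaniak or Cloudflare) simulates the evaluation order described in the two sections above: geoblocking implemented as an IP Access Rule is applied before any path-based exception, so the challenge path is still blocked, whereas the same geoblocking as a custom rule placed after a skip rule for /.well-known/acme-challenge/ lets the validation through while still keeping ordinary visitors from blocked countries out. The list of validation vantage countries is constructed, the model treats validation as failing if any vantage point is blocked (a conservative assumption), and the Cloudflare expressions quoted in the comments are only analogues, not settings taken from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Request:
    country: str  # ISO 3166-1 alpha-2 code of the connecting client
    path: str


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "block", or "skip" (stop evaluating and let the request through)


@dataclass
class Policy:
    # IP Access Rules: applied first; a match here cannot be overridden by a path exception
    ip_access_blocked_countries: Set[str] = field(default_factory=set)
    # Custom rules: evaluated in the order listed, first match wins
    custom_rules: List[Rule] = field(default_factory=list)


def evaluate(policy: Policy, req: Request) -> str:
    """Return 'allowed' or 'blocked:<rule>' for one request under this simplified model."""
    if req.country in policy.ip_access_blocked_countries:
        return "blocked:ip-access-rule"
    for rule in policy.custom_rules:
        if rule.matches(req):
            return "allowed" if rule.action == "skip" else f"blocked:{rule.name}"
    return "allowed"


def acme_validation_outcome(policy: Policy, vantage_countries: List[str], token: str) -> Tuple[bool, Dict[str, str]]:
    """Simulate the CA fetching the challenge URL from every vantage point.

    Assumption: validation succeeds only if every vantage point reaches the origin.
    """
    results = {c: evaluate(policy, Request(c, ACME_PREFIX + token)) for c in vantage_countries}
    return all(r == "allowed" for r in results.values()), results


# Constructed list of validation vantage points; not Let's Encrypt's authoritative list.
VANTAGE_COUNTRIES = ["US", "SE", "SG", "DE"]
GEOBLOCKED = {"US", "CH"}

# Rough analogues in Cloudflare's rule expression language (assumed, not from the page):
#   skip rule:  http.request.uri.path starts_with "/.well-known/acme-challenge/"
#   block rule: ip.geoip.country in {"US" "CH"}
ACME_SKIP = Rule("acme-skip", lambda r: r.path.startswith(ACME_PREFIX), "skip")
GEOBLOCK = Rule("geoblock", lambda r: r.country in GEOBLOCKED, "block")

# Weak: geoblocking as an IP Access Rule; the path exception never gets a chance to apply.
WEAK_POLICY = Policy(ip_access_blocked_countries=GEOBLOCKED, custom_rules=[ACME_SKIP])
# Also weak: both as custom rules, but the block rule is listed before the exception.
WRONG_ORDER_POLICY = Policy(custom_rules=[GEOBLOCK, ACME_SKIP])
# Recommended: geoblocking as a custom rule, with the challenge-path skip rule ahead of it.
FIXED_POLICY = Policy(custom_rules=[ACME_SKIP, GEOBLOCK])


if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("wrong order", WRONG_ORDER_POLICY), ("fixed", FIXED_POLICY)]:
        ok, per_country = acme_validation_outcome(policy, VANTAGE_COUNTRIES, "sample-token")
        print(f"{name:12s} validation {'passes' if ok else 'FAILS'}: {per_country}")
    # The fixed policy still keeps ordinary visitors from blocked countries out.
    print("US visitor to /index.html under fixed policy:", evaluate(FIXED_POLICY, Request("US", "/index.html")))
```

Running it shows the weak policy failing on the US vantage point, the wrong-order policy failing for the same reason despite the exception being present, and the fixed policy passing validation while still returning blocked:geoblock for a US visitor to any other path. When checking a real zone, the equivalent test is a certbot dry run, after which the only rule that should have fired for the challenge requests is the skip rule.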
Temporarily disable geographic blocking
If you block access to your site from certain countries (for example, to avoid attacks), consider temporarily lifting this restriction while Let's Encrypt performs its verification. Once the certificate is issued or renewed, you can reactivate the protections.