The joy of first setting up Cloudflare and seeing those pagerank and pagespeed scores award you A grades can quickly turn to anguish when you next come to auto-renew your Let’s Encrypt SSL certificate, only to be met with a warning that the certificate couldn’t be renewed. Luckily there’s a quick fix that can get you back on track.
What’s the problem?
Cloudflare takes over delivery of your website by routing your domain through its servers and serving visitors a cached copy from its edge so that pages download as quickly as possible. Whilst this is great for getting the website to your visitors fast, it also means Cloudflare controls what is and isn’t allowed to happen. Access is blocked to areas that Cloudflare deems sensitive, and this includes the /.well-known/acme-challenge/ folder on your server, which Let’s Encrypt uses to check that the website is the one that should receive the certificate. If that check can’t reach the folder, the domain won’t verify and your certificate won’t be renewed.
What’s the solution?
You have to tell Cloudflare to exempt the folder from its SSL protection by using the following code
and dropping it into the Page Rules area of the Cloudflare dashboard, clicking Add a Setting, selecting SSL and changing the dropdown to Off. Just remember to swap out yoursite.xyz for your actual website address (you don’t need to add the http:// prefix; the leading * wildcard matches whatever comes before the domain).
This then allows Let’s Encrypt to access this folder and run its checks. After that, it should all be plain sailing!
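Before kicking off a renewal it is worth confirming that the page rule actually took effect. The script below is an added example, not part of the original post: it drops a throwaway token into the webroot, fetches it over plain HTTP through Cloudflare without following redirects, and reports whether the challenge path comes back untouched. The hostname and webroot directory are assumptions you supply.

```python
"""Pre-renewal check: is /.well-known/acme-challenge/ reachable through Cloudflare?"""
import http.client
import secrets
from pathlib import Path

ACME_PATH = "/.well-known/acme-challenge/"


def evaluate_challenge_response(status, headers, body, token):
    """Classify the response for a challenge URL. Returns (ok, reason).

    With the SSL-Off page rule in place Cloudflare should neither redirect
    nor block the path; a 3xx, 403 or 5xx means the rule is not in effect.
    """
    if 300 <= status < 400:
        return False, f"redirected to {headers.get('location', '?')} (SSL rule not in effect?)"
    if status in (403, 503):
        return False, f"HTTP {status}: Cloudflare is blocking the path"
    if status != 200:
        return False, f"unexpected HTTP {status}"
    if body.strip() != token:
        return False, "body does not match token (served from cache or rewritten?)"
    return True, "challenge path reachable"


def check_acme_path(host, webroot, port=80, timeout=10):
    """Write a random token into the webroot's challenge folder, fetch it via
    HTTP (assumed: the host resolves to Cloudflare) and evaluate the reply."""
    token = secrets.token_urlsafe(32)
    probe = Path(webroot) / ".well-known" / "acme-challenge" / token
    probe.parent.mkdir(parents=True, exist_ok=True)
    probe.write_text(token)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token,
                     headers={"Host": host, "Cache-Control": "no-cache"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return evaluate_challenge_response(resp.status, headers, body, token)
    finally:
        conn.close()
        probe.unlink(missing_ok=True)  # never leave the probe file behind


if __name__ == "__main__":
    # Assumed values: replace with your own domain and webroot.
    print(check_acme_path("yoursite.xyz", "/var/www/html"))
```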