How to Fix Cloudflare + Let's Encrypt SSL with HTTP-01 (Tutorial)


After connecting your domain to Cloudflare, you may be like me, wondering:

How do you keep and renew existing Let's Encrypt certificates with Cloudflare?

In this short post, I'll show you how to fix HTTP-01 (webroot) validation when renewing your Let's Encrypt certificates while using Cloudflare.

Note

This tutorial assumes that you have Let's Encrypt configured on your web server. If you don't, see the tutorial below about setting up Let's Encrypt with auto-renew via HTTP-01.

Tutorial: Let's Encrypt HTTP-01 Setup

Since Cloudflare sits between your users and your web server, ideally we want Full (Strict) SSL which enforces encryption between your users and Cloudflare and between Cloudflare and your origin server.

Cloudflare Full (Strict) SSL mode

Why doesn't Let's Encrypt HTTP-01 work with Cloudflare?

If you have Let's Encrypt certificates, your origin server already should handle SSL properly.

But HTTP-01 ACME renewal challenges don't automatically work with Cloudflare because Cloudflare sits as a reverse proxy in front of your server.

When Let's Encrypt tries to validate the challenge by requesting the challenge file at http://yourdomain.com/.well-known/acme-challenge/, the request goes through Cloudflare first, which by default may cache the response and automatically redirect the plain-HTTP request to HTTPS.

This caching and HTTP-to-HTTPS rewriting can prevent Let's Encrypt from seeing the fresh challenge response file your server created.

How to fix Let's Encrypt HTTP-01 with Cloudflare

To fix this issue, we'll have a few options:

  1. Cloudflare Universal SSL/TLS + Cloudflare Origin Certificate

  2. Cloudflare Universal SSL/TLS + Let's Encrypt

The first method involves removing your Let's Encrypt certs and using Cloudflare origin CA certificates to encrypt traffic between Cloudflare and your origin web server.

This can often work well, but also has some drawbacks, mainly:

  • Longer maximum validity period (up to 15 years) can be considered less secure than Let's Encrypt's 90-day rotation
  • Origin certificates do not work with direct-to-origin traffic (those who bypass Cloudflare)
  • There may be issues with client-to-server calls made during server-side rendering (SSR), because all traffic must go through Cloudflare's proxy

Warning

Using Cloudflare's Origin CA certificates can break SSR client-server communications. Origin CA certs are meant only for communication between Cloudflare and your origin server. One main advantage of using Let's Encrypt for your origin server is to allow Full (Strict) SSL while avoiding SSR or intercommunication concerns between services on your web server. Otherwise, when using Cloudflare Origin CA certs you will need to ensure all frontend SSR data fetching is done through your Cloudflare-proxied domain.

Let's dive into the solution of how to keep and renew Let's Encrypt via HTTP-01 / webroot validation for your origin server.

Enable Full (Strict) SSL

As explained above, we want Full (Strict) SSL to ensure end-to-end encryption by requiring valid, trusted certificates on both ends.

First, let's ensure Full (Strict) SSL is enabled. In your Cloudflare dashboard, navigate to SSL/TLS > Overview:

Cloudflare Settings SSL/TLS

Then click "Configure":

Cloudflare SSL Settings

Make sure Full (Strict) is selected.

Create a Cloudflare Configuration Rule

Navigate to Rules > Overview and scroll down to Configuration Rules:

Cloudflare New Configuration Rules

Create a new configuration rule, name it (such as "Let's Encrypt"), and define the filter expression.

The filter expression should look something like:

http://*.yourdomain.com/.well-known/acme-challenge/*

Cloudflare Configuration Rule Filter Expression

Note

Make sure to use HTTP, not HTTPS, here since Let's Encrypt HTTP-01 challenge uses (as per its name) HTTP.

Then, click "+Add" under Automatic HTTPS Rewrites and make sure it is disabled. This turns off Cloudflare's Automatic HTTPS Rewrites for our webroot ACME challenge endpoints only, so the rest of the site keeps redirecting to HTTPS.

Cloudflare Automatic HTTPS Rewrites Rule

Click "Save" and you're all set with the Configuration Rules.

Create a Cloudflare Cache Rule (Optional)

If you're using Cloudflare's Cache, you'll want to create a similar Cache Rule and select "Bypass cache":

Cloudflare Cache Rule Bypass

Otherwise, Cloudflare may cache old ACME challenges and/or not allow Let's Encrypt to properly verify due to caching.

Test Your Let's Encrypt Renewal

Lastly, to confirm that Let's Encrypt webroot/HTTP-01 validation is working, you can run:

    sudo certbot renew --dry-run

You may need to wait a few moments for the rule changes to propagate through Cloudflare's network, but hopefully your HTTP-01 / webroot renewal is working.
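Before running the dry run, it helps to fetch the challenge path exactly the way the ACME server will and confirm the two rules above are in effect. The script below is an added example, not from the original post: you first write a throwaway token file into your webroot's .well-known/acme-challenge/ directory, then run it with your domain and that token (both are assumed command-line inputs). It flags a redirect to HTTPS, a response served from Cloudflare's cache, or a stale body.

```python
"""Pre-flight check for Let's Encrypt HTTP-01 behind Cloudflare (added example).

Usage: python3 acme_probe.py yourdomain.com <token>
where <token> is the name and contents of a file you created under
<webroot>/.well-known/acme-challenge/ on the origin.
"""
import sys
import urllib.request
from urllib.error import HTTPError

# cf-cache-status values that mean Cloudflare answered from its edge cache
# instead of asking the origin. Any of these would hide a fresh challenge file.
CACHED_STATUSES = {"HIT", "STALE", "REVALIDATED", "UPDATING"}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so an
    Automatic HTTPS Rewrite shows up as a failure rather than being hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def evaluate(status, headers, body, token):
    """Return (ok, problems) for one fetch of the acme-challenge URL.

    headers: dict with lowercase header names; body: bytes from the server.
    """
    problems = []
    if 300 <= status < 400:
        problems.append(f"redirected ({status}) to {headers.get('location')}: "
                        "Automatic HTTPS Rewrites is still active on this path")
    elif status != 200:
        problems.append(f"unexpected HTTP status {status}")
    cache = headers.get("cf-cache-status", "")
    if cache.upper() in CACHED_STATUSES:
        problems.append(f"served from Cloudflare cache (cf-cache-status={cache}): "
                        "add a Bypass cache rule for /.well-known/acme-challenge/*")
    if status == 200 and body.strip() != token.encode():
        problems.append("body does not match the token written to the webroot")
    return (not problems, problems)


def probe(domain, token):
    """Fetch http://<domain>/.well-known/acme-challenge/<token> over plain HTTP."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except HTTPError as err:  # urllib raises on 3xx/4xx; inspect it anyway
        resp = err
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return evaluate(resp.getcode(), headers, resp.read(), token)


if __name__ == "__main__":
    ok, problems = probe(sys.argv[1], sys.argv[2])
    print("OK: challenge path reachable from the origin" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```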

With that, your Let's Encrypt certs should be all set and work seamlessly with Cloudflare. Let me know your thoughts, feedback, or questions.

Ryan Chiang
