Will certificate generation work behind cloudflare?

[sandrodz]

I recently enabled cloudflare (proxy with full strict ssl) for one of the sites behind docker-letsencrypt-nginx-proxy-companion.

Meaning:
client browser <-> cloudflare (full strict ssl) <-> nginx proxy (letsencrypt)

This KB article states: https://support.cloudflare.com/hc/en-us/articles/214820528-How-to-Validate-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare

As a note, the default method used for ACME authentication by the Let's Encrypt client utilizes the DVSNI method. This will fail for a domain which has Cloudflare enabled as we terminate SSL (TLS) at our edge and the ACME server will never see the certificate the client presents at the origin. Using alternate ACME validation methods, such as DNS or HTTP will complete successfully when Cloudflare is enabled.

Since companion uses simp_le, it seems HTTP is the default method, and that it should work.

Anyone?

[lukecyca]

It is not working for me. I get the following error:

/etc/cron.daily/letsencrypt-renew:
Attempting to renew cert (example.ca) from /etc/letsencrypt/renewal/example.ca.conf produced an unexpected error: Failed authorization procedure. example.ca (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure, www.example.ca (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure. Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/example.ca/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
run-parts: /etc/cron.daily/letsencrypt-renew exited with return code 1

(I've changed my domain to example.ca in the output above)

[lukecyca]

It turns out I was running an older version of letsencrypt-nginx-proxy-companion.

I pulled the latest image, and manually renewed using force_renew and all my certificates were successfully renewed even though they are sitting behind cloudflare.

[sandrodz]

I can also confirm, this seems to be working out of box. I'm still waiting to make sure its bulletproof, after few auto renewals.

[buchdag]

This comment might be helpful to people using Cloudflare: #247 (comment)