AutoSSL + Cloudflare + Redirect HTTP to HTTPS = Fail?

AutoSSL emailed errors saying it could not renew the certificate:

The validation required 1 HTTP redirect, but the AutoSSL provider “cPanel (powered by Comodo)” does not permit HTTP redirects. When the system accessed the “http://www.[mydomain.tld]/.well-known/pki-validation/xyz.txt” URL, it redirected to the “https://www.[mydomain.tld]/.well-known/pki-validation/xyz.txt” URL.

If I remove the HTTP to HTTPS redirection in Cloudflare, AutoSSL completes successfully.

Is it possible to use AutoSSL + Cloudflare + HTTP to HTTPS redirection? Surely this must be common.

Comments

  • The redirection is made too early, thanks to cloudflare...

    Make the redirection happen in the .htaccess instead of cloudflare.

  • @vovler said:
    The redirection is made too early, thanks to cloudflare...

    Make the redirection happen in the .htaccess instead of cloudflare.

    Like this? The internet is full of several variations of the following:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    I also read that Apache documentation now recommends against this and suggests a change to the main server config file... which I doubt is an option on shared hosting.

    For simplicity, is there a way to get Cloudflare's method to work? I don't know anything about htaccess.

  • Harambe Member, Host Rep

    Why use AutoSSL AND CloudFlare? Install CloudFlare's self-signed cert in cPanel for your domain and call it a day.

  • vovler Member
    edited February 2018

    @Harambe said:
    Why use AutoSSL AND CloudFlare? Install CloudFlare's self-signed cert in cPanel for your domain and call it a day.

    The request is only encrypted from the visitor to cloudflare, not from cloudflare to your server.

    @depricated said:

    @vovler said:
    The redirection is made too early, thanks to cloudflare...

    Make the redirection happen in the .htaccess instead of cloudflare.

    Like this? The internet is full of several variations of the following:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    I also read that Apache documentation now recommends against this and suggests a change to the main server config file... which I doubt is an option on shared hosting.

    For simplicity, is there a way to get Cloudflare's method to work? I don't know anything about htaccess.

    I don't know how to create exceptions in the cloudflare page rules... I tried to google it, but didn't find anything

  • cPanel also offers another solution. Thoughts?

    HTTP redirects seem to be pretty troublesome: specifically, the default cPanel/Comodo provider will fail if it finds a redirect. To address this, we’re implementing logic in 60 to insert mod_redirect exclusions into a virtual host’s .htaccess file when necessary.

    You can do this in 58, but it will be a manual process. Here are the exclusions to add in:

    For cPanel’s internal DCV checks:
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$

    For Comodo:
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

    For Let’s Encrypt:
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

    Insert these lines before every “RewriteRule” directive to ensure that domain control validation (DCV) will avoid redirects. Only the Comodo one should be strictly necessary, but the others are good ideas just in case.

    https://forums.cpanel.net/threads/autossl-and-http-redirects.567801/
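  • The two posts above (the one-line .htaccess redirect, and cPanel's advice to put the DCV exclusion conditions in front of every RewriteRule) can be checked before touching a live site. The script below is an added example, not code from the thread, from cPanel or from Cloudflare: it inserts the exclusion conditions into the sample .htaccess and then runs a small stand-in for mod_rewrite's condition logic over constructed request paths, showing that the Comodo, cPanel and Let's Encrypt validation URLs are served over plain HTTP while everything else is redirected. It assumes the exclusion regexes as quoted above with their backslash escapes restored; the host name www.example.test and the request paths are constructed sample input.

```python
"""
Added example (not from the thread, cPanel or Cloudflare): build the
.htaccess redirect with the DCV exclusions described above and check it
with a small stand-in for mod_rewrite's condition logic.

Assumptions: the exclusion regexes are the ones quoted in the thread with
their backslash escapes restored; 'www.example.test' and the request paths
below are constructed sample input.
"""
import re

# cPanel's exclusion patterns, used as negated RewriteConds: a REQUEST_URI
# that matches any of them must be served over plain HTTP, not redirected.
DCV_EXCLUSIONS = [
    r"^/[0-9]+\..+\.cpaneldcv$",                    # cPanel internal DCV, legacy location
    r"^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$",    # cPanel internal DCV
    r"^/[A-F0-9]{32}\.txt$",                         # Comodo, legacy root location
    r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",  # Comodo
    r"^/\.well-known/acme-challenge/",               # Let's Encrypt HTTP-01
]

# The redirect snippet from the thread, as a constructed sample .htaccess.
USER_HTACCESS = """RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""


def exclusion_conds():
    """The RewriteCond lines to place in front of a RewriteRule."""
    return [f"RewriteCond %{{REQUEST_URI}} !{pat}" for pat in DCV_EXCLUSIONS]


def add_dcv_exclusions(htaccess: str) -> str:
    """Insert the exclusion conditions before every RewriteRule.

    A condition block is the run of RewriteCond lines (comments and blank
    lines allowed) directly above a RewriteRule; conditions already in that
    block are not added again, so running this twice changes nothing.
    """
    out, block = [], set()
    for raw in htaccess.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            block.add(line)
        elif line.startswith("RewriteRule"):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.extend(indent + c for c in exclusion_conds() if c not in block)
            block.clear()
        elif line and not line.startswith("#"):
            block.clear()  # any other directive ends the condition block
        out.append(raw)
    return "\n".join(out) + "\n"


# Only the subset of mod_rewrite syntax used on this page is understood.
COND_RE = re.compile(r"^RewriteCond\s+%\{(HTTPS|REQUEST_URI)\}\s+(!?)(.+)$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$")


def simulate(htaccess: str, host: str, request_uri: str, https: bool = False):
    """Return the Location a redirecting RewriteRule would send, else None.

    Each RewriteCond is a regex tested against the variable's value, a
    leading '!' negates it, and all conditions must hold for the following
    RewriteRule to fire. This mirrors Apache only for the constructs above;
    it is a check on the regexes, not a substitute for testing the server.
    """
    values = {"HTTPS": "on" if https else "off", "REQUEST_URI": request_uri}
    conds = []
    for raw in htaccess.splitlines():
        line = raw.strip()
        m = COND_RE.match(line)
        if m:
            var, neg, pattern = m.groups()
            matched = re.search(pattern, values[var]) is not None
            conds.append(matched != bool(neg))
            continue
        m = RULE_RE.match(line)
        if m:
            pattern, subst, flags = m.groups()
            fires = all(conds) and re.search(pattern, request_uri) is not None
            conds = []
            if fires and flags and any(f.startswith("R") for f in flags.split(",")):
                return subst.replace("%{HTTP_HOST}", host).replace("%{REQUEST_URI}", request_uri)
    return None


if __name__ == "__main__":
    fixed = add_dcv_exclusions(USER_HTACCESS)
    print(fixed)
    comodo = "/.well-known/pki-validation/" + "A" * 32 + ".txt"
    for uri in ("/index.html", comodo, "/.well-known/acme-challenge/token"):
        print(f"{uri}\n  original: {simulate(USER_HTACCESS, 'www.example.test', uri)}"
              f"\n  fixed:    {simulate(fixed, 'www.example.test', uri)}")
```

    Run it and the original .htaccess redirects the Comodo validation path (the failure the thread opens with), while the version with the exclusions returns no redirect for that path and still redirects ordinary pages. The same exclusions only help when the redirect happens on the origin; a redirect applied at Cloudflare's edge fires before the request ever reaches .htaccess, which is why the first reply says to move it there.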

  • Harambe Member, Host Rep

    @vovler said:

    @Harambe said:
    Why use AutoSSL AND CloudFlare? Install CloudFlare's self-signed cert in cPanel for your domain and call it a day.

    The request is only encrypted from the visitor to cloudflare, not from cloudflare to your server.

    No, if you install a cert, any cert, it's encrypted between server + CF. In the SSL settings section you can generate a CloudFlare-signed cert to install on your server which allows you to enable the 'strict' SSL settings in CF without purchasing a cert or using Let's Encrypt.

  • Seems @vovler is describing Cloudflare's Flexible SSL, and @Harambe the Full or Full (strict) options.

    Wouldn't installing Cloudflare's certificates on the origin server require regular manual intervention? If so, I'd rather avoid that.

  • What script do you use? If it's PHP based, redirect to https in your config or header. Last time I tried, Let's Encrypt refused to validate if I threw it in .htaccess because it was https.

  • Harambe Member, Host Rep

    @depricated said: Wouldn't installing Cloudflare's certificates on the origin server require regular manual intervention? If so, I'd rather avoid that.

    You can issue a 10 year cert and get Full (strict) mode. No manual intervention after that initial install.

    You just literally copy/paste the certificate details it spits out into the SSL section in cPanel. Done deal.

  • Harambe said: You can issue a 10 year cert and get Full (strict) mode. No manual intervention after that initial install.

    You just literally copy/paste the certificate details it spits out into the SSL section in cPanel. Done deal.

    Ok, I created a certificate in Cloudflare (no 10 year... it's 15 haha), entered the details in the shared hosting cPanel, and enabled HTTPS redirects and Full (strict) mode in Cloudflare.

    I don't know if it was necessary, but I also deleted the old certificates in cPanel.

    mail.mydomain.tld and webmail.mydomain.tld are on a different server (mxroute), which uses AutoSSL.

    Is this setup ok?

  • Harambe Member, Host Rep

    @depricated said:

    Is this setup ok?

    Seems fine to me - is everything loading as expected?

    Pointing those subdomains at MXRoute shouldn't cause any issues as long as you followed the guide.

  • As far as I can tell, everything is working. No problems with accessing webmail either. I didn't change anything at mxroute's servers. Also passed the SSL tests at https://www.ssllabs.com/

    Harambe said: Pointing those subdomains at MXRoute shouldn't cause any issues as long as you followed the guide.

    So it's ok to have different certificates (Let's Encrypt) at some subdomains (mail, webmail), even though the certificate from Cloudflare has a wildcard covering all subdomains?

  • Harambe Member, Host Rep

    depricated said: So it's ok to have different certificates (Let's Encrypt) at some subdomains (mail, webmail), even though the certificate from Cloudflare has a wildcard covering all subdomains?

    Wildcard means it would work on any of those subdomains if applied there, doesn't mean you need to use it on them.

    If I'm not mistaken the way the MXRoute white label subdomains work is by pointing those subdomains at MXRoute's server and they handle the AutoSSL, so you don't need to touch any SSL configuration there.

  • Perfect. Thanks so much for your help. Hopefully cPanel will stop emailing me warnings now.

    One confusing bit is that there seem to be different types of certificates with different expiration dates. E.g. the browser shows 6 months to expiration. But at least cPanel shows the expected 15 year expiry.

  • Harambe Member, Host Rep

    @depricated said:
    Perfect. Thanks so much for your help. Hopefully cPanel will stop emailing me warnings now.

    One confusing bit is that there seem to be different types of certificates with different expiration dates. E.g. the browser shows 6 months to expiration. But at least cPanel shows the expected 15 year expiry.

    No problem.

    The 15 year cert is just their self-signed cert, no one will ever publicly get that cert - it's just for encrypting traffic from your server to CloudFlare servers.

    The public-facing cert you see is generated by CloudFlare (on their servers) and the renewal will be handled by them automatically, probably within 30-60 days of it expiring.
