Renew letsencrypt certificate for sites under Cloudflare

Cloudflare act as a guard that hide your server's real IP. However, this make Letsencrypt's certbot renew fail when using its default renewal method. One workaround is turn off Cloudflare's proxy settings temporarily, renew cert and then turn everything back.


Update on Aug. 2023

With latest certbot, user are not required to turn off any cloudflare security settings for renewal.

And gernally, you do not need to do any manual renewal after the first cert is accquired from letsencrypt. A timer job is automatically executed twice a day. For example, systemd user can view the job via:

systemctl status certbot.timer

Update on Apr. 2022

Now the only thing need to do every time is step 2, turning SSL/TLS mode to off, the Always Use Https options will turned off automatically and step 1 is not needed.


Login into Cloudflare control panel, make those changes (keep an eye on your old settings cause we have to change it back afterwards)

  1. In DNS management, turn any A/AAAA record's proxy status from proxied to DNS only.
  2. In SSL/TLS>Overview, turn SSL/TLS encryption mode to off

3.  In SSL/TLS>edge certificates, turn off Always Use Https

Log in site's server, stop any web service like nginx/apache and run certbot renew

After renewal success, back to cloudflare and turn everything back.


There may better ways to renew certs without change Cloudflare settings e.g. use another verification method or use the Cloudflare API key. Checkout other resource: