Certificates not auto-renewing when using Cloudflare CDN

My YunoHost server

Hardware: VPS bought online
YunoHost version: 3.6.4.3
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

I’m using Cloudflare for DNS and CDN purposes and I’ve noticed just recently that my SSL certs from Let’s Encrypt are not renewing. I tried manually renewing them and realized the issue was that, because of the CDN feature being enabled, it would look for Cloudflare’s IP instead of mine, and because of that the certs were not automatically renewed.

Info: Now attempting install of certificate for domain foo.com!
Warning: Debug information:
 - domain ip from DNS        104.31.86.40
 - domain ip from local DNS  185.xxx.xxx.xxx
 - public ip of the server   185.xxx.xxx.xxx

Is there a way to do that? Just tried with --no-checks but it didn’t work.

I know I could disable CF, but I wanna use it.

Thank you.

I don’t think there’s any obvious fix … the way Let’s Encrypt works relies on your DNS record pointing to the right IP. If that’s not the case then it can’t work. Though there are alternative “challenges” in Let’s Encrypt which allow delivering a certificate through different methods, e.g. a DNS challenge. But it’s not integrated in YunoHost so it’s up to you to tweak whatever needs to be tweaked to make it work …

The solution is on the Cloudflare side:

  1. Under Page Rules
     Create a Page Rule as the first rule:
     *.domain.tld/.well-known/acme-challenge/*
     add the setting SSL and set it to Off

  2. Under DNS
     add a record of type CAA
     under Tag you have to choose whether you allow Let’s Encrypt to deliver * (wildcard) certificates or only for a specific hostname (which I prefer)
     allow Value letsencrypt.org
     you will end up with something like this:
     CAA domain.tld 0 issue "letsencrypt.org" Automatic

But in the end, Let’s Encrypt or the self-signed certificate already generated by YunoHost will change nothing: everything will be encrypted from
the user to Cloudflare and then from Cloudflare to your YunoHost, which means you and your users have to trust Cloudflare because they act as a man in the middle.

If it is still not working,
try to reduce the Max Age Header (max-age) to 2 months
under Crypto and HSTS.
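The two checks that matter in this thread (does the public A record point at the origin or at the CDN, and does the zone's CAA record let letsencrypt.org issue) can be rehearsed offline before touching the renewal. The script below is an added example, not YunoHost's or Cloudflare's code: it parses a debug block in the same format as the one quoted in the first post (with the masked 185.x address replaced by the constructed documentation address 203.0.113.10), classifies the mismatch, and evaluates CAA rdata such as `0 issue "letsencrypt.org"` following the RFC 8659 issue/issuewild rules. All inputs are constructed inline, so nothing is resolved over the network.

```python
"""Offline rehearsal of the DNS-view and CAA checks behind a Let's Encrypt
renewal failure behind a proxying CDN. Added example, not project code."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample in the format of YunoHost's debug block; the masked
# origin address from the thread is replaced by 203.0.113.10 (TEST-NET-3).
DEBUG_OUTPUT = """\
Warning: Debug information:
 - domain ip from DNS        104.31.86.40
 - domain ip from local DNS  203.0.113.10
 - public ip of the server   203.0.113.10
"""

# ' - <label>   <ip>' : label and address are separated by two or more spaces.
_DEBUG_LINE = re.compile(r"^\s*-\s+(?P<label>.+?)\s{2,}(?P<ip>\S+)\s*$")


def parse_debug(text: str) -> Dict[str, str]:
    """Map each 'label   ip' line of the debug block to {label: ip}."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = _DEBUG_LINE.match(line)
        if m:
            found[m.group("label")] = m.group("ip")
    return found


def diagnose(public_dns_ip: str, local_dns_ip: str, server_ip: str) -> str:
    """Classify the three views the way an operator reads the debug block.

    'ok'           every view agrees; an HTTP-01 challenge reaches this host
    'cdn-proxied'  local DNS and the server agree but the public record points
                   elsewhere, i.e. a proxying CDN sits in front of the origin
    'dns-mismatch' the public record does not match the server at all
    """
    pub, local, srv = (ip_address(x) for x in (public_dns_ip, local_dns_ip, server_ip))
    if pub == srv:
        return "ok"
    if local == srv:
        return "cdn-proxied"
    return "dns-mismatch"


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


# rdata form: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
_CAA_RR = re.compile(r'^\s*(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$')


def parse_caa(rdata: str) -> CAARecord:
    m = _CAA_RR.match(rdata)
    if not m:
        raise ValueError(f"not CAA rdata: {rdata!r}")
    return CAARecord(int(m.group("flags")), m.group("tag").lower(), m.group("value"))


def _issuer_domain(value: str) -> str:
    # Issuer domain is the part before the first ';'; parameters follow it.
    # An empty issuer (value ";") means no CA may issue.
    return value.split(";", 1)[0].strip().lower()


def caa_allows(rdatas: List[str], ca: str = "letsencrypt.org", wildcard: bool = False) -> bool:
    """RFC 8659: wildcard requests use issuewild records when any exist,
    otherwise issue records; no relevant records means no restriction."""
    records = [parse_caa(r) for r in rdatas]
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True
    return any(_issuer_domain(r.value) == ca.lower() for r in relevant)


if __name__ == "__main__":
    info = parse_debug(DEBUG_OUTPUT)
    print(diagnose(info["domain ip from DNS"],
                   info["domain ip from local DNS"],
                   info["public ip of the server"]))        # cdn-proxied
    print(caa_allows(['0 issue "letsencrypt.org"']))        # True
    print(caa_allows(['0 issue "letsencrypt.org"', '0 issuewild ";"'],
                     wildcard=True))                          # False
```

The CDN verdict is the condition the first post describes: the origin and its local resolver agree, only the public record differs, so an HTTP-01 validation request arrives at the proxy and not at the host that knows the challenge token. The CAA helper also shows why a zone with `issue "letsencrypt.org"` alone still permits wildcard issuance, while adding `issuewild ";"` restricts it to hostnames, which is the "specific hostname" choice the post prefers.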

Would that work with Full SSL (Strict) config from Cloudflare?

According to Cloudflare, this means that your traffic is encrypted at all stages, if I understood correctly.