Certificates not auto-renewing when using Cloudflare CDN

The solution is on the Cloudflare side:

1. Under Page Rules:
   - Create a Page Rule as the first rule for `*.domain.tld/.well-known/acme-challenge/*`
   - Add the setting SSL and set it to Off
2. Under DNS:
   - Add a record of type CAA
   - Under Tag you have to choose whether you allow Let's Encrypt to deliver `*` (wildcard) certificates or only certificates for specific hostnames (which I prefer)
   - Set the Value to `letsencrypt.org`
   - You will end up with something like this:
     `CAA domain.tld 0 issue "letsencrypt.org" Automatic`
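The CAA record in step 2 is what tells a CA whether it may issue for the zone, and the `issue` vs `issuewild` tag is exactly the wildcard-or-hostname choice mentioned above. The following is an added example, not code from the post or from YunoHost or Cloudflare: it parses CAA records in presentation format and evaluates them the way RFC 8659 says a CA must, so you can check what a record set actually permits before relying on it. The record lines are constructed for the example; only `0 issue "letsencrypt.org"` comes from the post.

```python
"""Evaluate DNS CAA records (RFC 8659) as a CA such as Let's Encrypt would.

Constructed example: the record lines below are made up for illustration;
the only one taken from the forum post is 0 issue "letsencrypt.org".
"""
from dataclasses import dataclass
from typing import Iterable, List

KNOWN_TAGS = ("issue", "issuewild", "iodef")
CRITICAL_FLAG = 0x80  # "issuer critical" bit of the flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse the RDATA part of a CAA record: '<flags> <tag> "<value>"'."""
    parts = rdata.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    flags, tag, value = parts
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def ca_may_issue(records: Iterable[CAARecord], ca_domain: str,
                 wildcard: bool = False) -> bool:
    """Return True if the CA identified by ca_domain may issue for this set.

    Rules applied (RFC 8659 section 4):
      * a record with the critical flag and an unknown tag forbids issuance;
      * for wildcard names, 'issuewild' records win if any exist, otherwise
        'issue' records apply; for non-wildcard names only 'issue' applies;
      * if no relevant records exist, issuance is not restricted;
      * otherwise the CA must match the issuer domain of some record
        (a value of ";" names no CA and therefore permits nobody).
    """
    recs = list(records)
    for r in recs:
        if r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS:
            return False
    issue = [r for r in recs if r.tag == "issue"]
    issuewild = [r for r in recs if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


def permitted_certificate_kinds(rdata_lines: List[str], ca_domain: str) -> dict:
    """Summarise what a CAA record set lets one CA issue."""
    recs = [parse_caa(line) for line in rdata_lines]
    return {
        "hostname": ca_may_issue(recs, ca_domain, wildcard=False),
        "wildcard": ca_may_issue(recs, ca_domain, wildcard=True),
    }


# The record from the post: Let's Encrypt may issue both kinds, because
# without an 'issuewild' record the 'issue' record also governs wildcards.
POST_RECORDS = ['0 issue "letsencrypt.org"']

# Constructed variant for "specific hostnames only": an 'issuewild' of ";"
# names no CA, so wildcard issuance is refused while hostname issuance stays.
HOSTNAME_ONLY_RECORDS = ['0 issue "letsencrypt.org"', '0 issuewild ";"']

if __name__ == "__main__":
    for name, lines in (("post", POST_RECORDS), ("hostname-only", HOSTNAME_ONLY_RECORDS)):
        print(name, permitted_certificate_kinds(lines, "letsencrypt.org"))
```

Run it against the RDATA you actually see in Cloudflare (for example from `dig CAA domain.tld +short`); if the `wildcard` result is not what you intended, the tag choice in step 2 is wrong for your setup.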

But in the end, whether Let's Encrypt or the self-signed certificate already generated by YunoHost is used changes nothing: everything will be encrypted from the user to Cloudflare and then from Cloudflare to your YunoHost, which means you and your users have to trust Cloudflare because they act as a man in the middle.
