How to Fix cPanel AutoSSL Errors Under a Cloudflare Proxy

A short while back, I woke up in the morning to find all my Let’s Encrypt SSL certificates had expired. How was this possible? I had been using AutoSSL or Let’s Encrypt for years and they were renewing without any issues. So I went into my web hosting panel and tried to renew them manually, but they all failed. Meanwhile, I was freaking out because my visitors were seeing error messages across all my sites. I frantically contacted my hosting customer support, and they told me that my Let’s Encrypt and AutoSSL SSL certificates couldn’t be renewed because I was using Cloudflare as a proxy.

“This must be a mistake,” I thought. After all, I had been using Cloudflare as a proxy for years, and had never had a problem with AutoSSL or Let’s Encrypt SSL renewal. But here my web hosting support guy was telling me that I need to un-proxy my site from Cloudflare!

After much hair-pulling, I finally settled on a permanent solution that won’t expire in 3 months.

cPanel AutoSSL Renewal Errors Thanks to Cloudflare

I don’t know what changed, but apparently, you now can’t renew Let’s Encrypt or AutoSSL certificates from cPanel if Cloudflare is proxying your site. Here’s a screenshot of the chat transcript I had with my web hosting support:

Web hosting chat support on how my AutoSSL certificates weren’t renewing thanks to Cloudflare

Now I still think that Cloudflare is the best CDN provider, and it’s done wonders for my site’s TTFB – especially with full site caching. So I’m not going to stop using them. But I don’t blame the support rep. They’re only telling me what they think is the problem. How do I explain to them that my SSL certificates have been renewing for years without any problem? In any case, I was forced to temporarily un-proxy my site from Cloudflare and use it only as a DNS. Then my Let’s Encrypt and AutoSSL certificates were renewed without a problem.

The Problem: Cloudflare Hides your Server’s IP Address

The problem, of course, is that Cloudflare hides your IP address, thanks to the “orange cloud” proxy icon as shown here:

Cloudflare Proxy Hides your IP Address Preventing AutoSSL Renewal

This is great for keeping your site safe, but when you try to renew your Let’s Encrypt SSL certificates, the cPanel tool checks which IP address your domain resolves to, and it will only renew the certificate if that address belongs to the cPanel server. Under Cloudflare, however, the domain name resolves to a Cloudflare IP address, so the AutoSSL renewal fails.

There’s no way around this. It’s a fundamentally incompatible situation.

Unsustainable: My Certificates will Expire Again in 3 Months!

The problem is that after 90 days, my AutoSSL certificates will once again fail to renew. If I want to continue using Cloudflare as a proxy, it seems I will have to:

  1. Set a reminder before they expire
  2. Remove the proxy functionality from Cloudflare from all my sites
  3. Renew my Let’s Encrypt certificates
  4. Turn on Cloudflare proxy again

This is not only too much work, it increases the chances of something going wrong. What if I’m on vacation without access to the Internet when my certificates expire? I needed a more durable solution.

Permanent Fix: Use a Cloudflare Origin Certificate for 15 Years

Unfortunately, there’s no way to continue using AutoSSL or Let’s Encrypt SSL certificates with cPanel under a Cloudflare proxy. Sooner or later, the renewal will fail. And you can’t keep manually stopping the proxy every three months for every site you own. Instead, the best solution is to use a Cloudflare Origin certificate that’s valid for 15 years. This is a permanent solution to the problem, and you can turn on the Full (Strict) encryption mode for your site.

How to Install a Cloudflare Origin Certificate on cPanel

To permanently stop worrying about AutoSSL renewal, here’s how to install a Cloudflare Origin certificate.

Step 1: Create a Certificate on the Cloudflare SSL/TLS Tab

First, go to your Cloudflare dashboard and click the “SSL/TLS” tab. Then click the “Origin Server” sub-tab and hit “Create Certificate” as shown here:

Cloudflare Origin Certificate Valid for 15 Years

In this screenshot, I’ve already generated an origin certificate. And since it is 2021 as I write this, this certificate will expire in 2036. You don’t have to renew it till then. Pretty neat! Once you click “Create Certificate”, verify your domain details on the next screen:

Configure the Cloudflare Origin SSL Certificate

The default settings should be fine in most cases. This SSL certificate covers your root domain, all subdomains, and you can even use wildcards to cover sub-sub-domains if needed. Confirm your details, and generate the certificate on the next screen. You’ll see two boxes with text in them:

  1. The Cloudflare certificate itself
  2. The private key

Copy and Save the Cloudflare Origin Certificate and Private Key in Two Separate Files

Copy each of these and save them in two separate text files. In particular, save the private key in a place where no one else can access it. This key can be used to decrypt communications between your web host server and Cloudflare. So keep it safe!

Step 2: Install the Cloudflare Origin Certificate in cPanel

For the next step, log into your cPanel dashboard and go to the “SSL/TLS” section. Now click through to the certificates section where you can generate, view, upload, or delete SSL certificates from your server:

Certificates Section in SSL/TLS Manager in cPanel

In the certificates screen, scroll down to the section called “Upload a New Certificate”. Paste your certificate (not the private key) into the text area provided:

Paste the Cloudflare Origin Certificate into the cPanel SSL Upload Section

You’ll know you’ve got it right because the area below will immediately populate with the details of the Cloudflare Origin certificate. Make sure the details are accurate, and then save the certificate. I suggest you also add a brief description of the certificate.

Step 3: Check to See that the Certificate is Added in cPanel

After saving the certificate, scroll up to the top to see if it’s been added to the list. You can see here that my list of SSL certificates now contains the one from Cloudflare that I just uploaded.

Cloudflare Origin Certificate is Installed on cPanel

And you’re done! You now don’t need to worry anymore about your AutoSSL certificates expiring because of Cloudflare. Thanks to the origin certificate, you’re set for the next 15 years :).

Step 4: Change the Cloudflare Encryption Mode to Full (Strict)

For maximum security, head back to the Cloudflare SSL/TLS section and select the last option, Full (Strict):

Enable Full (Strict) Encryption Mode on Cloudflare

Congratulations! You now never need to worry about AutoSSL or Let’s Encrypt SSL certificates expiring because you’re behind a Cloudflare proxy.

Enabling AutoSSL When you Use Cloudflare as “DNS Only”

Since the certificate we installed is only valid for encrypting traffic between your web hosting origin server and Cloudflare, you’ll run into problems if you ever disable the Cloudflare proxy and use the “DNS Only” functionality. To get around this, just create the AutoSSL certificates when you’re not using the proxy. It’ll take a couple of minutes and you’ll be set for the next 3 months at least. It’s not ideal, sure. But it’s the best solution I’ve come up with so far.
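Before pasting the two files from Step 1 into cPanel, and to see concretely why that same certificate is a problem in the “DNS Only” case above, here is an added Go example (mine, not code from this post, cPanel or Cloudflare). It checks that the private key belongs to the certificate, which hostnames the certificate covers, how many days it has left, and whether a browser-style chain build to the system roots succeeds; the origin certificate itself is replaced by a constructed self-signed stand-in because no real one is embedded here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Report holds the checks worth doing before pasting an origin certificate into cPanel.
type Report struct{ KeyMatches, CoversHost, PubliclyTrusted bool; DaysUntilExpiry int }

// CheckOriginCert inspects a PEM certificate and its private key for one hostname.
func CheckOriginCert(certPEM, keyPEM []byte, host string, now time.Time) (r Report, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return r, errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return r, err
	}
	_, err = tls.X509KeyPair(certPEM, keyPEM) // fails when the key does not belong to the cert
	r.KeyMatches = err == nil
	r.CoversHost = cert.VerifyHostname(host) == nil // *.example.com does not cover a.b.example.com
	r.DaysUntilExpiry = int(cert.NotAfter.Sub(now).Hours() / 24)
	// Build a chain to the system roots, as a browser does on a "DNS only" site; an origin cert fails.
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, CurrentTime: now})
	r.PubliclyTrusted = err == nil
	return r, nil
}

// makeSample is a constructed self-signed 15-year stand-in for an origin certificate (example.com, *.example.com); errors are ignored because these fixed inputs cannot fail.
func makeSample(now time.Time) (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.com", "*.example.com"},
		NotBefore:    now,
		NotAfter:     now.AddDate(15, 0, 0),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	kder, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}
```

For the real files, read the two text files you saved in Step 1 and pass them to CheckOriginCert with your site’s hostname; PubliclyTrusted will be false for a genuine origin certificate too, which is exactly why the site must stay proxied.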

Hopefully, this tutorial saves you hours of hair-pulling frustration. Web hosts and Cloudflare don’t document this aspect of SSL at all, so this should help!

About Bhagwad Park

I've been writing about web hosting and WordPress tutorials since 2008. I also create tutorials on Linux server administration, and have a ton of experience with web hosting products. Contact me via e-mail!
