Using AutoSSL with CloudFlare
Knowledgebase Article
Using cPanel's AutoSSL feature with CloudFlare can sometimes lead to complications, especially during the SSL certificate renewal process. This is often due to the 'Always Use HTTPS' and Strict mode settings in CloudFlare. This guide aims to provide a comprehensive solution to these issues, including how to set up HTTPS redirects using .htaccess.
When using CloudFlare with cPanel's AutoSSL, you may encounter errors that prevent SSL certificate renewal. One such error message might read:
Local HTTP DCV error (domain.com): The content "301 Moved Permanently 301 Moved Permanently…" of the DCV (Domain Control Validation) file did not match the expected value.
The reason you see this error is that Sectigo, who issue cPanel's AutoSSL certificates, will not issue the certificate if the domain is redirecting. This is the case when CloudFlare is configured to Always Use HTTPS, as that setting introduces a redirect from http:// to https:// for every request to the domain, including the DCV validation request.
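The following is an added example, not code from cPanel, Sectigo or CloudFlare, that reproduces the failure described above on your own machine: it starts a tiny local origin, once configured to redirect everything (as 'Always Use HTTPS' or a catch-all http-to-https rule would) and once serving the validation file, and probes the DCV path without following redirects, which is how a DCV client behaves. The path layout follows cPanel's /.well-known/pki-validation/ convention; the file name, token value and helper names (probe_dcv, run_origin, demo) are constructed for this example. Pointing probe_dcv at your real http:// hostname with the real file name and token is a quick way to check whether the DCV request is still being redirected before you ask AutoSSL to retry.

```python
"""Simulate a local HTTP DCV check to show why a blanket http->https redirect
breaks AutoSSL renewal. Added example; not cPanel's or CloudFlare's code."""
import http.server
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed sample values: only the directory layout matches cPanel's DCV
# convention; the file name and token are made up for this example.
DCV_PATH = "/.well-known/pki-validation/EXAMPLE_TOKEN.txt"
DCV_TOKEN = b"example-dcv-token-value\n"


class _Origin(http.server.BaseHTTPRequestHandler):
    """Tiny origin: redirects everything when redirect_all is set (like
    'Always Use HTTPS'), otherwise serves the DCV file and 404s elsewhere."""
    redirect_all = False

    def do_GET(self):
        if self.redirect_all:
            self.send_response(301)
            self.send_header("Location", "https://example.invalid" + self.path)
            self.end_headers()
            self.wfile.write(b"301 Moved Permanently")
        elif self.path == DCV_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(DCV_TOKEN)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a DCV client judges the first answer."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


@dataclass
class DcvResult:
    ok: bool
    status: int
    reason: str


def probe_dcv(base_url: str, path: str = DCV_PATH,
              expected: bytes = DCV_TOKEN) -> DcvResult:
    """Fetch the DCV file exactly once and classify the origin's answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url + path, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:  # raised for 3xx (unfollowed) and 4xx/5xx
        status, body = e.code, e.read()
    if 300 <= status < 400:
        return DcvResult(False, status,
                         f"origin redirected the DCV request ({status}); "
                         f"the http->https redirect must not apply to {path}")
    if status != 200:
        return DcvResult(False, status, f"unexpected HTTP {status}")
    if body.strip() != expected.strip():
        return DcvResult(False, status,
                         "DCV file content did not match the expected value")
    return DcvResult(True, status, "DCV file served correctly")


def run_origin(redirect_all: bool):
    """Start a local origin on a free port and return (server, base_url)."""
    handler = type("Origin", (_Origin,), {"redirect_all": redirect_all})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> dict:
    """Probe both configurations; returns {label: DcvResult}."""
    results = {}
    for label, redirect in (("always_use_https", True), ("redirect_off", False)):
        srv, url = run_origin(redirect)
        try:
            results[label] = probe_dcv(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: ok={r.ok} status={r.status} {r.reason}")
```

With the redirect enabled the probe reports a 301 and a failed check, matching the "301 Moved Permanently" text quoted in the error message above; with it disabled the same request returns the token and the check passes.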
Strict mode in CloudFlare requires a valid SSL certificate on your origin server. If this requirement is not met, it can cause issues with AutoSSL renewals and may result in a 526 error on your site or in the browser console for certain resources.
To immediately resolve this, change CloudFlare's SSL/TLS encryption mode from 'Full (strict)' to 'Full'.
Switching to 'Full' mode still encrypts the connection between CloudFlare and your origin server, but it does not require the origin's certificate to be valid, so CloudFlare will accept a self-signed certificate from the origin. Because the connection between CloudFlare and the visitor uses CloudFlare's own certificate, visitors once again see a fully valid HTTPS connection without errors.
Although changing to Full Mode provides an immediate fix, it may be preferable to ensure that AutoSSL can properly issue the certificate. In this way if you ever need to disable CloudFlare, you can rest assured that you have a valid SSL certificate issued on your domain.
Again, typically the reason AutoSSL couldn't run will be due to Always Use HTTPS being turned on in CloudFlare. So this will need to be disabled to allow AutoSSL to issue a renewal.
If your AutoSSL certificate failed to renew, follow these steps:
It may take several minutes for AutoSSL to successfully renew your SSL certificate. As long as Strict mode is turned off you should no longer see any errors on your site, so you can simply wait for the renewal to complete.
Once the AutoSSL has successfully renewed, you may opt to re-enable Strict mode in CloudFlare for added security.
Strict mode ensures that the SSL certificate on your origin server is valid, providing an extra layer of security. However, some clients might elect to leave this off to avoid potential issues in the future should AutoSSL not be able to renew the certificate for any reason.
If your site is not already redirecting to HTTPS, you can set up HTTPS redirects using .htaccess:
# Redirect every plain-HTTP request to the same host and path over HTTPS
# with a permanent (301) redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
By following these steps, you can ensure a smooth SSL certificate renewal process via cPanel's AutoSSL while still maintaining HTTPS redirects for your website. This approach avoids the pitfalls associated with CloudFlare's 'Always Use HTTPS' and Strict mode settings, offering a more reliable long-term solution. Clients may choose to re-enable Strict mode for added security or leave it off based on their specific needs.