For some time, I’ve hidden my Nextcloud behind CF zero trust. When refreshing certificates via letsencrypt I would manually disable the tunnel, refresh and re-enable the tunnel. Now that letsencrypt will no longer notify me via email, I need a more robust (read: automated) way of refreshing certs. Do I have any options other than disabling zero trust? (The advantage would be I no longer need VPN to have the mobile app working.)
Maybe you can use letsencrypt’s DNS-01 challenge. That works without an HTTP connection. But ultimately, I don’t think you need a certificate on the server, doesn’t Cloudflare tunnel the traffic (unencrypted) and terminate the HTTPS on their side?
Thanks for the reply, among all answers I chose this. Just because it works for me.
Behind a cloudflare tunnel you can use a self signed or expired certificate, just check the “no TLS verify” checkbox.
Edit: or use DNS based verification, nginx proxy manager can do it automatically using cloudflare api when behind cloudflare tunnels
Thanks for the reply, among all answers I chose this. Just because it works for me.
Are you a bot?
Would a bot tell you? 🧐
No posts/comments in like a year and a half, then this… I’d guess yes.
3 people independently advise DNS challenge. They all deserve the same appreciation, don’t they?
I don’t think a copy/paste answer comes across as appreciation, no.
It comes across weird, especially on a low activity account, and seems like a bot response that got stuck.
I’m just a passive observer and it’s fine. You can assume it’s a bot but that’s not on them. They seem legitimate and my assumption is maybe English isn’t their first language.
With the other comments since, yeah not a bot. Early on with the long gap, then a post and the same comment being the only comment - yeah that looks like a bot.
It’s not an indictment of them, just observation.
DNS-01 challenge with letsencrypt. Or use cloudflare tunnel and don’t use https internally.
Thanks for the reply, among all answers I chose this. Just because it works for me.
Set up a cron that does it once per day, when you don’t need it, like certbot does. Easy.
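For reference on the DNS-01 challenge suggested in several replies above, here is an added example (not code from any poster in this thread) of how the TXT record an ACME client publishes is derived under RFC 8555 and RFC 7638, which is why no inbound HTTP connection through the tunnel is needed. The domain, token and account key below are constructed sample values, and the function names are illustrative.

```python
import base64
import hashlib
import json

# RFC 7638: only these members enter the thumbprint, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample values, not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-challenge-token"


def b64url(data):
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier, token, account_jwk):
    """Return (record name, TXT value) for a DNS-01 challenge (RFC 8555, 8.4)."""
    # A wildcard order is validated at the base domain.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = "_acme-challenge." + base.rstrip(".").lower()
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return name, value


def txt_matches(published, expected):
    """Pre-flight check: is the expected value among the TXT answers seen?"""
    # DNS tools commonly print TXT data wrapped in double quotes.
    return any(v.strip().strip('"') == expected for v in published)


if __name__ == "__main__":
    rec_name, rec_value = dns01_record("cloud.example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    print(rec_name, "TXT", rec_value)
```

The value depends only on the CA's token and the account key, so a client with DNS API access can publish it and clean it up without the tunnel ever being disabled.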