Last week, I shared a tip on how to get Cloudflare, Laravel Forge, and TLS all working together.
This led to a reader question about what happens when it comes time for that certificate to get renewed? Would Cloudflare get in the way?
I knew it wasn't an issue, since I've had Forge sites with Lets Encrypt running behind a Cloudflare proxy for years, but let's dig deeper and understand why.
The reason it works is that LetsEncrypt has two methods for validating your domain, both on original issuance and on renewal:
- It places a file in the public root of your site at
.well-known/acme-challengeand Cloudflare will proxy that request right on through to your Forge site, so it doesn’t get in the way. (Why ACME? That's the name of the protocol.)
- The other option, usually only used if you’re generating a wild-card certificate, is to set a DNS record. Forge has a configuration for Cloudflare DNS management, so no problem here either.
That being said, one thing to watch for is third-party services that you point a CNAME record at in Cloudflare. I have seen some platforms that aren't setup to handle proxied traffic from Cloudflare, causing the TLS certificate renewal to fail. In that case, my solution was to just not have Cloudflare proxy that one CNAME record.
Here to help,
P.S. I read every single reply to these emails, and I really enjoy them. Often, questions and comments will spark further ideas for tips to share. So please, keep them coming!