[Common Issue] Why isn’t my SSL certificate provisioning automatically with Cloudflare & Netlify? Are there other problems with using Cloudflare in front of Netlify?

Netlify won’t be able to provision an SSL certificate for your hostname(s) when the DNS records for a site point to Cloudflare because Cloudflare - not Netlify - is serving the content.

Note: We recommend not using both Cloudflare’s CDN (“Accelerate and Protect”, the orange cloud in their UI) and Netlify for the same site at the same time. Why? Read on!

Netlify’s web services are not designed to work optimally with another CDN “in front of” our CDN. Proxying to our service is in general not supported and we will advise you not to do it. Using Cloudflare in this way will cause issues with provisioning SSL certificates and with other Netlify features such as:

  • atomic deploys and rollbacks (Cloudflare can cache assets longer than our settings ask them to)
  • slower service than using our CDN directly (measured by a customer over time using Google Webmaster Tools)
  • and occasionally, catastrophic failures are observed where something goes amiss in the proxying and the only fix is disabling Cloudflare’s CDN as shown below.

For these reasons, we recommend disabling Cloudflare for your site when it is being served/hosted by Netlify.

This image shows how to disable Cloudflare’s CDN but continue using their DNS, which IS supported:

Once this change is made, you’ll need an SSL certificate in place at Netlify. Please wait at least five (5) minutes before clicking the “Let’s Encrypt Certificate” button in our UI or adding that custom domain in our admin UI. This will allow time for the old DNS records to expire and for the new values to become active.

If you have any questions about this, we’ll be happy to discuss in more detail!

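A quick way to confirm which edge actually answers for a hostname before pressing the Let’s Encrypt button. This is an added example, not code from this thread or from Netlify; it assumes a snapshot of Cloudflare’s published IPv4 ranges and the `server` / `cf-ray` response headers the two CDNs are known to send.

```python
import ipaddress
import urllib.request

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: taken from
# https://www.cloudflare.com/ips-v4; refresh the list before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def diagnose(a_records, headers):
    """Classify who answers for the hostname.

    Returns ("proxied", reason) when the orange cloud is still on,
    ("direct", reason) when Netlify answers itself, else ("unknown", reason).
    """
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    cf_ips = [ip for ip in a_records if is_cloudflare_ip(ip)]
    if cf_ips:
        return "proxied", "A records resolve to Cloudflare: " + ", ".join(cf_ips)
    if "cf-ray" in hdrs or hdrs.get("server") == "cloudflare":
        return "proxied", "response carries Cloudflare headers"
    if hdrs.get("server") == "netlify":
        return "direct", "response served by Netlify"
    return "unknown", "no Cloudflare or Netlify markers found"


def fetch_headers(host: str) -> dict:
    """Live helper: HEAD request to the site (network needed; not used offline)."""
    req = urllib.request.Request("https://%s/" % host, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


if __name__ == "__main__":
    # Constructed sample: a hostname whose DNS still points at the Cloudflare proxy.
    print(diagnose(["104.21.7.8"], {"Server": "cloudflare", "CF-RAY": "sample"}))
```

Feed it the A records from `dig +short yourhost` plus `fetch_headers(yourhost)`; a "proxied" result means Netlify cannot validate the hostname yet, so wait the five minutes after flipping the orange cloud off and re-run.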

(asking for the audience) Will I be charged for bandwidth when I am DDOSed? What are some recommended ways to add DDOS protection for my Netlify site?


Netlify pays for all bandwidth that is used by our service. We can only keep our service free for low usage sites when they are in fact low usage. If your site uses more bandwidth than the free allotment for any reason during a billing cycle, you will be liable for it, similar to AWS’ policy on the same topic.

Fortunately, we don’t take your site down when you have high usage - we allow it to keep running, since an appearance on Shark Tank or Hacker News may look like an attack, but we try to keep your site up as long as the attack isn’t affecting the rest of our service.


For this, you may still want to go through Cloudflare.
(For example, for increases in transfer volume, attacks, etc.)

So instead of using Let’s Encrypt, you can apply Origin certificates issued by Cloudflare.
They can be issued for free and can last up to 15 years.

Hi @balloon, while you can do this, it greatly limits our support team’s ability to troubleshoot any redirect, proxy, or site down issues for your site.

Please note we may ask you to disable the Cloudflare proxy to troubleshoot any connectivity or routing issues as we are not able to do so with another service proxying to ours.

@balloon, is Full (strict) mode required when using Cloudflare in front of Netlify?

I just tried to set this up and was receiving intermittent certificate warnings when accessing my site. I set the intermediate cert on Netlify using the root certificate from the page you linked.

Now I have it set to Full and it seems to be working fine …

@robert
Yes. If you have introduced Origin Certificates, you can choose Full (strict). That is the perfect choice.
Alternatively, TLS communication is still maintained with Full.

@luke
I often see the troubles associated with Let’s Encrypt when using Cloudflare. This is not a problem only with Netlify; staff at some other services struggle with it too.
For example, ZEIT Now (zeit.co and now.sh) adds this to the documentation:
https://zeit.co/docs/v2/custom-domains#provider-specific-instructions

But we around the world are choosing Cloudflare. And we also chose Netlify. Please recognize that fact and utilize it in the future.
After receiving your response, I moved all the services I had on Netlify to other services.


Thanks for the suggestion, @balloon! As Luke mentioned, using Cloudflare to front our services has tons of problems (the ones that started this post, and more general descriptions of the higher level problems here: [Common Issue] Why not proxy to Netlify?). Since this isn’t a use pattern we can support for our CDN, I don’t think we’ll write code to enable the unsupported setup to incorporate Let’s Encrypt SSL - we already provide SSL at the Netlify hostname, which you can tell Cloudflare to connect to directly :)

If you want to use Cloudflare, please do! It’s a great service! It just doesn’t work well in proxy mode with our CDN, so we won’t try to imply that it might work well by working around configurations that currently make it obvious to the end-user that this is not a good setup.