[Common Issue] Why isn’t my SSL certificate provisioning automatically with Cloudflare & Netlify? Are there other problems with using Cloudflare in front of Netlify?

Netlify won’t be able to provision an SSL certificate for your hostname(s) when the DNS records for a site point to Cloudflare because Cloudflare - not Netlify - is serving the content.

Note: We recommend not using both Cloudflare’s CDN (“Accelerate and Protect”, the orange cloud in their UI) and Netlify for the same site at the same time. Why? Read on!

Netlify’s web services are not designed to work optimally with another CDN “in front of” our CDN. Proxying to our service is in general not supported and we will advise you not to do it. Using Cloudflare in this way will cause issues with provisioning SSL certificates and with other Netlify features such as:

  • atomic deploys and rollbacks (Cloudflare can cache assets longer than our settings ask them to)
  • will provide slower service than using our CDN directly (measured by a customer over time using Google Webmaster Tools)
  • and occasionally, catastrophic failures are observed where something goes amiss in the proxying and the only fix is disabling Cloudflare’s CDN as shown below.

For these reasons, we recommend disabling Cloudflare for your site when it is being served/hosted by Netlify.

This image shows how to disable Cloudflare’s CDN but continue using their DNS, which IS supported:

Once this change is made, you’ll need an SSL certificate in place at Netlify. Please wait at least five (5) minutes before clicking the “Let’s Encrypt Certificate” button in our UI or adding that custom domain in our admin UI. This will allow time for the old DNS records to expire and for the new values to become active.

If you have any questions about this, we’ll be happy to discuss in more detail!


(Asking for the audience) Will I be charged for bandwidth when I am DDoSed? What are some recommended ways to add DDoS protection for my Netlify site?

Netlify pays for all bandwidth that is used by our service. We can only keep our service free for low usage sites when they are in fact low usage. If your site uses more bandwidth than the free allotment for any reason during a billing cycle, you will be liable for it, similar to AWS’ policy on the same topic.

Fortunately, we don’t take your site down when you have high usage - we allow it to keep running, since an appearance on Shark Tank or Hacker News may look like an attack, but we try to keep your site up as long as the attack isn’t affecting the rest of our service.
