[Support Guide] Why isn’t my SSL certificate provisioning automatically with Cloudflare & Netlify? Are there other problems with using Cloudflare in front of Netlify?

Netlify won’t be able to provision an SSL certificate for your hostname(s) when the DNS records for a site point to Cloudflare because Cloudflare - not Netlify - is serving the content.

Note: We recommend not using both Cloudflare’s CDN (“Accelerate and Protect”, the orange cloud in their UI) and Netlify for the same site at the same time. Why? Read on!

Netlify’s web service is not designed to work optimally with another CDN “in front of” our CDN. Proxying to our service is in general not supported and we advise you not to do it for best hosting results. Using Cloudflare in this way will cause issues with provisioning SSL certificates and with other Netlify features such as:

  • atomic deploys and rollbacks (Cloudflare will cache assets for most customers for at least 5 minutes longer than our default settings specify). This leads to changes you make not showing up immediately on the web and interferes with some of our features, like Analytics and Split Testing.
  • it will likely provide slower service than using our CDN directly (as measured by one customer over a few months using Google Webmaster Tools).
  • our Support team does not have any visibility into what happens to network requests that go through Cloudflare’s CDN (which is every request when you use the orange cloud), so we cannot easily advise you on problems in your configuration or help you debug connection trouble.
  • Country-based redirects may not work reliably; we’ll look up Cloudflare’s IP, not your visitor’s, to decide which country the request comes from.
  • occasionally, catastrophic failures have been observed with this setup when something goes wrong in the proxying. In these cases the only effective, quick fix has been disabling Cloudflare’s proxying as shown below.

For these reasons, we recommend disabling Cloudflare’s proxying (also known as “Accelerated and protected” on their service) for your site when it is being served/hosted by Netlify.

This image shows how to disable Cloudflare’s proxying, but continue using their DNS, which works great with our CDN as long as you disable proxying:

If you are making this change, you’ll need two things:

  1. You’ll need to make sure that our UI is configured for ALL OF your custom domain(s). On the Domain settings page, ensure that all hostnames that you were using via proxy at Cloudflare are set in our UI.
  2. You’ll need an SSL certificate covering these names to be in place at Netlify. If you haven’t purchased a certificate from someone else (details in this article), we’ll protect you with an automatically managed and renewed Let’s Encrypt certificate. After you change your DNS settings in our UI, we’ll start repeatedly trying to fetch a certificate for you (for up to 3 days after your change), but there will likely be some downtime while the DNS changes you made at Cloudflare propagate. This article describes what kind of delay you can expect on this process and how to make sure it goes as quickly as possible.

If you still want to proxy from Cloudflare, we can’t stop you. You may find this customer-supplied (written by @chrism2671!) Build Plugin helps mitigate the situation around them not providing a “no-cache” option for people below their Enterprise account level: https://github.com/chrism2671/netlify-purge-cloudflare-on-deploy

If you have any questions about this, we’ll be happy to discuss in more detail! Please feel empowered to ask BEFORE you make changes, so we can guide you to the smoothest migration experience.
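A small diagnostic, added here as an example and not part of this guide or of Netlify’s tooling, that tells from HTTP response headers whether a hostname is still answered by Cloudflare’s proxy (in which case Netlify cannot validate a certificate for it) or directly by Netlify, and reports the cache TTL the responding edge applies. The sample headers are constructed, and the header names are assumed from each service’s usual responses.

```python
"""Tell whether a hostname answers through Cloudflare's proxy or directly from
Netlify, and what cache TTL the responding edge applies (added example, not
Netlify's or Cloudflare's code; Cloudflare sets CF-RAY and Server: cloudflare,
Netlify sets Server: Netlify and X-NF-Request-ID)."""
import sys
import urllib.error
import urllib.request

def classify_edge(headers):
    """Return 'cloudflare-proxy', 'netlify-direct' or 'unknown' (case-insensitive)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    server = h.get("server", "")
    if "cf-ray" in h or server == "cloudflare":
        # Cloudflare terminated TLS, so Netlify never receives the validation
        # request it needs before it can issue a Let's Encrypt certificate.
        return "cloudflare-proxy"
    if "x-nf-request-id" in h or server == "netlify":
        return "netlify-direct"
    return "unknown"

def cache_ttl_seconds(headers):
    """Parse max-age from Cache-Control; None if absent. Netlify's default is
    max-age=0 so each deploy shows at once; a larger proxy value means lag."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("cache-control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def fetch_headers(hostname, timeout=10):
    """HEAD https://hostname/ and return its response headers."""
    req = urllib.request.Request(f"https://{hostname}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry edge headers
        return dict(err.headers)

# Constructed sample responses, not captured from any real site.
SAMPLE_PROXIED = {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
                  "Cache-Control": "max-age=14400"}
SAMPLE_DIRECT = {"Server": "Netlify", "X-NF-Request-ID": "00000000-0000-0000-0",
                 "Cache-Control": "public, max-age=0, must-revalidate"}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    hdrs = fetch_headers(host) if host else SAMPLE_PROXIED
    print(host or "(sample)", classify_edge(hdrs), "max-age:", cache_ttl_seconds(hdrs))
```

Run it with your hostname as the argument; a result of cloudflare-proxy means the orange cloud is still on for that record and Netlify will keep failing to provision the certificate until it is switched to DNS only.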


(asking for the audience) will I be charged for bandwidth when I am DDOSed? what are some recommended ways to add DDOS protection for my Netlify site?


Netlify pays for all bandwidth that is used by our service. We can only keep our service free for low usage sites when they are in fact low usage. If your site uses more bandwidth than the free allotment for any reason during a billing cycle, you will be liable for it, similar to AWS’ policy on the same topic.

Fortunately, we don’t take your site down when you have high usage - we allow it to keep running, since an appearance on shark tank or hacker news may look like an attack, but we try to keep your site up as long as the attack isn’t affecting the rest of our service.


For this, you may still want to go through Cloudflare (for example, because of an increase in transfer volume, an attack, etc.).

So instead of using Let’s Encrypt, you can apply Origin Certificates issued by Cloudflare.
They can be issued for free and can last up to 15 years.

Hi, @balloon, while you can do this it greatly limits our support team’s ability to troubleshoot any redirect, proxy, or site down issues for your site.

Please note we may ask you to disable the Cloudflare proxy to troubleshoot any connectivity or routing issues as we are not able to do so with another service proxying to ours.

@balloon, is Full (strict) mode required when using Cloudflare in front of Netlify?

I just tried to set this up and was receiving intermittent certificate warnings when accessing my site. I set the intermediate cert on Netlify using the root certificate from the page you linked.

Now I have it set to Full and it seems to be working fine …

@robert
Yes. If you have introduced Origin Certificates, you can choose Full (strict). That is the perfect choice.
Alternatively, TLS communication is still maintained even with Full.

@luke
I often see trouble with Let’s Encrypt when using Cloudflare. This is not only a problem with Netlify; the staff at some other services struggle with it too.
For example, ZEIT Now (zeit.co and now.sh) adds this to the documentation:
https://zeit.co/docs/v2/custom-domains#provider-specific-instructions

But people around the world are choosing Cloudflare, and we also chose Netlify. Please recognize that fact and make use of it in the future.
I got your response, and I have since moved all the services I had from Netlify to other services.


Thanks for the suggestion, @balloon! As Luke mentioned, using Cloudflare to front our services has tons of problems (the ones that started this post, and more general descriptions of the higher-level problems here: [Common Issue] Why not proxy to Netlify?). Since this isn’t a use pattern we can support for our CDN, I don’t think we’ll be writing code to enable the unsupported setup to incorporate Let’s Encrypt SSL; we already provide SSL at the netlify hostname, which you can tell Cloudflare to connect to directly :)

If you want to use Cloudflare, please do! It’s a great service! It just doesn’t work well in proxy mode with our CDN, so we won’t try to imply that it might work well by working around configurations that currently make it obvious to the end-user that this is not a good setup.

Hey guys,
Does using Cloudflare have any impact on the deploy previews generated by Netlify under the netlify.app domain (i.e. caching)? As in:

https://coolapp.netlify.app/
https://5f6721c1e593fd5cadd9d2a9--coolapp.netlify.app/

Hi, @zanona. No URLs with domain names ending with netlify.app will go through Cloudflare, so that is not the issue here.

The root cause in this case is that these are manual deploys. Manual deploys which use an “alias” or “branch” option are not treated identically to branch deploys with a build at Netlify.

You cannot use the branch subdomain feature with manual deploys at this time. We have an open feature request to make manual deploys with a branch option to work identically to branch deploys at Netlify. However, at this time, that feature request remains “open”.

If/when it is possible to use the branch subdomain features with manual deploys we will post an update here to let you know. If there are other questions, please let us know.

Thanks so much for clarifying, Luke, and apologies for the noise under this thread, as my case feels unrelated.

So I take it that aliases will never override past branch deploy URLs. What would you recommend in this case? Recreating the site on Netlify and disabling auto-publishing? Would aliases such as next become available if we do that? So far, aliases were working fine for the ‘alpha’ branch for us, as we never had an auto-published branch deploy for that one.

I guess that’d be simpler than changing the git development branch name itself :smile: I’m just trying to think of a way to clear all those cached URLs. Is there perhaps anything else you could advise?

Thanks again for following up

I bumped into the same problem and solved it. The image in the OP needs some explainer text.

Basically, to switch Cloudflare’s DNS proxy off so the record is “DNS only”, you have to click Edit, and in the edit panel click the orange cloud icon; it will toggle to DNS only. Hit Save.

Then I was able to renew my cert at Netlify right after.