Prepare Your Web Server
Ensure your web server (e.g., Nginx, Apache) is configured to serve files from the .well-known/acme-challenge/ directory. For example, in Nginx, add the following to your server block:
# Serve ACME HTTP-01 challenge files directly from the document root
location /.well-known/acme-challenge/ {
    root /var/www/html;
}
Reload your web server after changes (e.g., sudo systemctl reload nginx).
Configure Cloudflare
- Log into your Cloudflare dashboard and go to Rules > Overview.
- Create a Configuration Rule
- Name: Let’s Encrypt HTTP-01
- Filter: http.request.uri.path matches "^/.well-known/acme-challenge/.*$"
- Add the Automatic HTTPS Rewrites setting to the rule and turn it off, so challenge requests are answered over plain HTTP as the CA expects.
- Optionally, create a Cache Rule with the same filter and select Bypass cache to prevent caching issues.
Renew the Certificate with acme.sh
- Run the renewal command:
acme.sh --renew --domain yourdomain.com --webroot /path/to/webroot
Replace /path/to/webroot with your website’s document root (e.g., /var/www/html).
- If it’s your first time, use:
acme.sh --issue -d yourdomain.com --webroot /path/to/webroot
- Wait a few minutes for Cloudflare rule changes to propagate, then check for errors.
Automate Renewals
Set up a cron job for automatic renewal, for example:
sudo crontab -e
Add:
@weekly /root/.acme.sh/acme.sh --cron --home /root/.acme.sh > /dev/null
If renewal fails, check for conflicting Cloudflare rules or ensure the challenge path is accessible. Some users suggest temporarily disabling IPv6 in Cloudflare if issues persist, though this is usually unnecessary.
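A pre-flight check for the challenge path, as an added example written for this page (it is not part of acme.sh or of Cloudflare's tooling): it drops a throwaway token under the webroot, fetches it over plain HTTP through the public hostname the way the CA would, and flags the three failures the steps above are meant to prevent: an HTTPS redirect, a cached response, or a body that does not match. yourdomain.com and /var/www/html are placeholders; pass your own values as arguments.

```shell
#!/bin/sh
# Added example: pre-flight check for the HTTP-01 challenge path behind Cloudflare.
# Not part of acme.sh; the domain and webroot are placeholders supplied as arguments.
# Usage: sh acme-check.sh yourdomain.com /var/www/html

# place_token WEBROOT NAME CONTENT
# Creates .well-known/acme-challenge under WEBROOT and writes CONTENT into NAME.
place_token() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$3" > "$dir/$2"
}

# headers_ok HEADER_TEXT
# Returns 0 only when the raw response headers show what the CA needs:
# a direct 200 over plain HTTP (a 301/302 means an HTTPS rewrite or redirect
# is still in the way) and not a cached copy (cf-cache-status: HIT would hand
# the CA a stale body instead of the token just written).
headers_ok() {
  status=$(printf '%s\n' "$1" | grep -i '^HTTP/' | tail -n 1 | awk '{print $2}')
  [ "$status" = "200" ] || return 1
  if printf '%s\n' "$1" | grep -iq '^cf-cache-status: *HIT'; then
    return 1
  fi
  return 0
}

# check_challenge DOMAIN WEBROOT
# Full round trip: write a token, fetch it through the edge, compare, clean up.
check_challenge() {
  domain="$1"; webroot="$2"
  tok="acme-check-$$-$(date +%s)"
  content="token-body-$tok"
  place_token "$webroot" "$tok" "$content" || { echo "cannot write to $webroot" >&2; return 1; }
  hdr=$(mktemp); body=$(mktemp)
  # No -L on purpose: a redirect should show up as a failure, not be followed.
  curl -sS --max-time 15 -D "$hdr" -o "$body" \
    "http://$domain/.well-known/acme-challenge/$tok" >/dev/null
  rc=1
  if headers_ok "$(cat "$hdr")" && [ "$(cat "$body")" = "$content" ]; then
    echo "OK: challenge path served directly over HTTP and uncached"
    rc=0
  else
    echo "FAIL: response headers were:" >&2
    cat "$hdr" >&2
  fi
  rm -f "$hdr" "$body" "$webroot/.well-known/acme-challenge/$tok"
  return $rc
}

if [ "$#" -ge 1 ]; then
  check_challenge "$1" "${2:-/var/www/html}"
fi
```

Run it after changing the Cloudflare rules and before invoking acme.sh; a FAIL with a 301 to https:// points at the Automatic HTTPS Rewrites or Always Use HTTPS settings, and a FAIL with cf-cache-status: HIT points at the missing Bypass cache rule.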