Troubleshooting Cloudflare Issues
Cloudflare is a reverse proxy service that can help to secure and speed-up your sites. While SpinupWP is fully compatible with Cloudflare, there are a few Cloudflare settings that can cause problems. This doc aims to outline those problems.
Too Many Redirects
If you’re receiving the ERR_TOO_MANY_REDIRECTS
error when accessing your HTTPS enabled site that is being proxied through Cloudflare, it’s likely that you have SSL set to Flexible. This should be set to Full (strict), which will ensure connections to your site are fully encrypted end-to-end.
The SSL setting can be found under the SSL/TLS tab.
Unable to Verify DNS
When deploying a HTTPS site via SpinupWP, we first verify that DNS is correctly configured so that a Let’s Encrypt certificate can be generated. To verify DNS, we place a file on your server and check that it’s accessible via the site’s domain name. This allows us to verify DNS, even when you’re using Cloudflare’s proxy services, which hides your server’s IP address.
For this check to succeed, your domain name must be reachable over a standard HTTP connection (port 80). If you have Always Use HTTPS enabled, this will cause DNS verification to fail. We recommend that you disable this setting, as SpinupWP will automatically configure HTTP to HTTPS redirects for you once your site has been deployed.
The Always Use HTTPS setting can be found under the SSL/TLS > Edge Certificates tab.
Unable to Renew Your Https Certificate
If you receive a SpinupWP email informing you that we couldn’t renew your HTTPS certificate, it might be because your Cloudflare Firewall configuration is blocking Certbot requests. Certbot is the tool installed on your server which obtains certificates from Let’s Encrypt and auto-renews them.
The first thing to check is whether “Bot Fight Mode” is enabled and disable it. This can be done from the Security -> Bots area in your Cloudflare account for the given domain. If it is enabled, you can disable it by toggling the switch to the right of “Bot Fight Mode”.
One other thing to check is whether “Under Attack Mode” is active, because the Cloudflare challenge will prevent the Certbot requests from completing. This can be disabled by going to Security -> Settings and switching the “Security Level” from “I’m Under Attack!” to “Essentially Off”.
The final thing to check is whether you have a Firewall rule enabled which blocks bots. Click on Security -> WAF, and see if you have a rule enabled that may be blocking bots. If you see a rule which has the “Block” action and a description that includes “Known Bots”, try disabling it from the toggle on the right-hand side of the rule.
Alternatively, you can exclude the endpoints that Certbot uses from your Firewall rules by adding a condition to each rule that the “URI Path” does not contain /.well-known/acme-challenge/
.