# Trellis + Bedrock behind CloudFlare

**URL:** https://discourse.roots.io/t/trellis-bedrock-behind-cloudflare/7664
**Category:** trellis
**Created:** 2016-09-18T09:39:58Z
**Posts:** 13

## Post 1 by @Ivan_Svaljek — 2016-09-18T09:39:58Z

I have a Trellis + Bedrock setup behind CloudFlare. The CloudFlare SSL is set up as Full SSL so it requires SSL on the host. For the host SSL I’m using LetsEncrypt that comes bundled with Trellis.  
I know LetsEncrypt requires a periodic refresh of something (certificate I guess) so I’m not sure what will happen with this action when CloudFlare is active and handles the DNS.

The other question is that I can’t seem to turn off the Lets Encrypt by provisioning the server with

```
ssl:
  enabled: false
```

I tried provisioning with tags --wordpress and --letsencrypt but redirect to https still occurred for files wordpress and not.

---

## Post 2 by @ben — 2016-09-18T15:46:36Z

I believe that even behind CloudFlare that the Let’s Encrypt renewal should still work as expected (I hope)…

> [@Ivan_Svaljek](#):
>
> The other question is that I can’t seem to turn off the Lets Encrypt

Have not yet tried this before but it might be a Trellis bug

---

## Post 3 by @fullyint — 2016-09-18T16:01:30Z

I’m not familiar with integrating CloudFlare SSL with Trellis LE, but you’ll find some searchable discussion, e.g., [this](https://discourse.roots.io/t/letsencrypt-already-registered-errors/6318/4).

Regarding “I can’t seem to turn off the Lets Encrypt,” maybe this will help:

> [@Failure to establish connection when provisioning via ansible-playbook server.yml](https://discourse.roots.io/t/failure-to-establish-connection-when-provisioning-via-ansible-playbook-server-yml/6518/28):
>
> Note that if you end up choosing to set ssl `enabled: false` … your browser’s exposure to the letsencrypt setup for that domain will likely have an associated [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header for the domain. If you return to http [vs https] … you’ll need to clear the HSTS header using something [like this](http://classically.me/blogs/how-clear-hsts-settings-major-browsers).
> 
> The HSTS header instructs your browser to remember to automatically load your site as https only for some period of time. If your site moves back to http only, the browser obediently won’t load that http version till the original HSTS header has expired, or till it is cleared manually. This is designed to prevent man-in-the-middle attacks that could try to “downgrade” a user’s connection from https to http.

In other words, Trellis and your server will obey your command to turn off LE SSL, but you need to give your personal browser the message too. A different browser that never visited the site will not have the HSTS header set and will not have the issue.

---
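The HSTS behaviour quoted above (browser keeps forcing https until `max-age` runs out, or until the entry is cleared by hand) can be modelled in a few lines. This is an added example, not code from the thread, from Trellis or from any browser; it assumes a caller-supplied UNIX timestamp so it runs offline, and the header value it feeds in is a constructed one.

```python
"""Model of how a browser stores and applies a Strict-Transport-Security policy.

Added example (not from the thread or from Trellis). Times are plain UNIX
timestamps passed by the caller so the module runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float       # absolute time after which the entry is ignored
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    value has no usable max-age directive (a browser ignores such a header).
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Per-browser store of HSTS policies, keyed by exact host name."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def record(self, host: str, header: str, now: float) -> None:
        """Feed the header seen on an https response from `host`.
        (Browsers ignore HSTS on plain-http responses; only feed https ones.)"""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        if parsed["max_age"] == 0:
            # max-age=0 is how a site tells browsers to forget the policy.
            self._policies.pop(host, None)
            return
        self._policies[host] = HstsPolicy(now + parsed["max_age"], parsed["include_subdomains"])

    def clear(self, host: str) -> None:
        """What the manual 'clear HSTS settings' browser procedure achieves."""
        self._policies.pop(host, None)

    def must_use_https(self, host: str, now: float) -> bool:
        """True if a plain-http navigation to `host` would be upgraded to https."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None or now >= policy.expires_at:
                continue  # no entry, or expired: behaves as if never set
            if i == 0 or policy.include_subdomains:
                return True
        return False


def demo() -> list:
    """Walk through the situation described in the thread with constructed values."""
    cache = HstsCache()
    t0 = 1_600_000_000.0
    # Constructed header, one year max-age covering subdomains too.
    cache.record("example.com", "max-age=31536000; includeSubDomains", t0)
    results = [
        cache.must_use_https("example.com", t0 + 10),            # still forced
        cache.must_use_https("staging.example.com", t0 + 10),    # covered by includeSubDomains
        cache.must_use_https("example.com", t0 + 31536000 + 1),  # expired
    ]
    cache.clear("example.com")                                   # manual clearing
    results.append(cache.must_use_https("example.com", t0 + 10))
    return results
```

The lookup walks from the full host name up through its parents, so a policy recorded for `example.com` with `includeSubDomains` also forces https for `staging.example.com`; without that flag only the exact host is affected. Turning SSL off on the server changes nothing in this cache, which is exactly why a browser that visited the https site keeps refusing the http version.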

## Post 4 by @RiFi2k — 2016-09-29T02:20:26Z

Just saw this, just want to throw this out there in case anyone else uses Cloudflare and Trellis.

So I found it’s way easier and less error-prone to use Cloudflare Origin Certs instead of LetsEncrypt. For one, you can set the Origin certs to be good for up to 15 years and they support wildcards as well. So for staging I normally just use one domain with a bunch of subdomains for all the sites and I only need one wildcard Origin Cert from Cloudflare. [example1.domain.com](http://example1.domain.com), [example2.domain.com](http://example2.domain.com), etc.

So for example, you turn Cloudflare crypto to Full (Strict), then generate yourself an Origin cert and configure Trellis with the manual SSL setting and include your files from Cloudflare.

Now for bonus points you can automate the whole thing using the Cloudflare CLI for linux.

> **[CloudFlare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#3clicommandlineinterfacelinuxonly)**
>
> Faster, more secure alternative to public CA certificates for your CloudFlare-fronted servers. Extraneous overhead removed to optimize performance.

Also to fix the syslog warnings about ssl-stapling you can bundle

> **[What are the root certificate authorities (CAs) used with Cloudflare Origin CA?](https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-)**
>
> If you are using cPanel, or another application that attempts to validate the chain of your Origin CA certificate, you will need to append the appropriate root below to your .pem file.
> Note that cP...

Then going further you can easily set up Authenticated Origin Pulls in Cloudflare and Nginx

> **[Authenticated Origin Pulls](https://support.cloudflare.com/hc/en-us/articles/204899617)**
>
> Cloudflare sits on the network between end-user web browsers and website origin servers.  Traffic goes from the web browser to Cloudflare.  Cloudflare fulfills the request from cache when possible,...

---

## Post 5 by @darjanpanic — 2016-09-29T11:44:02Z

@RiFi2k Could you use this setup for subdomain Multisite Network with domain mapping also to get the https?

---

## Post 6 by @RiFi2k — 2016-10-05T23:30:45Z

@darjanpanic For sure, they issue all their certificates by default to work for all first-level wildcard subdomains.

So for example the main certificate is issued for:  
[example.com](http://example.com)  
\*.example.com  
Then the origin certs are issued the exact same way, so you would for sure only need the single origin cert for all your subdomains.

The issue lies in configuring the DNS with Cloudflare for each new subdomain on-demand.

> **[Does Cloudflare support wildcard DNS entries?](https://support.cloudflare.com/hc/en-us/articles/200168826-Does-CloudFlare-support-wildcard-DNS-entries-)**
>
> Cloudflare supports the wildcard * record for DNS management at all plan types. For Cloudflare Enterprise customers, we offer full proxy support for wildcard records.Cloudflare Free, Pro and Busine...

Now if you were not allowing others to provision sites on your network and you did it all manually, you could just hop over to Cloudflare and make a new DNS A record (Cloudflare’s DNS changes are activated instantly: [https://blog.cloudflare.com/never-deal-with-dns-propagation-again/](https://blog.cloudflare.com/never-deal-with-dns-propagation-again/)), then as soon as you click the Orange cloud next to the record that site will already be fully configured with an SSL certificate (the origin certs are just extra security and allow you to not have to rewrite URLs with a plugin or whatever).

But if you were crafty you could use the links I put in my above post and use their CLI or API to automatically create the DNS records as the new sites are provisioned in the multisite, then you would be the man, and people would probably want to kiss you if you integrated it with the Domain Mapping Plugin.

---

## Post 7 by @RiFi2k — 2016-10-05T23:51:40Z

As an added bonus if anyone wants to use Cloudflare with Trellis for their SSL certificates I’ll include a link to a gist I just threw up with my modified version of the [nginx.conf file from Trellis](https://github.com/roots/trellis/blob/master/roles/nginx/templates/nginx.conf.j2).

This version will restore the correct IP address for use in NGINX and also I modified the logging part so if you look at your access logs they will have the correct IP address in them instead of just showing Cloudflare’s IP address (Cloudflare proxies all your traffic so their IP is what ends up showing up without doing this, but they are nice enough to send the real IP along as well; you just need to capture it).

My edits are lines 38 - 66 and also 86 - 89 if you’re curious.

Cloudflare Restore Real IP NGINX Config - [https://gist.github.com/RiFi2k/1ec986966bffc9117a23cf865f01aeee](https://gist.github.com/RiFi2k/1ec986966bffc9117a23cf865f01aeee)

---
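The rule the linked gist applies inside nginx (trust the proxy-supplied visitor address only when the TCP peer really is one of the proxy’s own addresses) is worth seeing in isolation, because getting it wrong lets any direct client forge its logged IP. The Python below is an added example, not the gist, not Trellis and not Cloudflare’s code; nginx does the equivalent with `set_real_ip_from` and `real_ip_header CF-Connecting-IP` from its realip module. The trusted ranges in it are documentation placeholders, not Cloudflare’s real list, and the requests it processes are constructed.

```python
"""Restoring the visitor IP behind a reverse proxy such as Cloudflare.

Added example, not code from the gist, from Trellis or from Cloudflare.
The proxy puts the visitor's address in CF-Connecting-IP; the origin must
believe that header only when the TCP peer is a trusted proxy address.
"""
import ipaddress
from typing import Iterable, Mapping

# PLACEHOLDER ranges for this example only (documentation prefixes, not
# Cloudflare's real edge ranges). In production load the list Cloudflare
# publishes and refresh it periodically.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Header the proxy sets with the visitor's address (real Cloudflare header name).
REAL_IP_HEADER = "cf-connecting-ip"


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Return the address to log and rate-limit for this request."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct hit on the origin: any client-supplied header is
        # attacker-controlled, so the peer address is the visitor.
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get(REAL_IP_HEADER, "").strip()
    try:
        # Parsing normalises the value and rejects garbage.
        return str(ipaddress.ip_address(forwarded))
    except ValueError:
        # Proxy in the path but header missing or malformed: fall back.
        return str(peer)


def access_log_lines(requests: Iterable[dict]) -> list:
    """Render log lines with the restored address first, as the gist's
    modified log_format does. `requests` is an iterable of dicts with
    'peer', 'headers' and 'path' keys (a constructed stand-in for what the
    server sees)."""
    return ['%s - "%s"' % (client_ip(r["peer"], r["headers"]), r["path"]) for r in requests]


def demo() -> list:
    # Constructed requests: one via the proxy, one direct with a forged
    # header, one via the proxy with the header missing.
    requests = [
        {"peer": "198.51.100.7", "headers": {"CF-Connecting-IP": "203.0.113.9"}, "path": "/"},
        {"peer": "192.0.2.50", "headers": {"CF-Connecting-IP": "10.0.0.1"}, "path": "/about"},
        {"peer": "198.51.100.7", "headers": {}, "path": "/feed"},
    ]
    return access_log_lines(requests)
```

The second constructed request shows why the peer check matters: a client that reaches the origin directly and sends its own `CF-Connecting-IP` is logged by its real peer address, not the value it chose. If the origin only accepts connections from the proxy (for instance with Authenticated Origin Pulls, mentioned earlier in the thread), that direct path is closed anyway, and the header check is the second layer.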

## Post 8 by @TangRufus — 2017-09-16T14:08:14Z

Now you can create Cloudflare Origin CA certificates in Trellis just like letsencrypt.

> **[TypistTech/trellis-cloudflare-origin-ca](https://github.com/typisttech/trellis-cloudflare-origin-ca)**
>
> trellis-cloudflare-origin-ca - Add Cloudflare Origin CA to Trellis as SSL provider

I am curious about why you need that “Cloudflare Restore Real IP NGINX Config”. My servers seem to be getting real IPs without patching anything.

---

## Post 9 by @jeffbyrnes — 2020-12-18T02:27:50Z

Thanks for mentioning this, I replaced LetsEncrypt with `trellis-cloudflare-origin-ca` and it works like a charm!

---

## Post 10 by @Taahir_Isaacs — 2022-03-14T07:52:14Z

Hey @TangRufus ! I’ve followed steps provided in the trellis-cloudflare-origin-ca repo and everything worked perfectly - certificate was issued. However, when I went to the site it showed the certificate is not valid. And got the “Your connection is not private” page on Chrome. Any idea how to resolve this? I’ve reverted to LetsEncrypt for the meantime and changed encryption mode to Full on CF.

---

## Post 11 by @JordanC26 — 2025-05-02T22:28:40Z

Is the **Cloudflare Origin CA to Trellis** still valid and working in 2025 @TangRufus ?

Note: I will give it a go later today. Asking ahead of time.

---

## Post 12 by @Tetrahedrax — 2025-05-07T08:21:35Z

It doesn’t work. It didn’t when I tried it a year ago anyway.

Here’s how we solved it:  
Download the keys from Cloudflare and put them somewhere safe  
Go into trellis/group\_vars/production/wordpress\_sites.yml

Set it to something like this, adjust it for the location of your keys:

```
ssl:
  enabled: true
  provider: manual
  cert: ~/ssl/example.com.crt
  key: ~/ssl/example.com.key
```

Now when you provision the server, it should work!

---

## Post 13 by @TangRufus — 2025-06-08T01:59:13Z

No, the role doesn’t work anymore because Cloudflare removed the `cfca` package.

See [Update pkg.cloudflare.com urls by siriusnottin · Pull Request #59 · typisttech/trellis-cloudflare-origin-ca · GitHub](https://github.com/typisttech/trellis-cloudflare-origin-ca/pull/59#issuecomment-1273160269)
