# Trellis + Bedrock behind CloudFlare

**URL:** https://discourse.roots.io/t/trellis-bedrock-behind-cloudflare/7664
**Category:** trellis
**Created:** 2016-09-18T09:39:58Z
**Posts:** 13
**Showing post:** 3 of 13

## Post 3 by @fullyint — 2016-09-18T16:01:30Z

I’m not familiar with integrating CloudFlare SSL with Trellis LE, but you’ll find some searchable discussion, e.g., [this](https://discourse.roots.io/t/letsencrypt-already-registered-errors/6318/4).

Regarding “I can’t seem to turn off the Lets Encrypt,” maybe this will help:

> [@Failure to establish connection when provisioning via ansible-playbook server.yml](https://discourse.roots.io/t/failure-to-establish-connection-when-provisioning-via-ansible-playbook-server-yml/6518/28):
>
> Note that if you end up choosing to set ssl `enabled: false` … your browser’s exposure to the letsencrypt setup for that domain will likely have an associated [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header for the domain. If you return to http [vs https] … you’ll need to clear the HSTS header using something [like this](http://classically.me/blogs/how-clear-hsts-settings-major-browsers).
> 
> The HSTS header instructs your browser to remember to automatically load your site as https only for some period of time. If your site moves back to http only, the browser obediently won’t load that http version till the original HSTS header has expired, or till it is cleared manually. This is designed to prevent man-in-the-middle attacks that could try to “downgrade” a user’s connection from https to http.

In other words, Trellis and your server will obey your command to turn off LE SSL, but you need to give your personal browser the message too. A different browser that never visited the site will not have the HSTS header set and will not have the issue.

---

_[View the full topic](https://discourse.roots.io/t/trellis-bedrock-behind-cloudflare/7664)._
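The browser behaviour described in the post above, as an added example (not part of the original post and not Trellis code): a small Python model of one browser's HSTS memory, following the rules in RFC 6797. The names `parse_hsts` and `HstsStore`, the `example.com` host and the timestamps are constructed for illustration; the `max-age=0` path, which lets a site that still serves https clear the entry itself, goes beyond what the post covers.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """One browser's memory of hosts that must be loaded over https (hypothetical model)."""
    def __init__(self):
        self.hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, header, now):
        parts = urlsplit(url)
        policy = parse_hsts(header) if parts.scheme == "https" else None
        if policy is None:   # invalid header, or sent over plain http: ignored
            return
        max_age, include_sub = policy
        if max_age == 0:     # max-age=0 over https makes the browser forget the host
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = (now + max_age, include_sub)

    def resolve(self, url, now):
        """Return the URL this browser will actually request."""
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if parts.scheme == "http" and entry and now < entry[0] and (i == 0 or entry[1]):
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url

if __name__ == "__main__":
    visited, fresh = HstsStore(), HstsStore()   # constructed scenario
    visited.observe("https://example.com/", "max-age=31536000", now=0)
    # SSL is later disabled on the server; only the browser that saw the header upgrades.
    print(visited.resolve("http://example.com/", now=86400))  # https://example.com/
    print(fresh.resolve("http://example.com/", now=86400))    # http://example.com/
```
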
