Customer Example

“I’m using Cloudflare DNS (or another proxy service), and my SSL is not working or renewing. Why?”

Issue

SSL installation or auto-renewal fails when a domain is using a proxy service instead of pointing directly to the origin server.

Cause

When a proxy is enabled, traffic is routed through the proxy provider rather than directly to the server.

Let’s Encrypt requires the domain to resolve directly to the server’s A record in order to complete validation. If a proxy is enabled, the domain does not resolve directly to the server, and validation fails.

Explanation

DNS records can operate in two modes:

• Proxied: Traffic is routed through a proxy (e.g., Cloudflare)
• DNS Only (direct): The domain resolves directly to the server

Let’s Encrypt validation only works when the domain resolves directly to the server’s IP address.

Symptoms

• SSL fails to install
• SSL auto-renewal fails
• Website shows as “Not Secure”
• Validation errors during SSL issuance

Solution

Option 1: Disable Proxy (Recommended for Free SSL) 

1. Log in to your DNS/proxy provider
2. Locate your domain’s A record
3. Disable proxy (set to DNS only / direct)
4. Wait a few minutes for propagation
5. Retry SSL installation or renewal

Option 2: Use a Paid SSL Certificate

If the proxy must remain enabled:

• Let’s Encrypt will not validate reliably
• A paid SSL certificate is required

You can:

• Purchase a 1-year SSL certificate (e.g., GlobalSign)
• Install it manually on the server

Important Notes

• SSL auto-renewal will fail if proxy is enabled during renewal
• Re-enabling proxy after installation may impact future renewals
• Always ensure the domain resolves directly to the server before issuing SSL