
> – TLS termination mandatorily happens at Cloudflare (i.e. your traffic is mitm'ed). That's because this free product is meant as a gateway drug (aka a loss leader) to Cloudflare's WAF/Anti-DDOS products (which require TLS termination to happen on their side for technical reasons).

But on the flip side, this allows you to have a nice certificate on your outside connection without having to fiddle with letsencrypt or whathaveyou.



If someone finds LetsEncrypt challenging, they don't have sufficient network and system administrator skills to be running a private, public-facing web server. They should be running tailscale.


Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Can it be done? Sure. But do I want to spend money on this for my home lab if I can work around it? Not a chance.

I'm kinda sensitive to the "MITM as a service" argument, but for my use case, it's not a problem.


> Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Afaik, every major registrar allows you to add an NS record for the _acme-challenge subdomain, allowing you to put the _acme-challenge subdomain on a custom, self-hosted DNS server.

That in turn allows you to make the permissions as specific as you'd like. Personally I just run powerdns in docker for this.


Using CNAME delegation for the ACME challenge domain and directing that to a Route 53 zone is my preferred approach. Then (as long as you have CloudWatch configured) you get inherent auditing and very flexible privilege management.


That wouldn't work for this use case though would it? AWS doesn't allow downloading the certificate (I could be wrong)? Typically certificates can only be used with other AWS services. E.g. you can't download the certificate and serve it from a home server.


You're not wrong, but the idea here is not to use AWS' certificate manager but their DNS service on which you would only handle the acme-challenge subdomain. This would allow you to limit who can update which subdomain. The LE cert is obtained normally.
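The delegation trick the last few comments describe (point `_acme-challenge` at a zone you control, then let the ACME client publish the DNS-01 TXT record there) can be worked through in code. This is an added example, not code from any commenter; the CNAME zone data is constructed and the account-key thumbprint is a placeholder, but the TXT value follows RFC 8555 section 8.4.

```python
"""Plan a DNS-01 ACME challenge for a delegated _acme-challenge name.

Added example, not from the thread. It shows (1) that the validator queries
_acme-challenge.<domain> and follows CNAMEs, so the TXT record belongs at the
end of the chain in the delegated zone, and (2) how the TXT value is derived:
base64url(SHA-256(token '.' account-key thumbprint)), per RFC 8555 sec. 8.4.
"""
import base64
import hashlib

# Constructed records: the registrar zone delegates _acme-challenge to a
# self-hosted (PowerDNS) or Route 53 zone, which chains once more.
CONSTRUCTED_CNAMES = {
    "_acme-challenge.home.example.com": "home.acme.example.net",
    "home.acme.example.net": "acme-target.example.net",
}

def challenge_name(domain: str) -> str:
    """Name the ACME server queries. A wildcard (*.example.com) is validated
    at the base name, which is why wildcards require the DNS challenge."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}"

def follow_cnames(name: str, cnames: dict, max_hops: int = 8) -> str:
    """Follow CNAME delegation as a resolver would; fail on loops."""
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or over-long chain at {name}")
        seen.add(name)
        name = cnames[name]
    return name

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(key authorization)), unpadded."""
    key_authz = f"{token}.{thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def plan_dns01(domain: str, token: str, thumbprint: str, cnames: dict) -> tuple:
    """Return (record_name, txt_value) to publish in the delegated zone."""
    target = follow_cnames(challenge_name(domain), cnames)
    return target, dns01_txt_value(token, thumbprint)

if __name__ == "__main__":
    name, value = plan_dns01("*.home.example.com", "constructed-token",
                             "PLACEHOLDER-JWK-THUMBPRINT", CONSTRUCTED_CNAMES)
    print(f"publish TXT at {name}: {value}")
```

Only the credentials for the delegated zone (where `acme-target.example.net` lives) need to reach the ACME client; the registrar account never does.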


There is also https://github.com/joohoi/acme-dns and LE clients like lego supporting it.


You don't need automated DNS fiddling for Let's Encrypt. Certbot can either hook into Apache or NGINX, or run its own standalone server for verification.


Aside from sibling comment, you also need automated DNS fiddling if you want CloudFlare Strict TLS support, because if LE can only connect to CF proxy, it will never issue via HTTPS.


You don't necessarily need to do that, Cloudflare can generate you a long-lived certificate to install on your origin server which isn't publicly trusted but is trusted by their proxies, so it works with Strict TLS. YMMV with other CDNs though, you might need to fall back to using LE with a DNS challenge in some cases.

https://developers.cloudflare.com/ssl/origin-configuration/o...


Not true. I have a CF rule that matches .well-known/acme-challenge and sets SSL off. The main setting is on full strict but the rule disables the auto redirect to https and the strict checking so an acme client behind a CF tunnel can bootstrap a cert with the HTTP-01 method.


You do need DNS fiddling if you want a wildcard cert, LE only accepts DNS challenges for those.


Certbot has a Cloudflare extension so all you need to do is provide a credentials file and it will automatically apply everything. I have a monthly cronjob running that runs the cloudflare certbot in Docker.


I've had excellent controls using NearlyFreeSpeech.net for DNS (minor cost) and time4vps.com (free). Maybe very old registrars restrict DNS records?


Parent did not say it was challenging.

I find fiddling with LE tedious because it has to be repeated too often.


certbot and crontab need to be set up just once to solve the cert problem


HTTPS when used in the ubiquitous manner it is now always strikes me as unnecessary complexity and tedium, and reasoning like yours addresses it with even more complexity and tedium.

Whatever happened to KISS?


It happened that the last S changed from "stupid" to "secure". If I use HTTPS I can safely enough connect to my home services through an open cafe Wi-Fi, for example.


I’ve been using caddy for a year which does everything for you. Basically nginx/haproxy but with https built-in via LE, no fiddling about with cert files and brittle LE scripts, also supports subdomains equally easily.


So, public server via HTTP only then?


The point of TLS is to prevent your traffic getting MITMed. This benefit disappears if you have to let someone MITM your traffic to get TLS.


This depends. The point of TLS is to protect your application from hostile networks. Cloudflare hasn't proven hostile yet.



