Let's Encrypt Keeps Failing Behind Cloudflare? Fix This First.
If your Let's Encrypt certificates randomly fail to renew when you're using Cloudflare, there's a good chance Cloudflare security rules are blocking the validation process. Here's the fix most people miss.
The Fix (Do This First)
The most common cause of Let's Encrypt failures behind Cloudflare—especially with cPanel AutoSSL—is Cloudflare security rules blocking ACME HTTP-01 validation.
When Let's Encrypt tries to verify domain ownership, it makes an HTTP request to /.well-known/acme-challenge/ on your domain. If Cloudflare's WAF, bot protection, country blocking, or other security rules intercept that request, validation fails. Your certificate doesn't renew.
Here's the fix:
Create a Cloudflare Custom Security Rule
Log into Cloudflare, go to your domain's security settings, and create a custom rule with these settings:
- Match condition: URI Path contains /.well-known/
- Action: Skip (bypass WAF, country blocking, bot protection, and other security rules)
Make sure this rule is evaluated before any restrictive rules like geo-blocking, rate limiting, or challenge pages.
That's it. This often resolves intermittent or "random" certificate failures immediately.
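Once the rule is in place, the quickest way to confirm it is actually doing its job is to request a test file on the challenge path the way a validator would (plain HTTP, port 80, a non-browser User-Agent) and look at what comes back. The script below is an added example, not code from the post, cPanel or Cloudflare. It assumes you have placed a file named preflight-test containing the text preflight-ok under /.well-known/acme-challenge/ in the site's document root; the domain, token and file contents are constructed sample values. A response carrying Cloudflare's cf-mitigated: challenge header is the fingerprint of a challenge page, which is the failure the post describes; a bare 403 from the edge points at a WAF, bot or country rule.

```python
"""Pre-flight check for HTTP-01 validation behind Cloudflare.

Added example (not from the original post). Usage:
    python acme_preflight.py example.com preflight-test preflight-ok
after placing a file named preflight-test containing "preflight-ok" in
<docroot>/.well-known/acme-challenge/ on the origin server.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# The path Let's Encrypt requests; a Skip rule scoped to this prefix is enough.
ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Verdict:
    ok: bool
    reason: str


def classify(status: int, headers: dict, body: str, expected_body: str) -> Verdict:
    """Diagnose a raw HTTP response to the challenge URL.

    What the ACME server needs is a 200 whose body is exactly the text the
    client placed on the origin; anything else is a renewal failure waiting
    to happen. Header names are compared case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    via_cloudflare = "cf-ray" in h or h.get("server", "").lower() == "cloudflare"

    # Cloudflare marks every challenge-page response with this header.
    if h.get("cf-mitigated", "").lower() == "challenge":
        return Verdict(False, "Cloudflare answered with a challenge page "
                              "(cf-mitigated: challenge); the ACME path needs a Skip rule")
    if status == 403 and via_cloudflare:
        return Verdict(False, "403 from the Cloudflare edge: a WAF, bot or country "
                              "rule is blocking the ACME path")
    if status != 200:
        return Verdict(False, f"unexpected HTTP status {status}")
    if body.strip() == expected_body:
        return Verdict(True, "challenge path is reachable and the body matches")
    if "<html" in body.lower():
        return Verdict(False, "200 with an HTML body instead of the token: an "
                              "interstitial or rewrite rule is answering")
    return Verdict(False, "200 but the body does not match what was placed on the origin")


def probe(domain: str, token: str, expected_body: str, timeout: float = 10.0) -> Verdict:
    """Fetch http://<domain>/.well-known/acme-challenge/<token> like a validator.

    urllib follows redirects (so does Let's Encrypt), so an HTTP->HTTPS
    redirect is fine as long as the final response serves the token.
    """
    url = f"http://{domain}{ACME_PREFIX}{token}"
    # A non-browser User-Agent is exactly what bot-protection rules tend to flag.
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            headers = dict(resp.headers.items())
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 403/503 etc. arrive as exceptions; the response is still worth reading.
        status = err.code
        headers = dict(err.headers.items())
        body = err.read().decode("utf-8", "replace")
    return classify(status, headers, body, expected_body)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: acme_preflight.py <domain> <token-filename> <expected-body>")
    verdict = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    print(("PASS" if verdict.ok else "FAIL") + ": " + verdict.reason)
    sys.exit(0 if verdict.ok else 1)
```

Run it from a machine outside your own network so the request really traverses Cloudflare's edge. If you would rather not exempt all of /.well-known/ from security rules (it also hosts things such as security.txt), the same Skip rule can match the narrower prefix /.well-known/acme-challenge/ that the script probes; that is the only path the validator ever requests.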
Important Note
This fix applies to HTTP-01 validation, which is what most shared hosting and cPanel AutoSSL setups use by default.
DNS-01 validation is still the most reliable long-term solution because it bypasses Cloudflare's proxy entirely. But if you're just trying to stop AutoSSL from randomly failing, the security rule fix above will handle it.
Why This Breaks (Optional Reading)
Let's Encrypt uses automated challenges to verify you control a domain before issuing a certificate. The most common method is HTTP-01 validation.
Here's what happens:
- Let's Encrypt gives your server a unique token
- Your server places that token in /.well-known/acme-challenge/[token]
- Let's Encrypt's validation server makes an HTTP request to retrieve the token
- If the token matches, the domain is verified and the certificate is issued
The problem is that Cloudflare sits between Let's Encrypt and your server. When Let's Encrypt makes that validation request, Cloudflare sees it as just another HTTP request—and applies all your security rules to it.
If you have WAF rules, bot protection, geographic blocking, or even challenge pages enabled, Cloudflare might block or challenge the validation request. Let's Encrypt doesn't fill out CAPTCHAs. It just fails.
AutoSSL retries later. Sometimes it works. Sometimes it doesn't. The behavior looks random because it depends on which Cloudflare edge node handles the request and what security posture it's in at that moment.
Why One Site Works and Another Doesn't
I've seen this confuse a lot of people. You have five domains on the same server, all behind Cloudflare. Four of them renew certificates fine. One fails constantly.
Why?
Because Cloudflare security settings are per-domain, not per-account.
One domain might have stricter WAF rules. Another might have bot protection enabled. Another might have geographic blocking. You might not even remember setting it up differently—maybe you enabled stricter security during a spam wave and never turned it back down.
Timing and luck also play a role. If Cloudflare happens to route Let's Encrypt's validation request through an edge node that's less aggressive at that moment, it works. Next time it doesn't.
This is why admins often assume "it's fine" for years, then suddenly start seeing failures. The configuration didn't change. Cloudflare's behavior or edge routing just happened to start blocking validation.
Common Misdiagnoses
When AutoSSL fails behind Cloudflare, I see the same incorrect assumptions over and over:
"Mail traffic goes through Cloudflare, that's why it's broken"
No. Mail records (MX, mail.example.com A records, etc.) should not be proxied through Cloudflare, but that's unrelated to Let's Encrypt HTTP validation.
Mail uses ports 25, 587, 993, etc. Let's Encrypt uses port 80 for HTTP-01 validation. They don't interfere with each other.
"I need to keep reinstalling the certificate"
Reinstalling a certificate that's about to expire just buys you time. It doesn't fix why AutoSSL can't renew automatically.
If you're manually reinstalling certificates every 60-90 days, you're treating the symptom, not the cause.
"I'll just toggle the Cloudflare proxy on and off"
Turning off Cloudflare's proxy (gray cloud) during renewal works, but it's not a solution. You lose Cloudflare's protection and caching. And you have to remember to do it every renewal cycle.
If you're setting calendar reminders to toggle DNS settings, something is misconfigured.
"I'll add more DNS records, maybe that helps"
Adding random A records or CNAMEs doesn't fix ACME validation. The issue is that Cloudflare is blocking the HTTP request, not that DNS is misconfigured.
The Real Long-Term Fix
DNS-01 validation is the actual long-term solution.
Instead of Let's Encrypt making an HTTP request to your server, you prove domain ownership by adding a specific TXT record to your DNS. This happens entirely at the DNS level, so Cloudflare's proxy and security rules never see it.
DNS-01 validation is more reliable if:
- You have strict Cloudflare security rules you don't want to loosen
- Your server isn't publicly accessible on port 80
- You need wildcard certificates (DNS-01 is required for these)
- You're tired of dealing with intermittent AutoSSL failures
The downside is that DNS-01 requires API access to your DNS provider and usually isn't supported by default in cPanel AutoSSL. You either need to use ACME clients that support DNS-01 (like acme.sh or certbot with DNS plugins), or your hosting provider needs to configure it.
If you control your own server, DNS-01 is worth the extra setup. If you're on shared hosting, you're probably stuck with HTTP-01 and the security rule workaround.
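To make concrete what the two challenge types actually publish (the HTTP-01 walkthrough earlier in the post and the DNS-01 TXT record described here), the following is an added example, not code from the post or from any ACME client. It follows RFC 8555: the body served at /.well-known/acme-challenge/<token> is the key authorization, i.e. the token joined with a dot to the account key's thumbprint (RFC 7638), and the DNS-01 TXT value at _acme-challenge.<domain> is the base64url SHA-256 of that same key authorization. The account key, token and domain below are constructed placeholders, not real values.

```python
"""ACME challenge values for HTTP-01 and DNS-01 (RFC 8555 sections 8.1 and 8.4).

Added example, not the post's code. SAMPLE_ACCOUNT_JWK is a constructed
placeholder whose modulus is not a real RSA key; a real client uses the JWK
of its registered account key.
"""
import base64
import hashlib
import json

# Constructed placeholder account key (public part only, JWK form).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-sample-modulus-not-a-real-key",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required
    public members only, keys in lexicographic order, no whitespace.
    Extra members such as "alg" or "kid" are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey); ties the token to one account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the validator looks: the path Cloudflare must let through."""
    return f"/.well-known/acme-challenge/{token}"


def http01_body(token: str, account_jwk: dict) -> str:
    """Exact bytes the origin must serve at http01_path(token)."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(record name, TXT value) to publish; Cloudflare's proxy never sees it."""
    return (f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk))


if __name__ == "__main__":
    token = "constructed-token-example"          # the CA supplies the real one
    print("HTTP-01 path:", http01_path(token))
    print("HTTP-01 body:", http01_body(token, SAMPLE_ACCOUNT_JWK))
    name, value = dns01_record("example.com", token, SAMPLE_ACCOUNT_JWK)
    print("DNS-01 record:", name, "TXT", value)
```

Two points stand out once the values are in front of you: the HTTP-01 body is longer than the token alone, so a Cloudflare rule that rewrites, caches or replaces that response breaks validation even when the request is allowed through; and the DNS-01 value is a hash published outside HTTP entirely, which is why it is immune to proxy-side security rules.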
Final Thoughts
This problem shouldn't exist in modern tooling.
There should be a checkbox in Cloudflare that says "I use Let's Encrypt" and it automatically excludes /.well-known/ from security rules. There should be a notice in cPanel when AutoSSL detects proxied DNS. There should be better error messages that say "validation blocked by upstream proxy" instead of generic timeouts.
But none of that exists, so admins waste hours toggling DNS settings, reinstalling certificates, and Googling why AutoSSL works sometimes and not others.
If you're behind Cloudflare and Let's Encrypt keeps failing, check your security rules first. It's almost always the answer.
Need Help With SSL or Cloudflare Issues?
If your certificates are failing and you're not sure why, or if you need help migrating to DNS-01 validation, get in touch.