How I replaced letsencrypt with CloudFlare and why

Martin Dobberstein (gutschilla)
5 min read · Jun 30, 2021

Clouds above my home town with artificial lens flare. Nice, huh?

Letsencrypt is a great tool to obtain valid TLS certificates for your services for free. But using it long-term started to be time-consuming.

In my case these were almost always some kind of web service, like my dad’s poem website or some HTTP API I needed to expose. In all of these cases I wanted the traffic to be encrypted and clients to be sure they are talking to my servers.

Being old-fashioned

So I would go and set up the service and nginx on a server along with letsencrypt and then automate the certificate refresh — they last for 3 months only — usually via cronjobs.

That works fine, and I wrote an article about it. Later, I moved most of my stuff to Kubernetes and again used letsencrypt to create certs. This was a bit clumsy but certainly doable, either manually, using the good ol’ cronjobs to create and update the secrets used by ingress controllers, or later using CertManager.

This worked fine-ish

  • Fumbling with letsencrypt meant installing it in the first place
  • The templating to automate all this was a maintenance mess (for me). No templating at all is a worse mess — just look at the length of that article.
  • Letsencrypt needs to open port 80 in server mode, which collides with web servers; I found it too hard to automate DNS-based validation, i.e. synchronizing DNS updates with letsencrypt invocations.

I am lazy

The less time I spend on tedious infrastructure, the more time I can dedicate to linking my dad’s poems to readings of them, or to helping my friends Julia and Till get started with their necklace business.

So instead of setting this all up myself, I outsourced the efforts to CloudFlare:

Register the domain

You probably have a domain or subdomain already. If not, I can recommend INWX for cheap and reliable domain registration, but you can use whichever registrar you like.

It’s important that they let you change the NS entries (name server set) for said domain — so Cloudflare can take over.

Setup the domain in CloudFlare

Find your way around signing up with CloudFlare and setting up the domain name that you want to be under their control.

Cloudflare will scan your domain’s DNS settings and copy them.

This is both convenient and especially important when you have an email service set up, probably with your domain provider or even your own. Below you can see the MX and TXT records that need to be correct for your email to work properly.

At the top you can see that we are in the DNS section

Two things are important here: the content of the A record for that domain and the proxy status:

The content points to your server (or load balancer) where your web service runs. The proxy status needs to be “proxied” in order to act as a, well, proxy in front of your service. This proxy will then handle encryption for you — making sure a TLS certificate for your domain is issued and renewed, and configuring HTTPS on the proxy.

I am flexible about security here 😵

Being secure

In the screenshot above I have set the encryption mode to “flexible”, which is a euphemism for “insecure”, as traffic between CloudFlare and my service is not encrypted or authenticated at all. For a demo web service or my dad’s poems that’s probably fine.

In production I’d insist on encrypting that traffic as well. So, we need a TLS certificate, right? Wasn’t that what CloudFlare was meant to automate?

Well, at least they got the tedious certificate rotation sorted: CloudFlare will issue a certificate valid for 15 years that they accept (but no browser does). You still need to install that certificate on your server. Once. But you can skip the brittle rotation/renewal part altogether; set a calendar entry … I mean really … wait for your customers to call you up in 15 years 😬

This dialogue can be found in the SSL/TLS section right next to DNS in the menu
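Installing that origin certificate on the server, as an added example that is not from the article: an nginx config for the origin host, after which the CloudFlare encryption mode can be switched from “flexible” to “Full (strict)” so CloudFlare validates the certificate on every connection to the origin. The domain, file paths and backend port are placeholders.

```nginx
# Origin-side nginx config for a host that sits behind the CloudFlare proxy.
# Assumptions (not from the article): the domain is example.com, the web app
# listens on 127.0.0.1:8080, and the CloudFlare-issued origin certificate and
# its private key were saved as the two files referenced below.

server {
    listen 80;
    server_name example.com;
    # Plain HTTP exists only for the redirect; with the encryption mode set to
    # Full (strict) the proxy never fetches page content over this port.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # The origin certificate is trusted by CloudFlare only, not by browsers,
    # so this DNS record must stay "proxied".
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;

    # Modern protocols only; let the client pick the cipher suite order.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Behind a proxy the connecting IP is CloudFlare's, not the visitor's,
        # so forward the original request details to the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because browsers do not trust the origin certificate, a visitor who connects to the server’s IP directly gets a certificate warning; keeping the record proxied means every public connection terminates at CloudFlare.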

The benefits

  1. The best part for me is that I don’t have to worry about TLS refresh cronjobs not working any more because of some update to letsencrypt. That happened to me once and it was a pain to figure out where and how (differently) I had set all this up.
  2. For small-scale applications, CloudFlare offers this for free.
  3. You’re hiding the IPs of your production machines behind CloudFlare which makes it harder for attackers to identify your infrastructure.
  4. CloudFlare can do minification and hides email addresses from spammers on its own so you don’t have to care about this.
  5. You can hook into your requests using CloudFlare apps to log what’s going on in your API so you don’t have to configure this yourself.

👉 All in all, I don’t have to worry.

Drawbacks

  1. If you want a secure system you still need to install a certificate on your web-serving end. CloudFlare only saves you the validation and renewal part. Which is totally worth it for me.
  2. You are relying on an external service which is an additional point of failure.
  3. At some point of traffic, CloudFlare will charge you money.

Alternatives

Digital Ocean lets you do pretty much the same; you even get a very nice doctl CLI tool that makes it easy to automate your DNS when setting up CD pipelines for a project.
