The best way for Cloudflare customers to encrypt '''fully''', is to use Certbot. Cloudflare support echoes [https://support.cloudflare.com/hc/en-us/articles/214820528-How-to-Validate-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare word-for-word] what Let's Encrypt says in their community forum: [https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338 How to get a Let's Encrypt certificate while using CloudFlare]
tldr; Use the <code>--webroot-path </code> option with the <code>certonly<<code>--preferred-challenges="dns"</code>, but you'll need to manually intervene. Optionally, if you just turn off the proxying while you issue the certificate, you can use TLS-SNI and HTTP-01 challenges (and then turn proxying back on.) For more advanced usage, check out the docs where they describe [https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks pre and post validation hooks]
With the pre-hook and post-hook options, you can script the conditions needed to authenticate and renew.
<code>certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"</code>
The <code>--renew-hook</code> only runs when a certificate has been successfully renewed, so use this script to do things like concatenate the fullchain and
== Resources ==
