Cloudflare, Let's Encrypt and alias

OS type and version CentOS 7
Webmin version 2.101
Virtualmin version 7.7
Related packages lets encrypt, dns

Here is my situation. I have a domain and subdomains under that ( being one.

I also have an alias pointing to the subdomain. that alias is
I recently put the site into cloudflare. All went great as usual. I kept the MX records out of cloudflare. I had issues until I turned off DSN in the cloud flare panel. Everything is working fine except letsencrypt is going nuts trying to renew the cert.

I found a thread about using certbot and --webroot with cloudflare. that didn’t error out.

What are the ideal settings for Cloudflare and Virtualmin in this setup? the MX records did not work so I am still needing SSL for that.

This is what works for me however I am not using CentOS, its worth a try.

In Cloudflare DNS, set domains to DNS only (remove proxied). www is set as cname.

Then request your let’s encrypt certificate.

After setting up your websites caching, configs or whatever.

Return to Cloudflare DNS and set to proxied.

In Cloudflare SSL set to Full Strict

Didn’t have any problems yet. With wildcard certs its a different process though…

Do you have to do this every 2 months or so?

Why don’t you do what @madeupname has suggested?

And if you have additional requirements such as the one about the two months, then you should mention them all in your initial message.

It is quite counterproductive to ask a question and when you receive an answer from the community, you ask further questions instead of doing what was suggested in the answer that you have received.

No you don’t have to do this every 2 months. Just make sure virtualmin is able to renew certs after this setup. It usually works if you have the correct setup (webmin bind module, correct domains listed in nginx/apache etc).

If you don’t have the correct setup you can either figure out whats missing from error logs or just simply make a cron job to force renew certs. (that too requires some level of correct setup, see error logs if any)

Is it easy to force virtualmin to use cloudflare for LetsEncrypt certs (wildcard as well) by using a separate cronjob and change the LE cert locations in templates for nginx, postfix, dovecot etc?
Are the paths to ssl certs/keys set globally somewhere in the templates?

I’m currently running a different control panel, but I feel I’m most likely better off using virtualmin as it seems to allow more back-end config without messing everything up. Plus, I like perl.

Yes, it is set in System Settings ⇾ Server Templates: SSL website for domain page.

There is absolutely no need for doing it. Virtualmin can and should handle LE renewals on its own.

I see what you mean, but let’s just say my cert has a historical background and needs to be one cert with ALL domain names hosted by me in it. This saves me a lot of hassle, if I can keep things running that way, since it for example allows people to still keep using and/or and as their imap or smtp server without suffering key/cert mismatches.

Plus, it also simplifies DANE TLSA.

There is a specifically an option for this in System Settings ⇾ Virtualmin Virtual Servers ⇾ Configuration: SSL settings page called Share SSL certificates between domains where possible with option Yes, even when owner is different. This is the feature you’re really looking for.