by x110dc 1628 days ago
For #4 (strict full) the origin server doesn’t have to use a Cloudflare-supplied cert. Any cert issued by a publicly trusted CA will do. See https://developers.cloudflare.com/ssl/origin-configuration/s...

Exactly, I've been doing this with letsencrypt.
How do you get certbot to work? Or do you renew manually or something?
Getting it to work the first time was a pain. Basically, you want to disable Cloudflare (just untick the box so that it goes directly to your server; you can keep using Cloudflare's DNS server), then obtain the certificate the normal way, and reactivate Cloudflare. But I would highly recommend using certbot's Cloudflare DNS plugin[1] instead so that you can (re)create the certificate w/o disabling Cloudflare.

1: https://certbot-dns-cloudflare.readthedocs.io/en/latest/

I just went through this. You need to whitelist the acme-challenge path (using page rules) like this:

  *example.com/.well-known/acme-challenge/*
  Disable Security, SSL: Off, Cache Level: Bypass, Automatic HTTPS Rewrites: Off
and one big gotcha:

  Under SSL/TLS -> Edge Certificates -> disable Always Use HTTPS
(assuming you are using the HTTP-01 challenge).
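A pre-flight check for the HTTP-01 setup described above, added here as an example and not code from either commenter. It requests the challenge path over plain HTTP with redirects disabled and maps the answer to the three settings the thread calls out (Always Use HTTPS, Security, Cache Level); the `cf-cache-status` header is a real Cloudflare response header, the probe token is a constructed placeholder.

```python
import urllib.request
import urllib.error

REDIRECTS = {301, 302, 303, 307, 308}

def classify_probe(status, headers):
    """Map a probe response (status code + headers) to the Cloudflare settings
    the thread says must be changed for the acme-challenge path.
    Returns an empty list when the answer looks like it came straight from origin."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status in REDIRECTS and h.get("location", "").lower().startswith("https://"):
        problems.append("redirected to HTTPS: turn off Always Use HTTPS / Automatic HTTPS Rewrites")
    if status in (403, 503) and h.get("server", "").lower() == "cloudflare":
        problems.append("blocked or challenged at the edge: disable Security for this path")
    if h.get("cf-cache-status", "").upper() in {"HIT", "STALE", "EXPIRED", "REVALIDATED"}:
        problems.append("answer served from Cloudflare cache: set Cache Level to Bypass")
    return problems

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx answers as HTTPError instead of silently following them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(host, token="preflight-probe-token"):
    """GET the challenge path over plain HTTP, as the ACME server would, and
    return (status, headers). The token is a constructed placeholder; a 404
    from origin is the expected answer before certbot writes the real file."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

if __name__ == "__main__":
    import sys
    status, headers = probe(sys.argv[1])
    for line in classify_probe(status, headers) or ["looks fine (HTTP %d from origin)" % status]:
        print(line)
```

Run it against the hostname before invoking certbot; an empty problem list with a 404 means the path is reaching the origin unmodified.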