

Is it possible to use Cloudflare's proxy functionality with Let's Encrypt on Forge


Cloudflare's proxy functionality can indeed be used with Let's Encrypt certificates on Laravel Forge, and many developers successfully combine these services to achieve SSL encryption and CDN benefits. Here is a detailed explanation addressing how they work together, what to watch out for, and specific considerations with Forge.

When using Cloudflare's proxy (the orange cloud in DNS), traffic between end users and Cloudflare is encrypted using Cloudflare's edge SSL certificate, not the Let's Encrypt certificate installed on your Forge server. However, the connection between Cloudflare and your origin server (your Forge-hosted site) can still be secured using a Let's Encrypt certificate. This setup is often recommended to ensure secure end-to-end encryption (browser to Cloudflare, and Cloudflare to origin).

The key technical aspect of using Let's Encrypt with Cloudflare lies in how Let's Encrypt validates domain ownership. There are two common methods Let's Encrypt uses for issuing certificates:

1. HTTP-01 challenge: a challenge file is placed in the `.well-known/acme-challenge` directory on your server, and Let's Encrypt then fetches it over HTTP to verify control over the domain.
2. DNS-01 challenge: Let's Encrypt verifies domain ownership by checking for specific DNS TXT records on the domain.

Since Cloudflare acts as a reverse proxy, it forwards HTTP requests to your Forge server, including those for the `.well-known/acme-challenge` path. This means the HTTP-01 challenge works correctly even when the domain is proxied through Cloudflare, as requests to that challenge path pass through Cloudflare to the origin server without interference. This allows the Let's Encrypt certificates to be issued or renewed seamlessly via Forge while Cloudflare proxying is enabled.

For wildcard certificates (e.g., `*.example.com`), Let's Encrypt only supports validation via the DNS-01 challenge. Forge supports integration with Cloudflare's DNS API, allowing it to automatically add the required DNS TXT records on your behalf to complete the DNS challenge. For this to work, you need to provide Forge with a Cloudflare API token or key that has appropriate permissions to manage DNS records (usually permissions like `Zone.Zone.Read` and `Zone.DNS.Edit`). This makes it easier to automate issuance and renewal of wildcard Let's Encrypt certificates with Cloudflare DNS in Forge.

When using Cloudflare proxy and Let's Encrypt on Forge, consider the following points:

- Cloudflare's SSL mode should be set to "Full (strict)" to ensure Cloudflare validates the origin server's SSL certificate (the Let's Encrypt cert) properly before forwarding traffic. This avoids issues like "too many redirects" or insecure connections.
- The certificate that visitors' browsers see is the Cloudflare edge certificate; the Let's Encrypt certificate secures only the Cloudflare-to-origin leg.
- If you point CNAME records to third-party platforms through Cloudflare, proxying those records can break certificate issuance or renewal for those services, because the validation requests no longer reach them directly. In such cases, disable proxying (grey cloud) for those specific DNS records so the validation can succeed.
- Laravel Forge supports multiple DNS providers for wildcard certificate automation, including Cloudflare. Ensuring the Cloudflare API token has correct and sufficient permissions is critical for successful automation.
- Using Let's Encrypt certificates behind the Cloudflare proxy does not require a paid Cloudflare plan; the free plan supports the Full (strict) SSL mode with a certificate installed on the origin.

The procedural workflow on Forge typically is:

1. Configure your domain in Forge and enable SSL with Let's Encrypt.
2. If using wildcard certificates, provide a Cloudflare API token in Forge with appropriate permissions.
3. Forge completes the DNS-01 challenge through Cloudflare's API for wildcard certificates, and relies on the HTTP-01 challenge for non-wildcard certificates.
4. Enable the Cloudflare proxy (orange cloud) on the site's DNS records.
5. Configure Cloudflare SSL to "Full (strict)".
6. Your site is secured end-to-end, with Cloudflare presenting its certificates to users, while the origin is also encrypted with Let's Encrypt.
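The following pre-flight script, added here as an example and not part of Forge or Cloudflare's own tooling, checks the points the workflow above depends on: it picks the challenge type the way the text describes (wildcard names need DNS-01), reads the zone's SSL setting from Cloudflare's API to confirm it is `strict` (the API value for "Full (strict)"), and performs the same kind of fetch Let's Encrypt makes for an HTTP-01 challenge through the proxied hostname. The zone ID, API token and challenge values are assumed placeholders, and the `fetch` parameter is an assumption that lets the checks run offline.

```python
"""Pre-flight checks for Let's Encrypt behind the Cloudflare proxy.
Added example, not Forge's or Cloudflare's code. Network access goes
through an injectable `fetch(url, headers) -> (status, body)` so the
decision logic can be exercised without a live zone."""
import json
import urllib.error
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def http_fetch(url, headers=None):
    """Default fetcher: plain GET returning (HTTP status, body text)."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def challenge_type(domain):
    """Wildcard names can only be validated with DNS-01; any other name
    can use HTTP-01, which Cloudflare forwards to the origin."""
    return "dns-01" if domain.startswith("*.") else "http-01"


def ssl_mode_ok(zone_id, api_token, fetch=http_fetch):
    """Read the zone's SSL setting. Only 'strict' (Full (strict) in the
    dashboard) makes Cloudflare validate the origin's Let's Encrypt cert.
    Returns (ok, detail) where detail is the mode or an error string."""
    status, body = fetch(f"{CF_API}/zones/{zone_id}/settings/ssl",
                         {"Authorization": f"Bearer {api_token}"})
    if status != 200:
        return False, f"API returned HTTP {status}"
    mode = json.loads(body)["result"]["value"]
    return mode == "strict", mode


def challenge_passes_through(domain, token, key_authorization, fetch=http_fetch):
    """Mimic the CA's HTTP-01 fetch: the proxied hostname must return the
    exact key authorization the origin placed under acme-challenge."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    status, body = fetch(url)
    return status == 200 and body.strip() == key_authorization


if __name__ == "__main__":
    # Placeholder values; replace with your zone ID and a token scoped to
    # Zone.Zone.Read (and Zone.DNS.Edit if Forge issues wildcard certs).
    print(challenge_type("*.example.com"), ssl_mode_ok("ZONE_ID", "API_TOKEN"))
```

Run it against a real zone only after substituting the placeholders; a `(False, "full")` result means Cloudflare is forwarding to the origin without validating its certificate and the mode should be raised to Full (strict).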

In summary, combining Cloudflare's proxy functionality with Let's Encrypt on Forge is a supported and practical approach to securing web applications. The two systems complement each other: Cloudflare provides the CDN and proxy benefits, and Let's Encrypt ensures that traffic to the origin server is encrypted. Problems generally arise only when the DNS API credentials lack the required permissions, or when proxying is enabled for DNS records that point to external services not set up for Cloudflare, either of which can cause certificate renewals to fail. Correctly scoped API tokens, knowing which challenge method applies, and the right Cloudflare SSL mode keep this integration working smoothly.

Overall, modern Forge setups explicitly support Cloudflare API integration for wildcard SSL issuance and renewal with Let's Encrypt, enabling fully automated and secured sites even behind Cloudflare proxy. Thus, it is entirely feasible and common for Laravel Forge users to run sites with full Cloudflare proxy protection while maintaining Let's Encrypt certificates on their origin servers for secure connections.