Ok, step one to do this involves temporarily unchecking the orange cloud and bypassing Cloudflare entirely. To issue the initial certificate Let’s Encrypt needs direct communication with your server.
Ensure that in your app.yml the following lines are uncommented:
- "templates/web.ssl.template.yml"
- "templates/web.letsencrypt.ssl.template.yml"
and add this one:
- "templates/cloudflare.template.yml"
There’s little to no risk in doing this, so click on the orange cloud to disable Cloudflare, then configure Let’s Encrypt. When your site is working again under HTTPS you also need to make a change within Discourse: enable the force_https setting under /admin.
Once your server is communicating via HTTPS you can change one more setting at Cloudflare if there are no other sites or applications under the same domain. Visit the ‘Crypto’ tab at Cloudflare and swap SSL from ‘Flexible’ to ‘Full (Strict)’.
Note that certain Cloudflare features are incompatible with Discourse; you’re going to need to create the following page rule:
And disable Brotli, which is under the ‘Speed’ tab of your domain:
This is neither easy, nor a good idea. It’s easy to secure Discourse using Let’s Encrypt once you allow Let’s Encrypt to enrol the certificate. Troubleshooting the mixed scenario is much more hassle.
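A small pre-rebuild check for the app.yml step above, added here as an example and not part of the post or of the Discourse launcher: it reads the templates list from an app.yml and reports whether each of the three templates the post names is active, commented out with a leading `#`, or absent. The sample app.yml fragments are constructed for the example; the template paths are the ones the post lists.

```python
import re
from typing import Dict, List

# The three templates the post says must be present and uncommented in app.yml
REQUIRED_TEMPLATES = (
    "templates/web.ssl.template.yml",
    "templates/web.letsencrypt.ssl.template.yml",
    "templates/cloudflare.template.yml",
)

# Constructed sample: ssl active, letsencrypt commented out, cloudflare missing
SAMPLE_APP_YML = """\
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
  - "templates/web.ratelimited.template.yml"
"""

# Constructed sample with all three templates active, as the post asks for
FIXED_APP_YML = """\
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"
  - "templates/cloudflare.template.yml"
"""

# Matches a list item like `- "templates/x.yml"`, optionally commented out with `#`
_LINE_RE = re.compile(
    r'^\s*(?P<comment>#\s*)?-\s*["\']?(?P<path>templates/[^"\'\s]+)["\']?\s*$'
)


def template_status(app_yml: str) -> Dict[str, str]:
    """Return each required template's state: 'active', 'commented' or 'missing'."""
    status = {t: "missing" for t in REQUIRED_TEMPLATES}
    for line in app_yml.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group("path") not in status:
            continue
        state = "commented" if m.group("comment") else "active"
        # An active entry wins over a commented duplicate of the same template
        if status[m.group("path")] != "active":
            status[m.group("path")] = state
    return status


def missing_templates(app_yml: str) -> List[str]:
    """Templates that still need attention before running ./launcher rebuild app."""
    return [t for t, s in template_status(app_yml).items() if s != "active"]


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_APP_YML), ("fixed", FIXED_APP_YML)):
        print(name)
        for template, state in template_status(text).items():
            print(f"  {state:9s} {template}")
```

Run it against your real file by reading app.yml into a string and passing it to `missing_templates`; an empty list means all three templates are present and uncommented.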