Taki Elias

Stop Fighting SSL in Coolify Behind Cloudflare

If you're using Coolify with Cloudflare, SSL can feel confusing.

You deploy your app, connect the domain, and expect HTTPS to just work.

But instead, you end up:

  • changing SSL modes in Cloudflare
  • trying different configs in your server
  • not really sure what’s broken

Everything looks fine, but something is off.


What’s going on

When Cloudflare proxy is enabled, there are two connections:

  1. User → Cloudflare
  2. Cloudflare → Your server

The second one is the important part.

If your server doesn’t have a proper certificate, Cloudflare can’t securely connect to it — especially in Full (Strict) mode.

That’s where most setups fail.


The right way to handle it

Cloudflare provides Origin CA certificates.

These are meant for your server (not browsers), and they:

  • work with Cloudflare proxy enabled
  • last up to 15 years
  • don’t require the domain validation that Let’s Encrypt does

So instead of fighting SSL, you just need to set this up correctly.


The problem

Setting this up manually takes time:

  • generate key and certificate
  • upload to server
  • configure Traefik or Caddy
  • update DNS
  • switch SSL mode

It’s easy to make a mistake in one of these steps.


A simpler way

I built a small CLI tool called CertGun to handle this.

It automates the full setup for Coolify servers using Cloudflare.


How to use it

First, run:

certgun init

Then:

certgun add 103.21.44.10 example.com

Done.


What it handles for you

CertGun takes care of:

  • generating the certificate
  • installing it on your server
  • configuring Traefik or Caddy
  • updating DNS in Cloudflare
  • setting SSL mode to Full (Strict)

You don’t need to do these manually.


Wildcard support

You can also use wildcard domains. Quote the pattern so your shell passes it through instead of trying to expand it:

certgun add 103.21.44.10 '*.example.com'
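
In Full (Strict) mode the origin certificate has to cover every hostname you proxy, and a wildcard entry stands for exactly one label. The check below is an added example, not CertGun code: it lists the hostnames a given SAN list leaves uncovered. The SAN lists and hostnames are constructed, and rejecting partial wildcards such as `w*.example.com` is a conservative choice made for this example.

```python
# Added example (not part of CertGun). Pre-flight check: which proxied
# hostnames are NOT covered by the DNS names on an origin certificate?

def _labels(name):
    # Case-insensitive comparison; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_covers(san, hostname):
    """True if a single DNS SAN entry covers hostname.

    '*' is honoured only as the whole left-most label and stands for
    exactly one label, so '*.example.com' covers 'app.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    pattern, host = _labels(san), _labels(hostname)
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        return host[0] != "" and pattern[1:] == host[1:]
    # Conservative: any other use of '*' (e.g. 'w*.example.com') never matches.
    return "*" not in san and pattern == host

def uncovered(sans, hostnames):
    """Hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(san_covers(s, h) for s in sans)]

# Constructed sample data.
SANS_WILDCARD_ONLY = ["*.example.com"]
SANS_WITH_APEX = ["*.example.com", "example.com"]
PROXIED = ["example.com", "app.example.com", "API.example.com.", "a.b.example.com"]

if __name__ == "__main__":
    for sans in (SANS_WILDCARD_ONLY, SANS_WITH_APEX):
        print(sans, "leaves uncovered:", uncovered(sans, PROXIED))
```

If the apex or a deeper subdomain shows up as uncovered, add it to the certificate's hostnames before relying on Full (Strict) for that record.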

When this helps

This is useful if you:

  • use Coolify
  • keep Cloudflare proxy enabled
  • want Full (Strict) SSL without extra steps

Why use this instead of Let’s Encrypt?

Let’s Encrypt works well, but with Cloudflare it often adds extra steps.

Origin certificates are simpler in this case:

  • no validation issues
  • no renewal every 90 days
  • no need to disable proxy

Try it

GitHub: https://github.com/takielias/certgun
Docs: https://docs.ebuz.xyz/certgun


If you’ve been adjusting settings just to make SSL work, this removes that hassle.
