
How can I use Go's autocert package with CloudFlare?


I tried running this example code from the autocert documentation, changing it to use my domain:

package main

import (
    "fmt"
    "log"
    "net/http"

    "golang.org/x/crypto/acme/autocert"
)

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
    })
    log.Fatal(http.Serve(autocert.NewListener("mydomain.work"), mux))
}

In the browser I saw a CloudFlare error saying "Error 525 SSL handshake failed". The output of the Go program was:

2020/02/27 00:44:10 http: TLS handshake error from 172.69.22.250:26624: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3031814088" for domain "mydomain.work": no viable challenge type found

The problem persisted when I turned off CloudFlare's Always Use HTTPS feature, which would have been blocking the http-01 challenge. It also persisted when I set TLS to Off in the CloudFlare console. I finally got it working by going back to NameCheap's Basic DNS.

I like CloudFlare's functionality, so this leaves me wondering: how can I make Go's autocert package work with CloudFlare? Or is it unnecessary because I could just use a self-signed cert with CloudFlare's Full Encryption setting?


Solution

  • On CloudFlare, go to SSL/TLS and then the Origin Server tab. Click the Create Certificate button and they'll make one for you for free. You can use that to work with their Full (strict) encryption setting.
