Invalid SSL
Cloudflare
Deeply Nested Subdomains
If you are using a deeply nested subdomain such as *.5stack.example.com, note that Cloudflare's free SSL certificate does not cover these domains. To secure deeply nested subdomains, you must purchase an SSL certificate through Cloudflare's Advanced Certificate Manager.
Cloudflare Proxy (not to be confused with reverse proxies)
If you are using Cloudflare's proxy and not using a reverse proxy, the 5Stack k3s cluster will attempt to generate its own SSL certificates using Let's Encrypt.
However, when Cloudflare's proxy is enabled, it blocks direct HTTP requests to your server. This prevents Let's Encrypt from verifying your domain and issuing SSL certificates, causing certificate generation to fail.
To resolve this, you have two options:
Option 1: Use Cloudflare Page Rule / Redirect Rule Exception (Recommended) You don't have to disable HTTPS globally — only for the ACME challenge paths.
- Go to Rules → Redirect Rules (or Page Rules if still enabled on your account)
- Create a rule:
- If URL path starts with
/.well-known/acme-challenge/* - → Do not forward to HTTPS
- If URL path starts with
- Make sure this rule is above any global redirect
Option 2: Disable Cloudflare proxy entirely Disable the Cloudflare proxy and ensure that any automatic HTTP to HTTPS redirects are turned off; otherwise, Let's Encrypt will still be unable to complete the verification process and the issue will persist.
Debugging
If you are not using a reverse proxy, 5Stack generates its own SSL certificates. Occasionally, these certificates may become invalid, which can lead to SSL errors when accessing your site.
To fix this and regenerate the SSL certificates:
- Go to your 5Stack installation directory.
- Run
git pullto ensure you have the latest updates. - Regenerate the certificates by running:
./fix-ssl.shWait a couple of minutes, then check the status of your SSL certificates by running:
./debug.sh