Managed TLS with Cloudflare

I’m trying to set up an endpoint with managed TLS. I created the necessary records in Cloudflare but they’re still showing as incorrect. Any ideas as to what’s going on?

My guess is that Cloudflare is proxying that domain, i.e. it’s an “orange-cloud” record. You can confirm this by resolving your domain, e.g. by running dig +short $DOMAIN. If it comes back with the Endpoint hostname you set (elb-xxx.aptible.in), then it’s not proxying the domain (“gray-cloud”). If you get an IP address back, then there’s a proxy between the client and the Endpoint. The Aptible Dashboard only shows a domain as correctly set up if DNS resolves to the expected values, which is why it shows proxied records as incorrect.

Despite the fact that the Dashboard shows that the records are incorrect, http-01 validation should still work, assuming that it allows plain HTTP requests, since http-01 validation has to be done on port 80 (HTTP) per Let’s Encrypt’s documentation. Non-proxied records (“gray-cloud”) must be used for dns-01 validation records (_acme-challenge), as it relies on DNS resolution to confirm ownership of the domain.
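The dig check described in the answer above, written out as a small POSIX shell helper. This is an added example, not code from the original thread or from Aptible: it reads the lines that dig +short prints for a domain and reports whether the name resolves straight to the configured Endpoint hostname (gray-cloud), to IP addresses only (orange-cloud, i.e. Cloudflare is answering with its own edge IPs), to some other hostname, or to nothing at all. The Endpoint hostname elb-xxx.aptible.in is the placeholder from the thread; the addresses used in the comments and tests are constructed documentation ranges, not real records.

```shell
#!/bin/sh
# Added example (not from the original post): classify `dig +short $DOMAIN`
# output to tell a Cloudflare-proxied ("orange-cloud") record from a direct
# ("gray-cloud") one. Only the live wrapper at the bottom needs network access.

# is_ip ADDR: succeeds if ADDR looks like an IPv4 or IPv6 address literal.
is_ip() {
  case "$1" in
    *:*) case "$1" in *[!0-9a-fA-F:]*) return 1 ;; *) return 0 ;; esac ;;
    *)   case "$1" in *[!0-9.]*)       return 1 ;; *) return 0 ;; esac ;;
  esac
}

# classify_dns EXPECTED: reads `dig +short` lines on stdin and prints one of
#   direct   - the expected Endpoint hostname appears (gray-cloud record)
#   proxied  - only IP addresses came back (orange-cloud: a proxy sits in front)
#   other    - the name resolves, but to some hostname you did not configure
#   empty    - nothing resolved (record missing or not yet propagated)
classify_dns() {
  expected="${1%.}"
  verdict="empty"
  while IFS= read -r line; do
    line="${line%.}"            # dig prints fully-qualified names with a trailing dot
    [ -z "$line" ] && continue
    if [ "$line" = "$expected" ]; then
      verdict="direct"          # e.g. a CNAME to elb-xxx.aptible.in, then its A records
      break
    elif is_ip "$line"; then
      # e.g. 203.0.113.10 (constructed): keep "other" if a foreign CNAME came first
      [ "$verdict" = "other" ] || verdict="proxied"
    else
      verdict="other"           # a CNAME pointing somewhere else entirely
    fi
  done
  printf '%s\n' "$verdict"
}

# check_domain DOMAIN EXPECTED: the live check; requires dig and network access.
check_domain() {
  dig +short "$1" | classify_dns "$2"
}

# Usage (not run here): check_domain app.example.com elb-xxx.aptible.in
```

A gray-cloud CNAME yields the Endpoint hostname followed by its A records, so the first matching line settles it as direct; with an orange-cloud record Cloudflare flattens the answer to its own edge IPs, so you only ever see addresses, which is exactly what the Dashboard flags as incorrect.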