I am trying to understand how this works so that I can maintain it. I do not understand how my DigitalOcean app was able to automatically issue and serve a Cloudflare edge certificate despite the CF proxy being disabled on that domain.
I have a basic network that consists of a few resources on DO and AWS with Cloudflare Proxy. CF is set to strict mode. There are three hosts:
A.example.com - A Record to AWS Server, Proxied, LetsEncrypt Certificate
B.example.com - CNAME Record to DO App, Not Proxied, **CF Edge Certificate**
C.example.com - CNAME Record to DO CDN, Not Proxied, LetsEncrypt Certificate
For Host A, everything is what I would expect. I use certbot with the CF plugin to issue certificates directly on the host. When I turn off the proxy I see my host cert; when I turn on the proxy I see CF's edge cert.
For Host C, everything is what I would expect. I generate the certificate with certbot and upload the certificate and key to DigitalOcean. I could move my nameservers to DigitalOcean for them to manage this too, but I have not yet. When I turn off the proxy I see my LE certificate.
Host B is what I do not understand. I started an app with a static website. I added the domain to the app. I was expecting to have to provide a certificate, but instead it appears to serve Cloudflare's edge certificate for my domain with strict mode enabled and proxy disabled.
What is going on here? I read somewhere that CF is providing certificate services for DO. Who is going to renew my certificate for B.example?