baobun•1h ago
For the purpose of cloaking IP address associations, any proxy will do - doesn't have to be Cloudflare. Note that in case you use HTTP-01 challenges, this approach still exposes you to the proxy operator and gives them an MitM opportunity.
You can do both approaches combined, fwiw. Wildcards have the benefit of not leaking subdomain names in transparency logs at all.
If you provision via ACME, you should use DNS-01 instead of HTTP-01. It removes the need to associate a public IP in the first place and reduces the MitM vector (which can be mitigated with DNSSEC).
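Added worked example (mine, not part of the comment above): the key-authorization arithmetic behind the two ACME challenge types from RFC 8555 and RFC 7638, plus a small in-memory simulation of the point being made, namely that a reverse proxy terminating HTTP for your name sits in the validation path for HTTP-01 but not for DNS-01. The domain, tokens and account keys are constructed placeholders; the CA logic is simplified (no retries, redirects or multi-vantage checks).

```python
"""ACME HTTP-01 vs DNS-01 validation, with a proxy in the HTTP path.
Constructed example; domain, tokens and JWK coordinates are placeholders."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    lexicographically ordered, no whitespace. Extra members (alg, kid, ...) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || "." || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """HTTP-01: serve the key authorization as the body at this path, over plain HTTP."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """DNS-01: publish base64url(SHA-256(key authorization)) as a TXT record."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# What the CA checks (simplified).
def ca_validates_http01(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    body = fetch(domain, f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == key_authorization(token, account_jwk)


def ca_validates_dns01(resolve_txt, domain: str, token: str, account_jwk: dict) -> bool:
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in resolve_txt(name)


# Constructed ACME account keys. The coordinates are placeholders, not real curve
# points; the thumbprint only hashes the JSON, so that is fine for the demo.
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": "owner-x-placeholder", "y": "owner-y-placeholder"}
PROXY_JWK = {"kty": "EC", "crv": "P-256", "x": "proxy-x-placeholder", "y": "proxy-y-placeholder"}


def simulate(domain: str = "app.example.test") -> dict:
    owner_token, proxy_token = "tok-owner-0001", "tok-proxy-0002"  # constructed

    # The origin publishes its HTTP-01 response, but the CA's request for the domain
    # lands on the proxy's IP, because that is what the public A record points at.
    origin_files = dict([http01_response(owner_token, OWNER_JWK)])

    def fetch_via_honest_proxy(_domain, path):
        return origin_files.get(path)

    def fetch_via_rogue_proxy(_domain, path):
        # The proxy terminates HTTP for the name, so it can answer the challenge path
        # with a key authorization for ITS OWN ACME account and get a cert issued.
        if path.startswith("/.well-known/acme-challenge/"):
            return key_authorization(path.rsplit("/", 1)[1], PROXY_JWK)
        return origin_files.get(path)

    # DNS-01: the owner publishes the TXT record in the zone; the proxy has no say
    # there, unless the proxy operator is also the DNS host.
    zone = {}
    name, value = dns01_record(domain, owner_token, OWNER_JWK)
    zone.setdefault(name, set()).add(value)

    def resolve_txt(qname):
        return zone.get(qname, set())

    return {
        "http01_owner_honest_proxy": ca_validates_http01(fetch_via_honest_proxy, domain, owner_token, OWNER_JWK),
        "http01_owner_rogue_proxy": ca_validates_http01(fetch_via_rogue_proxy, domain, owner_token, OWNER_JWK),
        "http01_proxy_rogue_proxy": ca_validates_http01(fetch_via_rogue_proxy, domain, proxy_token, PROXY_JWK),
        "dns01_owner": ca_validates_dns01(resolve_txt, domain, owner_token, OWNER_JWK),
        "dns01_proxy": ca_validates_dns01(resolve_txt, domain, proxy_token, PROXY_JWK),
    }


if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case:28s} {'validated' if ok else 'rejected'}")
```

The rogue-proxy cases are the comment's MitM point: whoever terminates HTTP for the name can pass HTTP-01 for their own account, while DNS-01 only passes for whoever can write the zone. The caveat the comment hints at with DNSSEC is that the CA's DNS-01 check is only as good as its resolution of that TXT record, and if the same operator runs both your proxy and your DNS (the usual Cloudflare setup), switching challenge type does not take them out of the loop.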