marklcfc
Posted January 30, 2023 (edited)

If I'm using Cloudflare, what SSL do I need on my server? Previous to using Cloudflare I bought one from RapidSSL, which is still active but expiring soon. I'm wondering, would a free Let's Encrypt be enough considering it's going through Cloudflare too now? Or does a paid one still have benefits?

Edited January 30, 2023 by marklcfc

Randy Calvert
Posted January 30, 2023

You can have any valid cert or none at all. In your CF SSL settings, Flexible means you don’t need any SSL at origin (CF takes care of the SSL to your users). Full will use SSL to origin, but ANY cert (even expired) can be used. CF won’t check the cert. Strict means SSL to origin AND a valid cert issued by a trusted CA must be used.

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/

Dll
Posted January 30, 2023

Cloudflare supply a free origin certificate that can go onto your server. It's only for use between Cloudflare and your server, so it can't be used if you still have direct traffic.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

I wouldn't recommend using their Flexible SSL, as that won't encrypt the traffic between your server and theirs.

marklcfc (Author)
Posted January 31, 2023 (edited)

Not sure what to do, as my hosts said this in reply to asking if I can change to standard Let's Encrypt on the server from the paid SSL:

Quote:
It could work but we can't offer any guarantee. Historically we have had a lot of issues where Cloudflare acting as a proxy has interrupted the ACME validation for Let's Encrypt and caused it to fail. You can turn it on to see how it goes, but if there are any issues we would suggest going back to a standard certificate.

Edited January 31, 2023 by marklcfc

Randy Calvert
Posted January 31, 2023

Short answer is yes. You can use flexible or strict with Let’s Encrypt at origin. LE is a valid/trusted CA.

marklcfc (Author)
Posted January 31, 2023

3 hours ago, Randy Calvert said:
Short answer is yes. You can use flexible or strict with Let’s Encrypt at origin. LE is a valid/trusted CA.

I have it set as just full currently

marklcfc (Author)
Posted January 31, 2023

Ok, what I don't know though is: should I just use Let's Encrypt or continue to pay for the RapidSSL cert? (Very little knowledge on the subject.)

Randy Calvert
Posted January 31, 2023

It won't make a difference what cert you use, for 2 reasons:

1. Your current setting of Full does not validate a certificate issuer. It just checks to see if the server is accepting requests over SSL (meaning port 443). So it does not matter if you use Let's Encrypt, RapidSSL, or even if you generate your own self-signed cert. The issuer is not checked at all.
2. Even if you were to change from Full to Strict, both Let's Encrypt AND RapidSSL are valid certificate authorities (CAs). Cloudflare trusts certs issued by those CAs, so it would continue to work with either even if you were to use the more secure/strict certificate validation process.
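
Added example, not part of the thread and not Cloudflare's own code: a direct probe of the origin server that reports whether it would pass a Full-style check (TLS answers, certificate ignored) and a Strict-style check (certificate must validate). The function names and the command-line arguments are hypothetical, and the local trust store stands in for Cloudflare's, so a Cloudflare Origin CA certificate fails the strict probe here even though Strict accepts it.

```python
import socket
import ssl
import sys


def _handshake(origin_addr, port, hostname, ctx, timeout):
    """Try one TLS handshake; return None on success, else a reason string."""
    try:
        with socket.create_connection((origin_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        return f"certificate rejected: {exc.verify_message}"
    except OSError as exc:  # refused, timed out, or listener is not speaking TLS
        return f"no TLS session: {exc}"


def check_origin(origin_addr, hostname, port=443, timeout=5.0):
    """Report which of the thread's encrypted modes this origin could serve."""
    # Full-like probe: require TLS but accept any certificate
    # (expired, self-signed, wrong name), as described in the thread.
    any_cert = ssl.create_default_context()
    any_cert.check_hostname = False
    any_cert.verify_mode = ssl.CERT_NONE

    # Strict-like probe: chain to a trusted CA, unexpired, hostname matches.
    # Assumption: the local trust store approximates what Cloudflare trusts.
    trusted = ssl.create_default_context()

    full_err = _handshake(origin_addr, port, hostname, any_cert, timeout)
    # If TLS is not reachable at all, the strict probe cannot succeed either.
    strict_err = full_err or _handshake(origin_addr, port, hostname, trusted, timeout)
    return {
        "full": full_err is None,
        "strict": strict_err is None,
        "detail": strict_err or "certificate validates against the local trust store",
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_origin.py <origin-address> <hostname>")
    print(check_origin(sys.argv[1], sys.argv[2]))
```

Run it against the server's own address rather than the proxied hostname, so the certificate inspected is the one installed at origin and not Cloudflare's edge certificate.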