I’m trying to use ACM to restrict connections to specific cipher suites for a custom domain in Cloudflare Pages. It seems like the Universal SSL cert is not replaced with the Advanced SSL cert even though the Advanced SSL cert is active, and I’ve removed and disabled the Universal SSL cert under Edge Certificates.
I’ve also tried to change the minimum TLS version to 1.3 but scanning on Qualys SSL Labs still shows Universal SSL cert with TLS 1.2 is enabled.
Did you tried some other online tools?
They might have an SSL certificate in a cache for some time.
Or even display two certificates - in my case, it was always the Universal SSL + ACM SSL as I have had both of them active and enabled.
This is unfortunately correct, and apparently unavoidable.
I had a ticket some months ago about this, and was provided the following response:
We’ve checked in internally with Pages Team and they confirm that indeed Pages uses SSL for SaaS certificates and it is not possible to use Advanced Certificates for Pages. Currently there is no plans to support any other type of certificate configuration.
My use case was to use ACM to set a limited set of Ciphers. ACM ciphers do not work with Pages when using the SSL for SaaS certs. If you are able to use a Custom Cert then it will take priority, and the ACM ciphers you define will become active.
I totally agree. I would prefer that you could choose from a few cipher sets (perhaps like Cloudfront security policies), or have Cloudflare change the default to a better set of ciphers, and have users jump through hoops to enable weaker ciphers.