Can't configure Byethost site for Cloudflare free SSL, even on Flexible with no origin SSL cert


#1

I’ve orange-clouded the domain on Cloudflare. I have my email address for Cloudflare the same as I have it on Byethost, so I can’t enable it from the cPanel in Byethost. I already created a support ticket with Byethost, and they replied telling me to contact you about it.

I’m unable to use your downloadable origin cert with Byethost. They don’t allow for wildcard (sub-)domains with my free account, however I tried creating one without the wildcard sub-domain and inputting it into their SSL cert plugin and it still complained that the cert was not for my domain (but I know for a fact that it was).

I’m perfectly happy to continue using Flexible as my site’s info will not be sensitive (at least I have no plans as of now for user accounts and the like), but of course I’m willing to return to Full as well if it’s what will work properly. Ultimately I simply want SSL for my site, and would prefer it to be through cloudflare.

Can anyone from cloudflare with the ability to twiddle on the backend help me out with this? For security purposes I’d rather not list my work-in-progress domain on this public forum, thus maybe we could continue via email?


#2

In that case you’d better mail them at support[at]. This is a public community and there is little point in asking here for a private contact.


#3

I’m content with someone from cloudflare simply assisting me on the backend without emailing, given that they should be able to map my account from here and see the only website I’ve attached. If need be, we can still communicate here about it whilst maintaining discretion.


#4

Is there a particular reason for the secrecy?

All I could suggest is you run a check with your domain on sitemeer.com, tell me when you ran it, and I can check which domain it was without disclosing it :)


#5

I ran it, thanks :)


#6

Alright, I believe I got it. Your DNS setup looks okay, and so does your naked domain; your www host, however, still seems to point to your web server. Is only HTTPS the issue?


#8

Sorry, it filtered something as a tag. Please read this one instead:

I have configured (in Byethost) a deliberate redirect to the https://[non-www domain] when attempting www-prefixed accesses to my site. I realize cloudflare can do this as well, but I have it off because it’s already configured on my site. I’m not seeing any lock when I attempt my site from several browsers, and get the ‘unsafe, continue anyway?’ warning.


#9

Well, the problem is, if you go via the www host you are presented with a self-signed certificate which is configured on your server for your domain. Going via the naked domain gives you a proper certificate, but you still end up with a redirect loop, because it wants HTTPS but the connection between your server and Cloudflare is HTTP (due to Flexible).

Is there any chance you can get a proper certificate configured on your server? If so, you could configure Full (strict) as the TLS status. If that does not work, you could still configure simple Full. If you need Flexible, however, you should remove the HTTPS redirect on your server.


#10

I mean, I can always do a self-signed cert, but that would defeat the purpose of my going with Cloudflare, yes? I’ve tried to delete the default SSL cert from Byethost and it didn’t change anything.

The same failures occur for every combination of whether or not it’s set to Full or Flexible, and whether or not I include the ‘redirect-to-non-www’ statements in my config.


#11

Generally yes. As long as your Cloudflare account is configured with simple Full it would still work on the user side, as they’d be presented with the Cloudflare certificate, but there is a potential chance of a MITM attack.

There are two issues: the self-signed certificate, and the redirect loop because you are on Flexible (which is HTTP) but expect HTTPS, while the users actually hit Cloudflare with HTTPS.

What is more important to you? Less hassle or security?
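
The redirect loop described in #9 and #11 is easy to reason about once the three hops are laid out: visitor to edge (always HTTPS when the lock is expected), edge to origin (HTTP on Flexible, HTTPS on Full and Full strict), and the origin's own "force HTTPS" rule looking only at the scheme of the hop it can see. The simulation below is an added example written for this thread; it is not code from the original posts or from Cloudflare. It relies on two facts about the real service: Cloudflare forwards the scheme the visitor used in the `X-Forwarded-Proto` request header, and a zone on Full strict answers 526 when the origin certificate is untrusted while Full or Full strict answer 525 when the origin offers no TLS at all. Everything else (the `Origin` class, the placeholder host `example.com`, the hop limit) is an assumption made for illustration.

```python
"""Simulation of Cloudflare SSL modes against an origin that forces HTTPS.

Added example for this thread, not code from the posts or from Cloudflare.
Assumed for illustration: the Origin model, the host name example.com and
the hop limit. Relied on as fact: Cloudflare sends X-Forwarded-Proto with
the visitor's scheme; Full (strict) returns 526 for an untrusted origin
certificate and 525 when the origin has no TLS at all.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

FLEXIBLE, FULL, FULL_STRICT = "flexible", "full", "full_strict"
HOST = "example.com"  # placeholder; the poster kept the real domain private


@dataclass
class Origin:
    cert: Optional[str]       # None (no TLS), "self-signed" or "trusted"
    force_https: bool         # the redirect the poster configured in Byethost
    trust_forwarded_proto: bool = False  # consult X-Forwarded-Proto before redirecting

    def handle(self, scheme: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
        """Behave like a 'redirect everything to https' rule on the web server."""
        seen = scheme
        if self.trust_forwarded_proto and "X-Forwarded-Proto" in headers:
            seen = headers["X-Forwarded-Proto"]  # the scheme the *visitor* used
        if self.force_https and seen != "https":
            return 301, f"https://{HOST}/"
        return 200, None


def edge_fetch(mode: str, visitor_scheme: str, origin: Origin) -> Tuple[int, Optional[str]]:
    """How the Cloudflare edge reaches the origin under each SSL mode."""
    headers = {"X-Forwarded-Proto": visitor_scheme}
    if mode == FLEXIBLE:
        return origin.handle("http", headers)  # edge -> origin is plain HTTP
    if origin.cert is None:
        return 525, None  # Full / Full strict: origin does not speak TLS
    if mode == FULL_STRICT and origin.cert != "trusted":
        return 526, None  # Full strict refuses a self-signed origin cert
    return origin.handle("https", headers)  # Full accepts any origin cert


def visit(mode: str, origin: Origin, url: str = f"https://{HOST}/",
          max_hops: int = 10) -> Union[int, str]:
    """Follow redirects the way a browser would; report a loop instead of hanging."""
    for _ in range(max_hops):
        scheme = url.split("://", 1)[0]
        status, location = edge_fetch(mode, scheme, origin)
        if status in (301, 302) and location:
            url = location
            continue
        return status
    return "redirect_loop"


def direct_visit(origin: Origin) -> str:
    """A grey-clouded host (the www record in #9) bypasses the edge entirely."""
    if origin.cert == "trusted":
        return "lock"
    return "browser_warning"  # self-signed, or no certificate at all


if __name__ == "__main__":
    byet = Origin(cert="self-signed", force_https=True)
    print("flexible, forced https on origin:", visit(FLEXIBLE, byet))
    print("full, forced https on origin:", visit(FULL, byet))
    print("full strict, self-signed origin:", visit(FULL_STRICT, byet))
    fixed = Origin(cert="self-signed", force_https=True, trust_forwarded_proto=True)
    print("flexible, header-aware redirect:", visit(FLEXIBLE, fixed))
    print("www host straight to origin:", direct_visit(byet))
```

Running it reproduces the thread: on Flexible the origin only ever sees `http`, so a scheme-based redirect bounces forever; switching to Full makes the same redirect harmless because the edge now arrives over HTTPS; Full strict rejects the self-signed certificate outright. The `trust_forwarded_proto` flag models the third option the thread does not mention, keeping the redirect on the origin but keying it on `X-Forwarded-Proto` so it fires only for visitors who genuinely came in over plain HTTP. Whatever the mode, the grey-clouded www host still hands the browser the origin's own certificate, which is why that path shows a warning regardless of the Cloudflare setting.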


#12

To add: I’ve already tried zerossl as far as a trusted authority, which uses Let’s Encrypt on the backend. Didn’t work, and I found out later from their FAQ that it’s basically a known issue with Byet as to why it doesn’t work with them. This is why Flexible through Cloudflare seems more and more appealing y’know?


#13

That would mean no encryption between you and Cloudflare though and some sort of pretended user security :). But anyhow, if you want that you should remove the HTTPS redirect and you should be good.


#14

Ok, did that on my server config. You see anything different on your end?


#15

No redirect anymore, but a directory listing.


#16

I’m not keen on MITM going back to my server from the client, as would be the vulnerability with Flexible, but I’d really like to look reputable to start with and use revenue to get better. Self-signed certs aren’t the way, but given that all the free tools are at my disposal, this should simply work. I shouldn’t have to register a different login for Cloudflare and shut this one down simply because it matches on Byethost. There should be a way to do this simply and effectively from Cloudflare’s end. I’ve deleted as much mention of SSL as I could possibly delete on the Byet end, and Byet sent me here to get it fixed. I’ve kept the config for my site in Cloudflare as simple as I possibly can, while still enabling what must be enabled for it to work.