Cloudflare Load Balancing and Correct SSL Configuration & Setup (Help Needed)

loadbalancing

#1

We currently have CF set up and working with WordPress. We have purchased a CF dedicated SSL certificate and we operate in FULL (STRICT) mode, as we also have a real SSL cert on the server as well. Everything is working great and all traffic goes through Cloudflare.

Now we have decided to move from a single server that is hosting our WordPress site to a cluster of three servers running behind the Cloudflare load balancer service. The servers are up and operational and are load balancing like they are supposed to, but for the life of me I cannot figure out (or find out) how to configure the SSL between these new servers and Cloudflare. Further, I am not sure of the process for when we go to move our DNS from the single server to the load balanced cluster, and what happens with our CF dedicated SSL certificate.

We currently have www.domain.com pointing to Cloudflare with a Cloudflare dedicated SSL cert. When I set up the load balancing, I used www2.domain.com to do all of the setup and testing, to make sure I had the health monitors set up and working and that the failover worked correctly.

What I suspect is that I need to somehow get certificates on my origin (server-one, server-two, and server-three) so that there is an SSL connection between Cloudflare and those servers and then maybe (through magic???) when I decide to make the change I just change the hostname on my load balancer configuration. According to the documentation that I have been reading, any load balancer host entry will override Cloudflare DNS until I turn off load balancing.

I also assume that when I set my load balancing hostname to my www hostname, the Crypto and Argo services I have configured against that hostname will automatically follow, and now the load balancers in front of my cluster will answer https queries with the correct SSL certificate.

I know I am doing a lot of assuming and what I am really looking for is maybe some guidance or direction to prevent me bringing down our entire website because I don’t understand how to make the move from single server Cloudflare to load balanced Cloudflare for the same hostname.

Given the background above, I guess my specific questions are:

  1. How do I make sure traffic between the CF load balancers and my cluster of servers is secured by SSL in such a manner that CF works correctly? I know that CF offers a free TLS certificate for Origin Server <-> CF communications, but I don’t know if this is specific to my main website Origin server. If not, how do I get three of them for my three servers?

  2. Will CF accept self-signed (or even Let’s Encrypt) SSL certs assigned to the specific servers (server-one, server-two, server-three), or will CF expect that all of the servers respond using the main website SSL certificate (www.domain.com), so that I just use my current SSL cert that is on my main site now for www.domain.com on all three servers?

  3. When I am ready to switch from my single website currently hosted behind CF to my load balanced site also hosted under the same account and domain behind CF, is it as simple as setting my load balanced hostname to www and, per the documentation, it will override any other CF-based DNS for that host?

Sorry for such a long post, and thanks in advance for any help or guidance!
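A pre-flight check that bears on questions 1 and 2 above, added here as an example (it is not from the original post, nor Cloudflare's own tooling): it connects to each pool origin by IP, sends the public hostname via SNI, and verifies the returned certificate against a CA file, which is roughly what Full (Strict) mode does before it will proxy to that origin. The variable names CF_POOL_ORIGINS, CF_HOSTNAME and CA_FILE are assumptions; set CA_FILE to the system bundle for publicly issued certs, or to the Cloudflare Origin CA root (obtainable from Cloudflare's documentation) if the origins use Origin CA certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders (assumptions):
#   CF_POOL_ORIGINS  space-separated origin IPs in the load balancer pool
#   CF_HOSTNAME      public hostname the pool will serve (SNI + name check)
#   CA_FILE          CA bundle to trust when verifying the origin's chain
CF_HOSTNAME="${CF_HOSTNAME:-www.domain.com}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"

# Reduce an `openssl s_client` transcript to one OK/FAIL line.
# Returns 0 only when OpenSSL reports "Verify return code: 0".
classify_s_client_output() {
    line=$(printf '%s\n' "$1" | grep '^ *Verify return code:' | tail -n 1)
    case "$line" in
        "")
            echo "FAIL: no TLS verification result (port closed, or plain HTTP on 443?)"
            return 1 ;;
        *"return code: 0 "*)
            echo "OK: chain trusted and certificate matches $CF_HOSTNAME"
            return 0 ;;
        *)
            # e.g. "18 (self signed certificate)" or "62 (hostname mismatch)":
            # an origin answering like this is what Full (Strict) mode rejects.
            echo "FAIL: ${line#*code: }"
            return 1 ;;
    esac
}

# Connect to one origin IP the way the proxy will: SNI and hostname
# verification use the public name, not the server's own name.
check_origin() {
    out=$(printf '' | openssl s_client -connect "$1:443" \
          -servername "$CF_HOSTNAME" -verify_hostname "$CF_HOSTNAME" \
          -CAfile "$CA_FILE" 2>&1)
    printf '%s -> ' "$1"
    classify_s_client_output "$out"
}

# Usage: CF_POOL_ORIGINS="203.0.113.11 203.0.113.12" CF_HOSTNAME=www.example.com sh check.sh
# Nothing is contacted unless origins are given, so the file can be sourced safely.
failures=0
for ip in $CF_POOL_ORIGINS; do
    check_origin "$ip" || failures=$((failures + 1))
done
if [ -n "$CF_POOL_ORIGINS" ]; then
    echo "$failures origin(s) would be rejected in Full (Strict) mode"
fi
```

Any origin reported as FAIL needs a certificate for the public hostname from a CA in the bundle you chose before the pool is pointed at www; a cert only for server-one's own name will fail the hostname check even if it is otherwise valid.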