I originally had Cloudflare installed with an SSL from cPanel, so when I disable or pause Cloudflare my site is still secure and I get the lock next to the domain. However, I tried installing Cloudflare Origin SSL, and when I pause Cloudflare it says the certificate is not trusted.
My question is how do I know if my site is secure from Cloudflare to my server if I'm getting a non-trusted certificate when I disable Cloudflare?
Is it more secure to use the cPanel SSL or Cloudflare Origin SSL?
I noticed that if I'm using the Cloudflare one it allows me to select Full (strict), which seems more secure.
Origin certificates are only trusted by Cloudflare, not by browsers. If you keep your records always proxied, you can keep the Origin certificate; otherwise you should configure a publicly accepted one, such as Let's Encrypt.
Had a similar problem myself. Been running Cloudflare Origin certs for a few months - plus HSTS preloaded on the Chrome browser list. Everything running smoothly on 10 sites.
Then Thursday evening I log into cPanel and it says "domain not pointing" on my primary domain. When I enquire, support says that the IPs were updated and I'm still on the old ones. Flush your DNS settings and tick the two boxes to keep the same settings.
Longest two boxes I’ve ever ticked.
So initially I’m thinking DNS issue - not a certificate issue. Eventually I got to the bottom of it, deleted all the origin certs and installed the Let’s Encrypt from Hostinger.
My question is why has it been okay up till now if browsers don’t accept them? Especially when my sites are hard coded into the browser?
Would also like to point out that people are wrongly saying that it's only for the origin because they call it an origin certificate - but it actually encrypts from end to end - so browsers do support it.
If your site is in Cloudflare then the users are seeing a valid certificate delivered from the Cloudflare edge, and Cloudflare is seeing your Cloudflare Origin cert. Users are not connecting to your origin, so never see the Cloudflare Origin cert.
Hi Michael, that's exactly how I understood it… initially. But the diagram explains it as if it's one single connection regardless of whether you're running Full or Strict SSL. The only difference, it seems, is that the strict certs are named individually whereas the Let's Encrypt ones are universal.
Also they’re both installed on the origin so that’s misleading anyway, surely?
Maybe the diagram is to simplify it for the website?
And the origin certs aren’t as strong cryptographically, I don’t think. Roughly half the size.
When I first installed it at Hostinger, both certs showed at first. Then it only started showing the Cloudflare cert.
They have been working for at least 4 months up until two days ago.
Seems strange that all of a sudden they were flagged on every browser?
Thanks for your help.
It is definitely not a single connection. There is a TLS connection from Browser to CF, then a separate connection from CF to your Origin. From the documentation:
Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.
The default origin RSA cert has a key length of 2048, which is the current norm. You can upload a CSR specifying a longer key length.
You say you or your provider made changes to certificates and/or IP addresses last Thursday. It is likely that that change was the cause of the error messages you saw.