CloudFlare Origin SSL with Full (Strict) SSL option - multiple websites/domains on the same server?

I just wonder, for example:
a) if one Cloudflare account has successfully added approx. 35-40 websites (more or less)
b) if this user plans to switch from the “Flexible SSL” to the “Full (Strict) SSL” option, using the option to create a Cloudflare Origin certificate and also adding the Cloudflare Origin CA root cert just in case
c) all the websites/domains are on the same server

Meaning that for each website the certificate would need to be downloaded from the Cloudflare dashboard and uploaded to the server?

  • creating and installing an Origin CA certificate, and also adding the Cloudflare Origin CA root cert just in case …

Moreover, the user would have as many Cloudflare SSL certificates as he has websites/domains added to Cloudflare, am I correct?

  • if one Cloudflare account has successfully added approx. 35-40 websites (more or less) to its CF dashboard …

How is this done in practice?
Should the user save all the SSL certificates in one directory on, for example, a Linux server, and then just set up Apache or Nginx to serve the websites on port 443 (virtual hosts, etc.)?

  • assuming it is already working only on port 80, due to the use of the “Flexible SSL” option until now …

Of course, the naming of the SSL certificates should also be considered for easier maintenance and organization, right?

  • all the websites / domains are on the same server …

Nevertheless, for how many years should the Cloudflare Origin certificate be set up/valid in that case, when generating one for each website/domain in the Cloudflare account’s dashboard?

  • 15 years (more or less?) …

Thank you for any kind of information and help provided!
Hope it will be useful for other people in that case too.

Using the already published tutorial to gain “end-to-end”:

My eyes glazed over a bit on that one.

From the Cloudflare end, every zone is independent. How you want to configure your server is up to you.

15 years? That’s what I go with. I can delete the cert from my server and Cloudflare whenever I want if necessary.

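The reply above leaves the server layout to the admin. As an added example (not from the thread or from Cloudflare), here is one way to do it for a batch of zones on one Linux host: keep each zone's Origin CA certificate and key under a single directory with a fixed naming convention, check the pair before use, and generate one nginx server block per zone. The directory, the site roots and the config path are assumptions. Only port 443 matters for Full (Strict): an Origin CA certificate is trusted by Cloudflare's edge and by nothing else, so browsers hitting the origin directly will see an error regardless.

```shell
#!/bin/sh
# Added example; not from the thread or from Cloudflare. Generates one nginx
# server block per zone from a plain zone list, assuming this naming convention
# for the per-zone Cloudflare Origin CA files (all paths are hypothetical):
#   $CERT_DIR/<zone>.pem  certificate PEM copied from the dashboard
#   $CERT_DIR/<zone>.key  private key shown once when the cert was generated
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/cloudflare}"
SITES_DIR="${SITES_DIR:-/etc/nginx/conf.d}"

cert_path() { printf '%s/%s.pem' "$CERT_DIR" "$1"; }
key_path()  { printf '%s/%s.key' "$CERT_DIR" "$1"; }

# check_pair ZONE: both files exist and the key is readable by its owner only.
# The key stays valid for the whole certificate lifetime (15 years if chosen),
# so a group/world-readable copy on a shared host is the thing to catch here.
check_pair() {
  zone="$1"
  [ -f "$(cert_path "$zone")" ] || { echo "missing certificate for $zone" >&2; return 1; }
  [ -f "$(key_path "$zone")" ]  || { echo "missing key for $zone" >&2; return 1; }
  perms="$(ls -l "$(key_path "$zone")" | cut -c5-10)"
  [ "$perms" = "------" ] || { echo "key for $zone is group/world readable" >&2; return 1; }
}

# vhost_block ZONE: print an nginx server block serving ZONE and www.ZONE on 443.
vhost_block() {
  zone="$1"
  cat <<EOF
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${zone} www.${zone};

    ssl_certificate     $(cert_path "$zone");
    ssl_certificate_key $(key_path "$zone");
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/${zone}/public;
    index index.html;
}
EOF
}

# generate ZONE_LIST_FILE: one zone per line; writes $SITES_DIR/<zone>.conf only
# for zones whose cert/key pair passes check_pair, then tests and reloads nginx.
generate() {
  while IFS= read -r zone; do
    [ -n "$zone" ] || continue
    check_pair "$zone" || continue
    vhost_block "$zone" > "$SITES_DIR/$zone.conf"
    echo "wrote $SITES_DIR/$zone.conf"
  done < "$1"
  nginx -t && nginx -s reload
}

# Usage: sh gen-vhosts.sh zones.txt   (does nothing when called without a file)
if [ -n "${1:-}" ]; then generate "$1"; fi
```

A zone whose key is missing or too permissive is skipped and reported rather than written into the config, so one bad upload does not take the other 30-odd sites down on reload.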

Yes, that was the kind of information I was wondering about.

Right, each domain with a separate origin certificate created in the CF dashboard for the specified domain - that is how it is and should be, for sure.

Thank you

One thing you can do if you are using Cloudflare Origin certificates is to create one certificate that covers all the needed hostnames on the origin. Provided all the domains are on the same account, you can type in a list when creating the Origin certificate, and you get one certificate with all the hostnames listed as SANs.

According to the documentation, an ACME endpoint is on the way, at which point you could use standard tools like acme.sh to manage the Origin cert issuance.

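The single-certificate route above can also be scripted instead of typing the hostname list into the dashboard. This is an added example, not from the thread or from Cloudflare: it generates the key and a CSR locally with the zone and www hostnames as SANs, then submits the CSR to the Origin CA API (`POST /client/v4/certificates`, authenticated with the account's Origin CA Key). The 15-year option is 5475 days in the API. The environment variable name and output directory are assumptions; the hostnames in the request body and the SANs in the CSR are kept identical.

```shell
#!/bin/sh
# Added example; not from the thread or from Cloudflare. Issues ONE Cloudflare
# Origin CA certificate covering several zones (zone and www.zone each) by
# generating the key and CSR locally and submitting the CSR to the Origin CA
# API. Assumed: all zones are in the same Cloudflare account, and the Origin CA
# Key from the dashboard is in $CF_ORIGIN_CA_KEY. Output paths are hypothetical.
set -eu

OUT_DIR="${OUT_DIR:-/etc/ssl/cloudflare}"
VALIDITY_DAYS="${VALIDITY_DAYS:-5475}"   # 15 years, the longest option offered

# san_list ZONE...: "DNS:z,DNS:www.z,..." for openssl's subjectAltName
san_list() {
  out=""
  for z in "$@"; do
    for h in "$z" "www.$z"; do
      out="${out:+$out,}DNS:$h"
    done
  done
  printf '%s' "$out"
}

# hostnames_json ZONE...: JSON array of the same hostnames for the API body
hostnames_json() {
  out=""
  for z in "$@"; do
    for h in "$z" "www.$z"; do
      out="${out:+$out,}\"$h\""
    done
  done
  printf '[%s]' "$out"
}

# pem_to_json_string FILE: file contents with newlines escaped, quoted for JSON
pem_to_json_string() {
  printf '"%s"' "$(awk '{printf "%s\\n", $0}' "$1")"
}

# request_body CSR_FILE ZONE...: the JSON body the Origin CA API expects
request_body() {
  csr="$1"; shift
  printf '{"hostnames":%s,"requested_validity":%s,"request_type":"origin-rsa","csr":%s}' \
    "$(hostnames_json "$@")" "$VALIDITY_DAYS" "$(pem_to_json_string "$csr")"
}

# issue NAME ZONE...: key + CSR + API call; writes $OUT_DIR/NAME.key and NAME.pem
issue() {
  name="$1"; shift
  key="$OUT_DIR/$name.key"; csr="$OUT_DIR/$name.csr"
  ( umask 077; openssl genrsa -out "$key" 2048 )          # key never leaves the host
  openssl req -new -key "$key" -subj "/CN=$1" \
    -addext "subjectAltName=$(san_list "$@")" -out "$csr"
  request_body "$csr" "$@" > "$OUT_DIR/$name.req.json"
  curl -sS -X POST https://api.cloudflare.com/client/v4/certificates \
    -H "X-Auth-User-Service-Key: $CF_ORIGIN_CA_KEY" \
    -H 'Content-Type: application/json' \
    --data @"$OUT_DIR/$name.req.json" > "$OUT_DIR/$name.resp.json"
  # Pull result.certificate out of the response without jq and unescape it.
  printf '%b' "$(sed -n 's/.*"certificate":"\([^"]*\)".*/\1/p' "$OUT_DIR/$name.resp.json" \
    | sed 's#\\/#/#g')" > "$OUT_DIR/$name.pem"
  grep -q 'BEGIN CERTIFICATE' "$OUT_DIR/$name.pem" || { cat "$OUT_DIR/$name.resp.json" >&2; return 1; }
  echo "issued $OUT_DIR/$name.pem for: $(san_list "$@")"
}

# Usage: sh origin-ca-san.sh shared example.com example.net example.org
if [ $# -ge 2 ]; then issue "$@"; fi
```

With one certificate for all zones, every nginx server block points at the same `shared.pem`/`shared.key` pair; the trade-off is that revoking it in the dashboard takes all sites down at once, where one cert per zone lets you revoke individually.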

Good point there!

I also saw situations where there are 20-25 websites pointed at the same server.

Most of them are using Let’s Encrypt, but only for their “mail” A record, which is like mail.example.com, mail.example.net, mail.example.org, and these A records are “gray cloud”.

Regarding that, they use LE only for mail (SSL/TLS, DNSSEC/TLSA/DANE, etc.), but not for @ and WWW - currently having the “Flexible SSL” mode for website access.

So, they are not using an LE certificate for the @ and WWW A records because of:

  1. The security setup on the web server (for example Nginx rules that block ACME, /.well-known/, dot files, etc.), which all needs to be disabled before the renewal process happens and enabled again when it successfully finishes

  2. All the domains containing @ and WWW on one Cloudflare account (or multiple) would need to be put in “gray cloud”, have their cache purged and be put in “development mode” before the renewal process happens, and then back to “orange cloud” with “development mode” off after the renewal finishes successfully

  3. Putting at least two hostnames per domain, for example for 35 websites, would be like 2x35 = 70 SANs in one certificate - which I guess is fine, but I do not know what the Let’s Encrypt limit is? 100?

  4. The renewal process via TXT record would also be painful if it does not pass somehow, or if DNSSEC fails somewhere for only one domain/hostname

Well, at least some of the work could be done via the Cloudflare API?
Or bypass the ACME checks via a Page Rule on Cloudflare to make the renewal request and the whole process easier?
Does anyone have ideas on what a user who maintains all that should do, and in which way?

Thank you!
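On the API question in the post above: the DNS-01 challenge completes entirely through DNS, so nothing under /.well-known/ is ever requested from the web server and the @ and WWW records can stay proxied during renewal; the TXT record it needs is `_acme-challenge.<name>`, which acme.sh's `dns_cf` hook creates and removes through the Cloudflare API. (Let's Encrypt allows 100 names per certificate, so 70 SANs would fit, but one certificate per zone avoids the question.) As an added example, not from the thread, acme.sh or Cloudflare, the script below issues one ECDSA certificate per zone for @ and www that way. It assumes acme.sh is installed, that a token scoped to DNS edit for these zones is in `CF_Token` with the account id in `CF_Account_ID` (the variable names the hook reads), and hypothetical paths for the zone list and certificate directory.

```shell
#!/bin/sh
# Added example; not from the thread, acme.sh or Cloudflare. Issues a Let's
# Encrypt certificate per zone for @ and www with the DNS-01 challenge through
# acme.sh's dns_cf hook, so no /.well-known path is served and the records can
# stay proxied. Assumed: acme.sh is installed; CF_Token (DNS edit scope for the
# zones) and CF_Account_ID are exported; CERT_DIR and the zone list are hypothetical.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/letsencrypt}"
MAX_NAMES=100   # Let's Encrypt's per-certificate limit on names

# domain_args ZONE...: "-d z -d www.z ..." as acme.sh expects
domain_args() {
  out=""
  for z in "$@"; do
    out="${out:+$out }-d $z -d www.$z"
  done
  printf '%s' "$out"
}

# name_count ZONE...: how many names these zones would put in ONE certificate
name_count() { echo $(( $# * 2 )); }

# check_name_limit ZONE...: fail if a single cert for all zones would exceed
# the limit. The per-zone loop below never gets near it (2 names each).
check_name_limit() {
  n="$(name_count "$@")"
  [ "$n" -le "$MAX_NAMES" ] || { echo "$n names exceed the $MAX_NAMES-name limit" >&2; return 1; }
}

# issue_zone ZONE: one ECDSA cert for ZONE and www.ZONE, installed for nginx.
# acme.sh records the CA and the dns_cf settings for the renewal cron it installs.
issue_zone() {
  zone="$1"
  # word splitting of domain_args output is intended
  acme.sh --issue --dns dns_cf --server letsencrypt --keylength ec-256 \
    $(domain_args "$zone")
  acme.sh --install-cert --ecc -d "$zone" \
    --key-file "$CERT_DIR/$zone.key" \
    --fullchain-file "$CERT_DIR/$zone.pem" \
    --reloadcmd "nginx -s reload"
}

# issue_all ZONE_LIST_FILE: one zone per line; a failure in one zone (API,
# DNSSEC, rate limit) is reported and the loop moves on to the next zone.
issue_all() {
  while IFS= read -r zone; do
    [ -n "$zone" ] || continue
    issue_zone "$zone" || echo "FAILED: $zone" >&2
  done < "$1"
}

# Usage: CF_Token=... CF_Account_ID=... sh le-dns01.sh zones.txt
if [ -n "${1:-}" ]; then issue_all "$1"; fi
```

Because each zone gets its own certificate, a DNSSEC or API problem in one zone fails only that zone's run, which is the point 4 concern above; the other zones renew on their own schedule.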
