I just wonder for example:
a) if one Cloudflare account has successfully added approx. 35-40 websites (more or less)
b) if this user plans to switch from the “Flexible SSL” to the “Full (Strict) SSL” option, using the option to create a Cloudflare Origin SSL certificate and also adding the Cloudflare Origin CA root cert just in case
c) all the websites / domains are on the same server
Meaning that, for each website, the certificate would need to be downloaded from the Cloudflare dashboard and uploaded to the server?
creating and installing an Origin CA certificate and also adding the Cloudflare Origin CA root cert just in case …
Moreover, the user would have as many Cloudflare SSL certificates as websites/domains added to Cloudflare, am I correct?
if one Cloudflare account has successfully added approx. 35-40 websites to its CF account dashboard (more or less) …
How is this done in practice?
Should the user save all the SSL certificates in one directory on, for example, a Linux server, and then just set up Apache or Nginx to serve the websites on 443 (virtual hosts, etc.)?
assuming it currently works only on 80 because the “Flexible SSL” option has been used until now …
Of course, the naming of the SSL certificates should also be considered for better maintenance and organization, right?
all the websites / domains are on the same server …
Nevertheless, for how many years should the Cloudflare Origin SSL certificate be valid in that case, when generating one for each website / domain in the Cloudflare account’s dashboard?
15 years (more or less?) …
Thank you for any kind of information and provided help!
Hope it will be useful for other people too in that case.
One thing you can do if you are using Cloudflare Origin certificates is to create one certificate that covers all the needed hostnames on the origin. Provided all the domains are on the same account, you can type in a list when creating the Origin certificate, and you get one certificate with all the hostnames listed as SANs.
According to the documentation, an ACME endpoint is on the way, at which point you could use standard tools like acme.sh to manage the Origin cert issuance.
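The approach the reply above describes (one Origin CA certificate that carries every hostname as a SAN, shared by all the virtual hosts on the origin), worked through as an added example; this is not code from the thread, from the poster, or from Cloudflare. It assumes a domains.txt with one apex domain per line, a certificate directory of /etc/ssl/cloudflare, nginx server blocks under /etc/nginx/conf.d, web roots under /var/www, and an Origin CA Key in the CF_ORIGIN_CA_KEY environment variable; the endpoint, header and field names are the ones Cloudflare documents for the Origin CA API (POST /client/v4/certificates, X-Auth-User-Service-Key, hostnames, requested_validity, request_type, csr), so check them against the current docs before relying on them. Nothing contacts the network unless main is run with a domain list.

```shell
#!/bin/sh
# Added example (not code from the thread): issue ONE Cloudflare Origin CA
# certificate whose SAN list covers apex + www of every site on a shared
# origin, then write one nginx server block per site, all pointing at that
# single certificate/key pair.
#
# Assumptions (mine, not the poster's setup): domains.txt holds one apex
# domain per line; certs live in $CERT_DIR; the API call is
# POST /client/v4/certificates as documented by Cloudflare, authenticated
# with an Origin CA Key in X-Auth-User-Service-Key; curl, jq and
# OpenSSL >= 1.1.1 (for -addext) are installed.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/cloudflare}"
VHOST_DIR="${VHOST_DIR:-/etc/nginx/conf.d}"
WEBROOT="${WEBROOT:-/var/www}"
CF_API="https://api.cloudflare.com/client/v4/certificates"
VALIDITY_DAYS=5475   # the dashboard's "15 years" option; 7/30/90/365/730/1095 also accepted

# Expand each apex domain into two hostnames (apex and www), one per line.
# 35 domains -> 70 hostnames, i.e. the 2x35 the poster counted.
build_hostnames() {
  awk 'NF { print $0; print "www." $0 }' "$1"
}

# Private key + CSR carrying every hostname as a SAN. The Origin CA issues for
# the "hostnames" field of the API request, but a complete CSR keeps the
# request self-describing and lets you inspect it with: openssl req -text
make_csr() {
  hosts_file=$1; key_out=$2; csr_out=$3
  san=$(awk '{ printf "%sDNS:%s", (NR > 1 ? "," : ""), $0 }' "$hosts_file")
  cn=$(head -n 1 "$hosts_file")
  # subshell so the restrictive umask (key file becomes 0600) does not leak
  (umask 077; openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$key_out" -out "$csr_out" \
      -subj "/CN=$cn" -addext "subjectAltName=$san")
}

# JSON body for the "create certificate" call. The PEM must be a single JSON
# string, so its line breaks become literal \n sequences.
build_payload() {
  hosts_file=$1; csr_file=$2
  hosts=$(awk '{ printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }' "$hosts_file")
  csr=$(awk '{ printf "%s\\n", $0 }' "$csr_file")
  printf '{"hostnames":[%s],"requested_validity":%s,"request_type":"origin-rsa","csr":"%s"}\n' \
    "$hosts" "$VALIDITY_DAYS" "$csr"
}

# Submit the CSR; Cloudflare returns the PEM in result.certificate.
request_origin_cert() {
  payload_file=$1; cert_out=$2
  : "${CF_ORIGIN_CA_KEY:?set CF_ORIGIN_CA_KEY to an Origin CA Key from the dashboard}"
  curl -fsS -X POST "$CF_API" \
    -H "X-Auth-User-Service-Key: $CF_ORIGIN_CA_KEY" \
    -H 'Content-Type: application/json' \
    --data @"$payload_file" | jq -r '.result.certificate' > "$cert_out"
}

# One server block per site; every block references the same certificate/key.
# Existing port-80 blocks can stay until the dashboard is switched from
# Flexible to Full (Strict), after which Cloudflare connects to 443 only.
write_vhost() {
  domain=$1; conf_out=$2
  cat > "$conf_out" <<EOF
server {
    listen 443 ssl;
    server_name $domain www.$domain;
    ssl_certificate     $CERT_DIR/origin.pem;
    ssl_certificate_key $CERT_DIR/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    root $WEBROOT/$domain;
}
EOF
}

main() {
  list=$1
  mkdir -p "$CERT_DIR" "$VHOST_DIR"
  build_hostnames "$list" > "$CERT_DIR/hostnames.txt"
  make_csr "$CERT_DIR/hostnames.txt" "$CERT_DIR/origin.key" "$CERT_DIR/origin.csr"
  build_payload "$CERT_DIR/hostnames.txt" "$CERT_DIR/origin.csr" > "$CERT_DIR/request.json"
  request_origin_cert "$CERT_DIR/request.json" "$CERT_DIR/origin.pem"
  while IFS= read -r d; do
    if [ -n "$d" ]; then write_vhost "$d" "$VHOST_DIR/$d.conf"; fi
  done < "$list"
  echo "one certificate for $(wc -l < "$CERT_DIR/hostnames.txt") hostnames; next: nginx -t && nginx -s reload"
}

# Runs end to end only when given a domain list: ./origin-cert.sh domains.txt
if [ $# -gt 0 ]; then main "$1"; fi
```

Two caveats worth keeping in mind with this layout: an Origin CA certificate is trusted only by Cloudflare, so anyone reaching the origin directly (or with the zone grey-clouded) will see an untrusted certificate, which is expected and is also why Full (Strict) should be switched on only after the 443 blocks are verified through the proxy; and a single 15-year certificate means a single private key protecting every site for 15 years, so keep the key file 0600 and treat a compromise of that host as a compromise of all the hostnames in the SAN list (the dashboard lets you revoke and reissue).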
Regarding that, they use LE only for mail (SSL/TLS, DNSSEC/TLSA/DANE, etc.), but not for @ and WWW; the “Flexible SSL” mode is currently used for website access.
So, an LE certificate is not used for the A @ and WWW records because of:
The security setup on the web server (for example Nginx rules that block ACME, /.well-known/, dot files, etc.), which all needs to be disabled before the renewal process runs and enabled again when it successfully finishes
All the domains containing @ and WWW on one Cloudflare account (or multiple) would need to be put in the “gray cloud”, have their cache purged, and be put in “development mode” before the renewal process runs, and then set back to “orange cloud” with “development mode” off after the renewal successfully finishes
Putting at least two hostnames per domain, for example for 35 websites, would be like 2x35 = 70 SANs in one certificate, which I guess is fine, but I do not know what the limit of Let’s Encrypt is. 100?
The renewal process via TXT record would also be painful if it does not pass somehow, or if DNSSEC fails somewhere for only one domain/hostname
Well, at least some of the work could be done via the Cloudflare API? Or bypass ACME via a Page Rule on Cloudflare to make the renewal request and the whole process easier?
Does anyone have some ideas, or what should a user who maintains all that do, and in which way?