Cloudflare SSL certificate not in use but all features work?

Hi @golivenow,

That site is using Cloudflare, as you say. Cloudflare uses multiple different Certificate Authorities including Let’s Encrypt. You can check which you’re getting under SSL/TLS → Edge Certificates and customise the behaviour with the paid ACM add-on. It all seems to be working OK, though!

1 Like

Thanks for the quick reply! Yes, we have the Let’s Encrypt SSL certifcate created by Siteground within their Managed WordPress Hosting product. This is working fine as tested before we introduced CF. With Strict don’t we have to add something from Cloudflare to our server or is just an SSL at both ends enough for strict?

Nope, nothing at all. It just makes your site actually secure because right now anybody could intercept your connection as Cloudflare does not validate anything.

For the rest, what @domjh wrote :slight_smile:

1 Like

Is that possible? I’ve used Cloudflare on so many sites and every time I test using this checker: SSL Checker

It always displays this below, I’ve never once seen it display anything else.

I checked under Edge Certificates and you were right - it’s Let’s Encrypt. I check a handful of other sites we manage in the account and none of them mention a Certificate Authority.

It was the combined fact that Siteground use Let’s Encrypt and I’d never seen Cloudflare do so that led to me challenging it.

Solved!

1 Like

Thank you for this, that’s really useful to know! Just so I’m clear, why would anyone ever use Full?

The article addresses that

Ok thanks but why does it even exist if it’s of no use and you get the SSL warning? What scenarios are there where Full is suitable? Thanks again for the help :slight_smile:

Did you read the article?

Yes but I guess I’m unsure why Cloudflare would offer to ‘front sites and feign a valid HTTPS connection’. Why not jump from flexible straight to Full Strict. Perhaps if you could describe a real world use where Full is the best/only option for a website (and Full Strict would not work) then I would understand why they have it as an option. Thanks

It is not a good option, but people use it with a self-signed or expired certificate on the server. It should just be replaced by a valid one to use Full Strict and shouldn’t ever be the only option. For any site that needs HTTPS, it should be available from the origin with Full Strict.

Because it’s a nice marketing stunt and allows them to offer free SSL when there’s actually no encryption at all in the background, but the visitors will never find out about it.

It’s actually quite a security issue and millions of sites on Cloudflare use those settings without us having any idea which sites exactly are insecure but we do not need to expect a fix any time soon.

More sites are still on HTTP than we actually know.

In the real world, there are only two options: Off, and On. Anything else would throw a browser warning. Then you’ve got “black market” (flexible) and “grey market” (full/not strict). Where do you prefer to shop?

2 Likes

So it’s for users that have self signed or it could keep your website still using SSL in the browser (cosmetically) should your certificate expire. Ok understood, thank you :+1:

Should this happen, the certificate should simply be renewed, but unfortunately that is where it is used, yes.

1 Like

Self-signed or expired? Replace it with a Cloudflare origin cert.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

3 Likes

Bluntly put, it’s for users who can’t be bothered to take the ten minutes and configure a proper certificate and don’t really care if they deceive their visitors or not.

Cloudflare opened a huge can of worms with these modes and undid a lot of what domain registries and browser vendors were trying to establish with SSL requirements.

1 Like

I’d be interested to hear someone from Cloudflare comment on this thread - a chance to offer some explanation and/or reasoning to the comments made.

What explanation or reasoning would you expect apart from what was mentioned already?

I’m just saying that perhaps someone who works at Cloudflare thinks differently about these comments. While not disregarding your helpful advice and points, it’s important to hear it from both sides :slight_smile:

That was my question, what other explanations or reasoning would you imagine?

The whole thing is to allow site owners to feign a secure site when they actually do not have a valid certificate nor encryption.