Cloudflare SSL not being applied

I have a subdomain and hosting set up with a 3rd-party. In my Cloudflare DNS settings, I have my A record set as cms and the corresponding IP of the host with the proxied setting enabled. I assume now Cloudflare’s SSL will be used instead of the web host? BTW, I also have Cloudflare’s Full (strict) SSL option enabled.

However, Cloudflare’s SSL is not being applied.

Instead of seeing my site, cms.mysite.com, I get Cloudflare’s page: Invalid SSL certificate, error 526.

What am I doing wrong? Do I always need a valid SSL with the origin host server even if I want to use Cloudflare’s SSL?

Cloudflare’s certificate is used to encrypt the connection between Cloudflare and the client.

To encrypt the connection between your Origin and Cloudflare, your Origin still needs a valid certificate (or a Cloudflare Origin certificate).

1 Like

I noticed when I changed from Full (strict) to just Full, it applied Cloudflare’s SSL.

Full is an unsafe mode that simply ignores that the certificate on your Origin is invalid and uses it anyway. You should only ever use Full (strict).

1 Like
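An added diagnostic, not code from any post in this thread, that connects straight to the origin IP with the site's hostname as SNI (bypassing the Cloudflare proxy) and reports what Full (strict) and Full would each make of the origin certificate; the hostname and origin IP are placeholder values to replace with your own.

```python
#!/usr/bin/env python3
"""Probe an origin the way Cloudflare's SSL modes would see it."""
import socket
import ssl

# Constructed placeholders: the proxied hostname and the origin IP from the A record.
HOSTNAME = "cms.example.com"
ORIGIN_IP = "203.0.113.10"
PORT = 443


def strict_context() -> ssl.SSLContext:
    """Mirror Full (strict): chain must be trusted, unexpired and match the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def full_context() -> ssl.SSLContext:
    """Mirror Full: encrypt, but accept any certificate (self-signed, expired, wrong name)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(exc: BaseException) -> str:
    """Map a handshake failure to the Cloudflare error a Full (strict) visitor would see."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "526 Invalid SSL certificate: origin cert untrusted, expired or name mismatch"
    if isinstance(exc, ssl.SSLError):
        return "525 SSL handshake failed: origin does not complete a TLS handshake"
    return "522/connection error: origin unreachable on this port"


def probe(ctx: ssl.SSLContext, hostname=HOSTNAME, ip=ORIGIN_IP, port=PORT, timeout=5.0) -> str:
    """Open a TLS connection to ip:port with SNI=hostname under the given validation policy."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()   # empty dict under CERT_NONE: nothing was verified
                if not cert:
                    return "connected, certificate accepted without verification"
                return f"OK: verified certificate, expires {cert.get('notAfter', '?')}"
    except (OSError, ssl.SSLError) as exc:
        return classify(exc)


if __name__ == "__main__":
    print("Full (strict):", probe(strict_context()))
    print("Full:         ", probe(full_context()))
```

If the strict probe reports 526 while the Full probe connects, the origin certificate itself is the problem, which is exactly the case Full (strict) is designed to refuse.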

Thank you! Will do. The origin host says it can take up to 24hrs to apply their Positive SSL.

You can use an Origin Certificate from Cloudflare if your connection is proxied. It lasts up to 15 years and has basically no downsides as long as you only use it for websites proxied by Cloudflare.

Cloudflare can sometimes interfere with the HTTP ACME challenge that is performed to acquire a certificate on your Origin, so if that doesn’t work you know why :wink:

1 Like

Much appreciated!

Certbot now has a plugin that uses your Cloudflare token (or the global key, not recommended) to automatically create, then delete, TXT records using the API so you can use the DNS method to get certificates. I just use a script like this to thrash through all the origin certificate generation or renewal now. (10 seconds per domain is fine on my paid accounts, I increase to 60 seconds on free accounts for reliability).

#!/bin/sh

# Wildcard domains for general and internal use
# (the wildcard is quoted so the shell does not expand it as a file glob)
certbot --dns-cloudflare --dns-cloudflare-propagation-seconds 10 --dns-cloudflare-credentials ./cloudflare-credentials.txt --preferred-challenges dns certonly -d example.com -d '*.example.com'

# Specific certificates for named domains
certbot --dns-cloudflare --dns-cloudflare-propagation-seconds 10 --dns-cloudflare-credentials ./cloudflare-credentials.txt --preferred-challenges dns certonly -d www.example.com
certbot --dns-cloudflare --dns-cloudflare-propagation-seconds 10 --dns-cloudflare-credentials ./cloudflare-credentials.txt --preferred-challenges dns certonly -d blog.example.com
...

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

1 Like

I’m also using the certbot-dns-cloudflare plugin, but that’s not very practical as a recommendation for most managed hosting environments where you cannot run arbitrary software :wink:

But I’m doing pretty much the same as you for adding domains. Never had a problem with the 10 seconds so far.

certbot certonly -a dns-cloudflare \
--cert-name domain.tld \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflareapi.conf \
--dns-cloudflare-propagation-seconds 10 \
-d domain.tld,\*.domain.tld \
--preferred-challenges dns-01

And that’s the cronjob I run daily for renewal:

0 10 * * * /usr/local/bin/certbot renew --post-hook "systemctl reload apache2 postfix dovecot" > /var/log/certbot.log 2>&1

But that is probably getting a bit… semi-off topic :sweat_smile:

1 Like

Certbot DNS doesn’t need to run on the machine doing the hosting, that’s its main advantage over HTTP methods. You can run it on any machine and then just upload the certificate files as normal. We have a cluster of machines, so we generate/update the certs on a central management machine and then rsync them out to the origins.

10 seconds gives us about 10% failures on a free account but on an Enterprise account we can run at < 5 seconds without problems.

True, but useful for someone hopefully!
