Cloudflare universal certificate and HTTPS question (AWS ELB)

My web server is an AWS EC2 instance behind a network load balancer (ELB). I’m managing my DNS using cloudflare.
Configuration Description

  • “Always Use HTTPS” setting turned on.
  • The ELB on AWS is configured to listen on port 443 using another wildcard certificate (*.development.mydomain.com), issued by AWS
  • The CNAME records on Cloudflare DNS have been updated

The URL I’m trying to reach is a second level subdomain
(myapp.development.mydomain.com)

Questions

  1. I can reach https://myapp.development.mydomain.com but I get no response when I try to reach http://myapp.development.mydomain.com. With Always Use HTTPS, shouldn’t the http be automatically redirected as https by Cloudflare?

     Cloudflare’s diagnostic test “Check if redirecting unencrypted HTTP traffic works” fails with the message “Your request failed because the web server did not respond.”

  2. When I use the https://myapp.development.mydomain.com site and look at the certificate issuer, it is AWS. I would have expected it to be Cloudflare. Am I doing something wrong here?

  3. The Universal certificate is only valid for 1 level of the subdomain. However I do see a secure :lock: icon despite the fact that I have not ordered an Advanced Certificate. Does this mean that I may have a security hole, since the documentation states:

> Universal SSL certificates only support SSL for the root or first-level subdomains such as example.com and www.example.com. To enable SSL support on second, third, and fourth level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:

Hoping someone can help me address these.

Thanks.

Is the DNS entry for myapp.development :grey:?

Purchasing an ACM certificate for *.development.mydomain.com is the simplest solution. On Enterprise plans you could also modify the host header to the origin.

Thanks @michael.

The entry for myapp.development is: [screenshot]

I did get an SSL certificate for *.development.mydomain.com from AWS and I have set it up on the ELB. I do see the :lock: icon in my browser with a certificate issued by AWS.

The redirection of http://myapplication.development.mydomain.com to its https://myapplication.development.mydomain.com is still not working despite the following selection

As the hostname is :grey:, none of the Cloudflare proxy features like Always Use HTTPS will have any effect.

You have lots of options here. One choice is:

Purchase an ACM cert to cover the name in use (as Universal will not cover the multi-level subdomain). Then ensure your SSL Mode is Full (Strict), either domain wide or for this specific hostname using a page rule. If it is not already Full (Strict) on the SSL/TLS tab of your dashboard you will need to be careful not to break any other hostnames in this zone. Then you can make the DNS entry :orange:.
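As an added example (not code from this thread or from Cloudflare), the following Python models the two points made above: a wildcard certificate name covers exactly one DNS label, so Cloudflare’s Universal *.mydomain.com cannot be valid for myapp.development.mydomain.com, and a :grey: record bypasses the edge entirely, so the browser sees the origin (ELB) certificate and Always Use HTTPS never runs. The hostnames are the thread’s example names; the SAN lists are constructed.

```python
from typing import Dict, Iterable, Union


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` is valid for `hostname`.

    Rules browsers apply (RFC 6125 section 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is allowed only as the complete leftmost label;
      * that '*' matches exactly one DNS label, never zero or several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial wildcards such as my*.example.com are rejected
    if len(p_labels) < 3:
        return False  # "*.com" would cover a whole TLD; not accepted
    # Same label count, and every label after the wildcard must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry of a certificate covers hostname."""
    return any(wildcard_covers(name, hostname) for name in san_names)


def edge_behaviour(proxied: bool, always_use_https: bool, hostname: str,
                   edge_sans: Iterable[str], origin_sans: Iterable[str]
                   ) -> Dict[str, Union[str, bool]]:
    """A :grey: (DNS-only) record sends the browser straight to the origin (the AWS
    ELB), so its certificate is what the browser validates and no Cloudflare feature
    runs; an :orange: (proxied) record terminates TLS at Cloudflare's edge with the
    edge certificate, and only then can Always Use HTTPS redirect port 80."""
    sans = list(edge_sans) if proxied else list(origin_sans)
    return {
        "presented_by": "cloudflare-edge" if proxied else "origin",
        "cert_valid_for_host": cert_covers(sans, hostname),
        "http_redirects_to_https": proxied and always_use_https,
    }


if __name__ == "__main__":
    # Constructed inputs using the thread's example names; the second call is the fixed state.
    host, acm = "myapp.development.mydomain.com", ["*.development.mydomain.com"]
    print(edge_behaviour(False, True, host, ["*.mydomain.com"], acm))  # :grey: as first reported
    print(edge_behaviour(True, True, host, ["*.mydomain.com"] + acm, acm))  # :orange: + ACM cert
```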

I purchased an advanced certificate to register *.development.mydomain.com

My SSL mode is set to FULL. Is changing to strict a pre-requisite to redirect http to https?
Also, should I delete the DNS entry that I have already created and re-create it after changing SSL mode to FULL (strict)? In other words, does the sequence matter?

If I’m interpreting correctly, just changing the DNS entry to proxied will also fix the http → https issue. Is that accurate?

Thanks for your responses @michael

No, technically the SSL Mode has no relationship to Always Use HTTPS.

In your setup, you already have a valid cert on the Origin, and no HTTP at all. The default mode of “Flexible” would break your setup. Full will work, but Strict is more secure and always recommended.

No and no. Sequence does not matter.

Sounds like just flicking to :orange: will do the trick.

Thanks @michael. Appreciate your assistance

It works as expected. The following is the summary for anyone who might run into a similar situation:

  • Added a certificate to cloudflare using Advanced certificate manager for *.development.mydomain.com
  • Always Use HTTPS set to true
  • Modified the DNS entry to use proxy
  • Added listener to AWS ELB to listen on port 443 with a certificate for *.development.mydomain.com