CommunityTip - Security FAQ Read Me First

Please Read Before Posting

Please review this post and the ones linked from it, and use the search icon in the top right to search for your issue. This Community Tip collects questions and answers for the most frequently asked questions about SSL/TLS; a search will reveal additional advice and insight.

Background
This Security FAQ covers Cloudflare Spectrum, Cloudflare Access, Free Universal SSL, edge certificates, self-signed certificates, origin certificates, TLS, HSTS, and anything else in the SSL/TLS app.

Dedicated SSL

Redirect loop
If you are using Flexible SSL mode (under the Overview tab of the Cloudflare SSL/TLS app) and you are also forcing HTTPS on your origin, this is the most likely cause of the issue. Flexible mode works by not encrypting traffic between Cloudflare and your origin: Cloudflare connects to the origin over plain HTTP. Because your origin forces HTTPS, it redirects that request to the HTTPS URL, which arrives at Cloudflare again, and Cloudflare again sends the same HTTP request to the origin, so an infinite loop occurs. This issue is discussed in this knowledge base guide – Why does Flexible SSL cause a redirect loop?

To fix this you have a few options:

Learn more about SSL in this Community Tutorial, Step 2: Setting up SSL with Cloudflare.

Subdomain too deep/Custom Certificates and Extended Validation Certificates
Once Cloudflare has successfully provisioned our “Universal SSL” certificate on your zone, please note that it covers only a single level of subdomains (*.example.com, not *.*.example.com):

  • Will work - www.example.com
  • Will work - example.com
  • Will work - test.example.com
  • Will NOT work - www.test.example.com
  • Will NOT work - staging.www.example.com
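The rule behind the list above is the one browsers apply to every certificate: a wildcard label matches exactly one DNS label and never a dot (RFC 6125, section 6.4.3). The following is an added example, not Cloudflare code, that implements that matching and reports the five hostnames from the list against a constructed Universal SSL name set of example.com plus *.example.com:

```python
"""Wildcard certificate name matching as browsers apply it (RFC 6125 6.4.3).
Added illustration, not Cloudflare's code; the name set below is constructed."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    A '*' may appear only as the whole left-most label, and it matches exactly
    one label, so '*.example.com' covers 'www.example.com' but not
    'www.test.example.com' (two labels) and not 'example.com' (zero labels).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a bare left-most wildcard is valid, and label counts must agree
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) != len(h_labels):
        return False
    # Reject over-broad wildcards such as '*.com'
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names, hostname: str) -> bool:
    """True if any Subject Alternative Name on the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


# Constructed stand-in for the names on a single-level Universal SSL certificate
UNIVERSAL_SSL_SANS = ["example.com", "*.example.com"]

# The five hostnames from the list above
CANDIDATES = [
    "www.example.com",
    "example.com",
    "test.example.com",
    "www.test.example.com",
    "staging.www.example.com",
]


def coverage_report(cert_names=UNIVERSAL_SSL_SANS, hostnames=CANDIDATES):
    """Return [(hostname, covered?)] for each candidate hostname."""
    return [(h, covered_by(cert_names, h)) for h in hostnames]


if __name__ == "__main__":
    for host, ok in coverage_report():
        print(f"{'Will work    ' if ok else 'Will NOT work'} - {host}")
```

A certificate that must also cover the deeper names would need *.test.example.com and *.www.example.com (or the exact hostnames) as additional names, which is what the multi-level option below provides.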

Should you need a certificate that covers multi-level subdomains, you can purchase a Dedicated SSL Certificate with Custom Hostnames and declare any multi-level subdomains during purchase.

If you would rather use your own certificate than a Universal SSL certificate that we provision, you will need to upgrade to our Business Plan and upload a Custom Certificate.

Please note that Cloudflare does not offer “Extended Validation” certificates at this time. If you wish to use one, you will need to purchase it separately and upload it to your Cloudflare account using the Custom SSL upload.

Optionally, purchase the Advanced Certificate Manager and create a dedicated certificate with a custom hostname.

Understanding Advanced Certificate Manager
Managing Dedicated SSL Certificates

Supported Clients (SNI-only)

Our SSL certificates on paid plans (Pro, Business and Enterprise) work with all desktop browsers, so if you are worried about compatibility or have many users with old browsers, upgrading to one of our paid plans is recommended.

Both Dedicated Certificates and Universal SSL use certificates with Elliptic Curve Digital Signature Algorithm (ECDSA) keys that are served only to clients sending Server Name Indication (SNI). SNI and ECDSA certificates work with the following modern browsers:

Desktop browsers installed on Windows Vista or OS X 10.6 or later:

  • Internet Explorer 7
  • Firefox 2
  • Opera 8 (with TLS 1.1 enabled)
  • Google Chrome v5.0.342.0
  • Safari 2.1

Mobile Browsers

  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7

Note that any API services or payment gateways communicating with your site must also support SNI and ECDSA in order to connect to your website through Cloudflare.

SSL Modes - SSL to the Origin

Cloudflare offers the following SSL modes:

  1. Flexible SSL: TLS is terminated at the Cloudflare edge servers. Everything between the visitor and Cloudflare is encrypted; the connection between Cloudflare and your origin is not. You do not need a certificate on your origin for this mode.
  2. Full SSL: TLS is terminated at the Cloudflare edge server, and the request is then encrypted again and sent to your origin over HTTPS. You need an SSL certificate installed on your server; a self-signed certificate is accepted in this mode.
  3. Full SSL (Strict): the same as Full SSL, but the origin certificate must be signed by a CA, such as GlobalSign. If you wish to enable Full (Strict), you can install a free Cloudflare origin certificate on your host.

A full overview of our SSL settings can be found here: https://support.cloudflare.com/hc/en-us/articles/200170416

Should you wish to use the Full or Full (Strict) configuration options, you will need to have a certificate on your origin web server.

If you use the Full (Strict) option, this SSL certificate must be valid and either signed by a Certificate Authority or issued by our Origin CA service.

Mixed Content Errors and Redirect Loops

If you notice the green padlock missing from your browser when connecting over HTTPS, it is most likely a mixed-content issue. Mixed content means that your page is loaded over HTTPS but some of its resources are loaded over HTTP. To fix this you will need to edit your source code and change all resources to load over a relative path or directly over HTTPS.

For example, if you load your images with a full URL:

<img src="http://example.com/image.jpg" />

You would want to change this to:

<img src="//example.com/image.jpg" />

By removing the http:, the browser uses whichever protocol the visitor is already using (a protocol-relative URL). See this article for more information. Alternatively, you can install a Mixed Content Fixer plugin, which should automatically replace http with https in these references. For WordPress, we have had success with the SSL Insecure Content Fixer plugin.

An alternative option is to enable the Automatic HTTPS Rewrites feature, which can potentially fix these errors for you automatically. Be aware that resources loaded by JavaScript or CSS are not rewritten, so mixed content warnings for those will still appear.
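To see what a fixer plugin or an HTML rewrite can and cannot reach, here is an added example (not the plugin's, not Automatic HTTPS Rewrites, not Cloudflare's code) that scans a constructed page for plain-HTTP sub-resource references, rewrites the ones in HTML attributes to the protocol-relative form shown above, and reports but leaves alone the URL inside an inline script, which is the case the caveat above describes:

```python
"""Mixed-content scanner and attribute rewriter for HTML.
Added illustration, not Cloudflare's or any plugin's code; SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser

# Tag -> attributes that fetch a sub-resource. <a href> is navigation, not mixed content.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "object": ("data",), "embed": ("src",),
}
INLINE_URL_RE = re.compile(r"http://[^\s'\"()<>]+")
TAG_RE = re.compile(r"<(?:" + "|".join(RESOURCE_ATTRS) + r")\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""((?:src|href|data|poster)\s*=\s*["']?)http://""", re.I)


class MixedContentScanner(HTMLParser):
    """Collects (where, url) for every plain-HTTP sub-resource reference found."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = None  # 'script' or 'style' while inside such an element

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and attr in RESOURCE_ATTRS.get(tag, ()) and value.lower().startswith("http://"):
                self.findings.append((f"<{tag} {attr}>", value))
        if tag in ("script", "style"):
            self._inline = tag

    def handle_endtag(self, tag):
        if tag == self._inline:
            self._inline = None

    def handle_data(self, data):
        # Script or CSS text: report only, since an attribute rewrite cannot reach it
        if self._inline:
            for m in INLINE_URL_RE.finditer(data):
                self.findings.append((f"inline <{self._inline}> (not rewritable)", m.group()))


def find_mixed_content(html: str):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def rewrite_attributes(html: str, scheme_relative: bool = True) -> str:
    """Rewrite http:// in resource attributes to // (protocol-relative) or https://."""
    prefix = "//" if scheme_relative else "https://"

    def fix_tag(match):
        return ATTR_RE.sub(lambda a: a.group(1) + prefix, match.group(0))

    return TAG_RE.sub(fix_tag, html)


# Constructed page: one stylesheet, one script and one image over HTTP,
# one script already on HTTPS, one inline fetch, and a plain navigation link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script>fetch("http://api.example.com/data");</script>
</head><body>
<img src="http://example.com/image.jpg" />
<a href="http://example.com/page">a plain link, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for where, url in find_mixed_content(SAMPLE_HTML):
        print(f"{where}: {url}")
    print(rewrite_attributes(SAMPLE_HTML))
```

Running the scanner again on the rewritten page leaves exactly one finding, the fetch() inside the inline script, which is why such references have to be changed in the source.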

These issues are most often associated with users of Cloudflare’s Flexible SSL service. You can check whether you are using Cloudflare’s SSL service in Full or Flexible mode by logging in to your Cloudflare dashboard, clicking on the Overview tab of the SSL/TLS app, and then heading down to the SSL setting.

Flexible SSL Users

Flexible mode works by not encrypting traffic between Cloudflare and your origin: Cloudflare requests pages from the origin over plain HTTP. Because your origin is forcing HTTPS, it redirects that request back to Cloudflare, where Cloudflare again sends the same HTTP request, so an infinite loop occurs. I was able to confirm your site is indeed enforcing an HTTPS redirect.

To fix this you have a few options:

Additionally, Cloudflare appends an X-Forwarded-Proto header, set to either http or https depending on the protocol the visitor used to reach the site, like this:

X-Forwarded-Proto: https

When Flexible SSL is set and a visitor connects to Cloudflare over HTTPS, Cloudflare connects to the origin over HTTP. In that scenario the origin server can tell that the visitor was using HTTPS by inspecting this header.
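The loop described in the Redirect loop section and the X-Forwarded-Proto fix described here can be played through without a real origin. The following added example (not Cloudflare's code; the edge model, the two origin handlers and the URLs are constructed) models a Flexible mode edge that always speaks HTTP to the origin, follows redirects like a browser, and compares a "force HTTPS" origin rule that looks only at its own connection with one that reads X-Forwarded-Proto. The second handler honours the header only when the request came from the trusted proxy, because a client connecting to the origin directly could otherwise send the header itself and skip the redirect:

```python
"""Model of the Flexible SSL redirect loop and the X-Forwarded-Proto fix.
Added illustration, not Cloudflare's code; edge, origins and URLs are constructed."""

MAX_HOPS = 5  # browsers give up after a small number of redirects


def _redirect_to_https(request):
    return {"status": 301, "location": "https://" + request["host"] + request["path"]}


def naive_origin(request):
    """'Force HTTPS' rule that looks only at the connection it sees.
    Under Flexible SSL that connection is always HTTP, so it always redirects."""
    if request["scheme"] == "http":
        return _redirect_to_https(request)
    return {"status": 200, "body": "ok"}


def header_aware_origin(request, from_trusted_proxy=True):
    """'Force HTTPS' rule that decides on the visitor's protocol as reported
    by the proxy. The header is honoured only for requests from the trusted
    proxy; otherwise the connection's own scheme is used."""
    forwarded = request["headers"].get("X-Forwarded-Proto") if from_trusted_proxy else None
    effective_scheme = forwarded or request["scheme"]
    if effective_scheme == "http":
        return _redirect_to_https(request)
    return {"status": 200, "body": "ok"}


def flexible_edge(visitor_scheme, host, path, origin):
    """Flexible mode edge: whatever the visitor used, the origin sees plain HTTP
    plus an X-Forwarded-Proto header carrying the visitor's scheme."""
    request = {
        "scheme": "http",
        "host": host,
        "path": path,
        "headers": {"Host": host, "X-Forwarded-Proto": visitor_scheme},
    }
    return origin(request)


def visit(url, origin, max_hops=MAX_HOPS):
    """Follow redirects like a browser. Returns (final status, redirects followed)."""
    hops = 0
    while True:
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        response = flexible_edge(scheme, host, "/" + path, origin)
        if response["status"] != 301:
            return response["status"], hops
        hops += 1
        if hops > max_hops:
            return "ERR_TOO_MANY_REDIRECTS", hops
        url = response["location"]


if __name__ == "__main__":
    print("naive origin, HTTPS visitor:       ", visit("https://example.com/", naive_origin))
    print("header-aware origin, HTTPS visitor:", visit("https://example.com/", header_aware_origin))
    print("header-aware origin, HTTP visitor: ", visit("http://example.com/", header_aware_origin))
```

With the naive rule every HTTPS visit ends in too many redirects; with the header-aware rule an HTTPS visitor gets the page directly and an HTTP visitor is redirected exactly once. Web frameworks and servers usually have a setting for this (trusted proxy or forwarded-header handling) so that the rule does not need to be hand-written.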

Certificate Not Provisioned
View the DNS app records to ensure the root record (example.com) and www.example.com are orange-clouded (proxied).

For the Cloudflare Universal SSL certificate to be provisioned, you must orange-cloud the required records. Once a DNS record has been orange-clouded, your Cloudflare Universal SSL certificate will start to be provisioned.

Further information about how to do this can be found on the quick setup guide below:

Other SSL/TLS Errors

Fixing Error 520: Web server is returning an unknown error
Fixing Error 521: Web server is down
Fixing Error 525: SSL handshake failed
Fixing Error 526: Invalid SSL certificates

Security Option
Dedicated SSL Certificates allow you to secure multiple levels of your subdomains and include your fully qualified domain name in the Common Name (CN). Learn more about Dedicated SSL Certificates.

If You Need More Help
This community of other Cloudflare users may be able to assist you: log in to Cloudflare and post your question to the Community. When you post, include as much of this information as possible: the specific error message you are seeing, the URLs on which it happens, a screenshot of the error, and the steps to reproduce it. Please indicate what troubleshooting steps you have tried in order to help us help you.

Expert Comments Appreciated
This Community Tip will remain open for input from Community experts and those familiar with this issue. We really appreciate comments like: “What are the three things to always try”, or “Do this first” or “In my experience”.

This is a Cloudflare Community Tip; to review other tips, click here.


AQSECT 030321
