Confused with SSLs

Hi everyone

I have a number of domains, some of which have SSLs (supplied by Thawte and Comodo) installed directly on our web server.

Recently we have moved over to Cloudflare and after the DNS changes noticed that the certificates (when viewed through the browser) were now being provided by CF.

As the original SSLs are more secure, I would prefer to use those over the shared SSL that CF provides, although I am not too sure of the steps I should be taking to achieve this.

I have tried:

  • Disabling the universal SSL
  • Changing the SSL to Full (Strict)
  • Changing the SSL to Off

In the latter two I get the same error in the browser: “Domain uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

If I inspect the certificate in the browser it still says it’s pointing to the shared CF certificate.

I tried doing the “Upload Custom Certificate” but that needs more than the free account.

Thanks in advance
Simon

What makes you think so? The Cloudflare certificates are just fine, there is no need to replace them.


The only way to use your own certificates would be to disable proxying on that subdomain unless you use a Business account.

There is no need to change the certificates. The Cloudflare ones are just fine. If you don’t want shared certificates or you want custom subdomains you can buy a dedicated one from Cloudflare. You can substitute the ones on your server by using the free ones that Cloudflare provides.

Hi thanks for the reply.

Looking at this link: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean

It indicates that Flexible secures between your visitor and CF, but not between CF and our site.

Cheers for the reply.

Yeah, I have already bought the certificates up front originally, so I thought I may as well get some use out of them.

For new sites, I tend to just use the CF ones.

What about if we have payment options like PayPal checkout or Stripe checkout, where we don’t take the payment on the site, but we do store personal info about what someone has ordered (not credit card info)? I assume we would need to use Full SSL (Strict) for those.

Thanks

Also how do I disable proxying on the subdomain? Cheers

By switching the DNS record in question from :orange: to :grey:


That is correct. Flexible is very convenient if you can’t use TLS on your server, but it gives a false sense of security to the visitor. The connection between your server and Cloudflare will only be encrypted if you use one of the Fulls.

Yeah, but then that defeats the object of using Cloudflare to help mask the DNS.

So is the only way to use my own certificate with a “Full” option and also keep the proxy on to move off the free platform? As that wouldn’t be an option.

It looks like I can buy a dedicated SSL direct from CF for $5 per month. Would that be “Full (Strict)”?

Thanks

Basically, the Cloudflare certificates are just fine and there shouldn’t be any need to use your own (on Cloudflare’s side; your server is a different subject), but if you are concerned about security, you should be fully aware that, if you proxy your site, i.e. it is :orange:, all data transmitted will go through Cloudflare and will be decrypted on their side and then, if you use one of the Fulls, re-encrypted and forwarded to your server.

Of course it does, but you asked how to disable the proxy :wink:

If you want to use your own certificate the only option would be to switch to the business plan. But why would you have such a focus on your own certificate?

hehe I certainly did ask :slight_smile:

It’s not as such using my own certificate, it’s more me being new to CF and am used to having a full SSL so just exploring the options.

So at the moment I have about 20 SSLs that I have previously bought that are installed on the web server. So I guess I have 3 options:

  1. Upgrade to business plan and continue to use my current SSLs (that would be mega expensive for the sake of it)

  2. Ditch the old SSLs and use Flexible SSL provided by CF for them all

  3. For those that I feel need Full (Strict), buy a Dedicated SSL through the CF control panel and then ditch all the old SSLs.

Looks like I am ditching all the old ones as it’s either 2 or 3.

I guess the question is still, for those domains that I feel need to have Full (Strict) on, will this option come with the Dedicated SSL provided by CF.

Cheers again

Full strict is not about the certificates on Cloudflare’s side but only whether Cloudflare expects a valid certificate on your side or not.

Unless you have special requirements I’d say have your original certificates installed on your server and use them to properly secure the connection between your server and Cloudflare. In that case you should also be able to safely set it to “Full strict”. Then, on Cloudflare’s side, simply use the Universal certificates issued by Cloudflare automatically.

Once your original certificates are up for renewal I’d look into Cloudflare’s Origin certificates, as they are free.

Thanks, although that is also what I am having difficulty getting working.

So prior to moving our domains to CF, we had the original SSLs already installed and working.

But I am not sure what to change in CF to stop it from overriding the SSL with its own. See original post at the top. No matter what I do, the SSL seems to still be the CF shared SSL and I get the error.

Origin certificates look awesome and will defo look into those when they come to expiry.

There is nothing you can do short of disabling the proxy service. Your certificates are irrelevant as far as the user-facing connection is concerned. They only come into play when it is about the connection between your server and Cloudflare.

Ok cheers, so if I want to keep my own certificates then I need to disable the proxy. Unfortunately I can’t do that, as that is one of the main reasons I migrated the domains to CF.

So in order to keep the proxy in place, I guess I will have to ditch my current SSLs and just use those provided by CF.

I do need that extra bit of security on some of them so that it’s Full (Strict). Is it worth just generating the Origin certificates now for those?

Again, what is the reason for this fixation :slight_smile: on your certificates?

You still need them to encrypt the connection between your server and Cloudflare. Only if you want them to be user-facing as well would you need to change to the business plan.

Not sure what you mean by that.

Maybe check out

All valid certificates (so including the ones you have now) + the Origin certificates from Cloudflare are valid for doing Full (Strict). The Full (not Strict) is useful for self-signed certs, expired ones and ones in which the actual domain name you are requesting isn’t present (usually shared hosting, CDNs…).

With your current situation, use Full (Strict) until the certificates are expiring, then, instead of paying to renew them, simply create a new origin certificate (possibly even only one with all your subdomains if they are all in the same Cloudflare account) and configure it just like any other certificate on your origin. It won’t be trusted by browsers, but Cloudflare would be the only one connecting.

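The post above makes the key distinction: Full (Strict) is decided by whether the certificate on *your* server verifies when Cloudflare connects to the origin, not by the edge certificate a browser sees. The script below is an added example (not part of this thread and not Cloudflare tooling) that checks exactly that condition the way the edge does: it connects to the origin IP directly, so the Cloudflare proxy and its shared certificate are out of the picture, sends the site hostname as SNI, and verifies chain and hostname. The hostname, origin IP and optional `cafile` are values you supply; the OpenSSL verify codes are the standard `X509_V_ERR_*` values.

```python
"""
Probe an origin server the way Cloudflare's Full (Strict) mode does:
connect to the ORIGIN IP (bypassing the Cloudflare proxy), present the
site's hostname via SNI, and verify the certificate chain + hostname.
The verification outcome is then mapped to the SSL mode that will work.
"""
import argparse
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

# OpenSSL X509 verify result codes (from openssl/x509_vfy.h).
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_HOSTNAME_MISMATCH = 62

VERIFY_REASONS = {
    X509_V_ERR_CERT_HAS_EXPIRED: "certificate has expired",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "self-signed leaf certificate",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "self-signed certificate in chain",
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        "issuer not in the local trust store (a Cloudflare Origin CA cert "
        "reports this unless its root is passed as cafile)",
    X509_V_ERR_HOSTNAME_MISMATCH: "requested hostname not in certificate",
}


@dataclass
class OriginTlsResult:
    handshake_ok: bool          # True if TLS was negotiated at all
    verify_code: Optional[int]  # None when chain and hostname verified
    detail: str


def probe_origin(hostname: str, origin_ip: str, port: int = 443,
                 cafile: Optional[str] = None,
                 timeout: float = 5.0) -> OriginTlsResult:
    """Connect to origin_ip directly with SNI=hostname and verify the cert.

    This deliberately does NOT resolve hostname via DNS: once the record is
    proxied (:orange:), DNS returns Cloudflare's edge, whose certificate
    says nothing about what is installed on the origin.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                subject = tls.getpeercert().get("subject")
                return OriginTlsResult(True, None, f"verified; subject={subject}")
    except ssl.SSLCertVerificationError as e:
        # A certificate was presented but rejected; keep OpenSSL's reason.
        return OriginTlsResult(True, e.verify_code, e.verify_message)
    except ssl.SSLError as e:
        return OriginTlsResult(False, None, f"TLS handshake failed: {e}")
    except OSError as e:
        return OriginTlsResult(False, None, f"connection failed: {e}")


def recommend_mode(handshake_ok: bool, verify_code: Optional[int]) -> Tuple[str, str]:
    """Map a probe outcome to the Cloudflare SSL mode the origin can support."""
    if not handshake_ok:
        return ("Flexible", "origin does not speak TLS on this port; "
                            "Cloudflare-to-origin traffic would be plaintext")
    if verify_code is None:
        return ("Full (Strict)", "chain and hostname verified")
    reason = VERIFY_REASONS.get(verify_code, f"OpenSSL verify code {verify_code}")
    return ("Full", f"Strict would fail: {reason}")


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Check whether an origin can use Full (Strict)")
    ap.add_argument("hostname")
    ap.add_argument("origin_ip", help="the server's real IP, not the Cloudflare edge")
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--cafile", help="extra root PEM, e.g. Cloudflare Origin CA root")
    args = ap.parse_args()
    res = probe_origin(args.hostname, args.origin_ip, args.port, args.cafile)
    mode, why = recommend_mode(res.handshake_ok, res.verify_code)
    print(f"{args.hostname} @ {args.origin_ip}:{args.port} -> {mode} ({why})")
    print(f"  detail: {res.detail}")
```

A publicly trusted certificate (Thawte, Comodo, Let's Encrypt) on the origin verifies against the system store and yields Full (Strict). A Cloudflare Origin CA certificate is trusted by Cloudflare's edge but not by your local store, so the probe reports verify code 20 unless you pass Cloudflare's Origin CA root as `--cafile`; that is the expected result, not a misconfiguration.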

Ah no fixations, I am happy to get rid of them, I am just exploring everything.

Ok so how do I set it up so that CF secures between the browser and CF, but then the original cert secures between CF and the server?

Maybe it’s easier to try and explain what I am trying to achieve. I have 2 kinds of websites.

  1. Want to have the padlock in the browser so the visitor feels comfortable with the site and also Google doesn’t penalise us for not being https. The free flexible SSL from CF seems to solve that.

  2. We collect personal information from the visitor and maybe store it in a back office. The Flexible option from CF doesn’t secure between CF and our server, so we need to do something there, whether it’s our current SSLs, new dedicated SSLs through CF or creating new Origin certificates from CF which we plop on our server.

So really just need a bit of guidance and advice for option 2. I don’t mind if I use totally new SSLs provided by CF or otherwise, I just want to be able to use the CF proxy and on some domains, use the Full (Strict) option so I know the data is fully protected from the visitor to the server.

As you can guess I am not enormously technical and very much appreciate the information you have provided :slight_smile:

Thanks again