I’m new to CloudFlare and SSL. It’s my understanding that the ‘Shared’ SSL does not give you full end-to-end encryption protection. And with say, the free plan, it is possible to use Let’s Encrypt on the origin side, but the disadvantage is that renewal + CloudFlare becomes a manual process. Or so it seems…
Also I’m not sure if you can actually use the Pro plan with Let’s Encrypt?
I’ve heard of Dedicated SSL, but I’m not sure exactly what it is and if it provides end-to-end encryption?
Can you please suggest what my options are in terms of end-to-end encryption, with the easiest implementation?
All this is very new and daunting in a way. Your feedback is appreciated.
Depends on your definition of end-to-end encryption.
Generally speaking (except for Enterprise plans), Cloudflare never offers end-to-end encryption as the data is always de- and then re-encrypted on the proxies.
However, if you ignore that part and make sure you are on “Full strict” you will have a semi end-to-end encryption in the sense that all HTTPS communication will be encrypted during transfer, and that includes universal certificates.
So the Dedicated SSL is not an “Origin” SSL?
Is the solution then to use “Cloudflare” Origin SSL?
The reason I’m asking is that in using Let’s Encrypt Auto SSL, when it inevitably expires in 3 months after issue, I will then manually have to tell CloudFlare that it’s been renewed. Is that correct?
It is not. The dedicated certificates are for the proxies only and you will never get even close to that certificate. The origin certificates are for your server on the other hand and free, however they only work in a proxied context, as they are not signed by a publicly recognised CA.
Depends what for. You can use an origin certificate, but also any Let's Encrypt certificate or even any paid certificate which is recognised by mainstream browsers.
No, as long as your certificate is valid and working for browsers, it will also work for Cloudflare. An origin certificate would have the advantage of not having to renew it every three months, however - again - it is only valid for proxied connections. If you access it directly via a browser you will get an untrusted warning.
So an Auto Let’s Encrypt certificate could work? And when it auto-renews, then CloudFlare detects this and continues working - without manual intervention on my side to ‘refresh’ it to let it know that the certificate has been renewed?
Also if I use auto Let’s Encrypt on the Origin, will it work with the Pro plan?
I.e. do I have to purchase a certificate from a CA or will the Auto one from Let’s Encrypt work?
No, you still have to make sure that it renews. Should it fail to renew and end up with an expired certificate, you will get a 526 error on Cloudflare because the certificate does not validate any longer.
Ok but if the certificate auto renews successfully, then there should be no user intervention required on the Cloudflare side? It will continue to work as normal (unless something went wrong with the renewal)?
So just to confirm:
Auto Let’s Encrypt Certificate on Origin + Cloudflare Shared SSL = Full end-to-end encryption with auto-renewal?
As long as your certificate renews, you will have a valid certificate and Cloudflare's proxies will be perfectly happy with that. Take into account that sometimes there are issues with an HTTP-based certificate validation, as Let's Encrypt occasionally runs into Cloudflare's security layer.
Yes, end-to-end in the sense that both connections (user-proxy/proxy-origin) are encrypted. Not in the sense that the data is only tunnelled through Cloudflare. It will still be decrypted on Cloudflare’s side.
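The replies above make three separate claims about what the proxy-to-origin leg needs under "Full (strict)": the origin certificate must chain to a CA the verifier trusts (which is why a Cloudflare origin certificate shows an untrusted warning in a browser that is not behind the proxy), it must match the hostname, and it must be within its validity window (which is why an un-renewed Let's Encrypt certificate produces a 526). The following Go program is an added example, not code from the thread or from Cloudflare; it builds a constructed private "origin CA" and a 90-day leaf certificate in memory, then runs the same chain, hostname and expiry checks a strict TLS client applies, once with the private CA trusted and once without. The CA name, hostname and the 90/91-day timings are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate standing in for a private
// "origin CA" (constructed for this example). A browser's trust store does
// not contain it, so a leaf it signs is only trusted by a verifier that was
// explicitly handed this root, as a proxy configured for it would be.
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newLeaf issues a server certificate for host, signed by ca, valid for the
// given window. A 90-day window mirrors a Let's Encrypt lifetime.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname matching uses the SAN, not the CN
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// checkOriginCert applies the three checks a strict TLS client makes on an
// origin certificate: it chains to a root in roots, it is valid for host,
// and the time at falls inside its validity period. Any failure is the kind
// of thing that shows up as an untrusted certificate on the proxy side.
func checkOriginCert(leaf *x509.Certificate, host string, roots *x509.CertPool, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: at,
	})
	return err
}

func main() {
	now := time.Now()
	ca, caKey := newCA("Example Origin CA (constructed)", now)
	leaf := newLeaf(ca, caKey, "example.com", now, now.Add(90*24*time.Hour))

	trusted := x509.NewCertPool() // a verifier that was given the origin CA
	trusted.AddCert(ca)
	browserLike := x509.NewCertPool() // empty pool: knows nothing about the private CA

	fmt.Println("proxy that trusts the origin CA:", checkOriginCert(leaf, "example.com", trusted, now))
	fmt.Println("browser without the origin CA:  ", checkOriginCert(leaf, "example.com", browserLike, now))
	fmt.Println("day 91, never renewed:          ", checkOriginCert(leaf, "example.com", trusted, now.Add(91*24*time.Hour)))
	fmt.Println("wrong hostname:                 ", checkOriginCert(leaf, "other.example.com", trusted, now))
}
```

The first call returns nil; the other three return errors (unknown authority, expired, hostname mismatch). Swapping the constructed private CA for a publicly trusted one is what makes a Let's Encrypt or paid certificate work both behind the proxy and when the origin is reached directly; the expiry check is the one that a failed auto-renewal trips.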