Dedicated SSL will not enable

I am trying to enable Full (strict) SSL/HTTPS, but I seem to be stuck at the Universal SSL status, even though I have tried Off, Flexible, Full and Full (strict). I even disabled Universal SSL hoping to force it to work. When I first created my account and domain, etc., it worked, but I was having some redirect errors on our website so I switched back to the Universal option (I know that is incorrect now). See below image:

Usually that message would indicate an issue; however, given that you seem to have ordered a dedicated certificate, I would assume that should be fine and you actually don't need the universal certificate.

Your site actually seems to load fine, right?

It looks like you managed to figure out something to get it working, I suspect you don’t know why.

The Universal or Dedicated SSL certificate is different to the SSL Mode (Off, Full, Flexible etc.), and they have nothing to do with each other.

The Dedicated/Universal SSL certificate is for the user to Cloudflare. The relevant setting there is “Always Use HTTPS”, which forces the User-Cloudflare connection to be SSL, similar to redirecting HTTP to HTTPS on your origin.

The SSL Mode is for Cloudflare to Origin, and the setting depends on what type of cert (if any) you have on your origin, and whether your origin supports HTTPS. Flexible is if your origin is HTTP only (not recommended), Full is if your origin has a cert that is invalid (like out of date or self-signed) and Full (Strict) is if the cert is valid.

Your origin has a valid cert from Comodo which expires in about two months. You are also doing a redirect on your Origin from HTTP to HTTPS. (I checked directly against your origin, the IP ends in 188?). If you were using Flexible with that origin redirect then you would have had a problem.

The correct SSL Mode for you is Full (Strict). Just make sure to renew the Comodo cert in the next two months (or use Let's Encrypt).
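The interaction described in the reply above (Flexible mode combined with an origin that redirects HTTP to HTTPS) can be modelled offline. This is an added example, not part of the original thread and not Cloudflare code; the function names and the simplified edge behaviour (Flexible always uses HTTP to the origin, Full and Full (Strict) reuse the visitor's scheme, only Full (Strict) validates the origin certificate) are assumptions of the model.

```python
# Toy model of visitor -> Cloudflare edge -> origin. Nothing here touches the
# network; all names are hypothetical and the behaviour is deliberately simplified.

def origin(upstream_scheme):
    """Origin from the thread: plain HTTP requests are redirected to HTTPS."""
    if upstream_scheme == "http":
        return 301, "https"      # redirect the client to the HTTPS URL
    return 200, None             # HTTPS request is served normally


def fetch(ssl_mode, start_scheme="http", origin_cert_valid=True, max_hops=10):
    """Follow redirects the way a browser would and report the outcome.

    ssl_mode: "flexible", "full" or "strict" (Full (Strict)).
    """
    scheme = start_scheme        # scheme between visitor and edge
    for hop in range(max_hops):
        # Flexible: the edge always talks plain HTTP to the origin.
        # Full / Full (Strict): the edge reuses the visitor's scheme.
        upstream = "http" if ssl_mode == "flexible" else scheme

        # Only Full (Strict) rejects an expired or self-signed origin cert.
        if upstream == "https" and ssl_mode == "strict" and not origin_cert_valid:
            return "526 invalid origin certificate"

        status, location = origin(upstream)
        if status == 200:
            return f"200 after {hop} redirect(s)"
        scheme = location        # browser follows the redirect to HTTPS
    return "too many redirects"


if __name__ == "__main__":
    for mode, valid in [("flexible", True), ("full", True),
                        ("full", False), ("strict", True), ("strict", False)]:
        print(f"{mode:8} cert_valid={valid!s:5} -> "
              f"{fetch(mode, origin_cert_valid=valid)}")
```

In the Flexible case the origin never sees an HTTPS request, so its redirect fires on every hop; that is the "Too many redirects" symptom mentioned later in the thread.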

If you notice in the picture, I do have Full (strict) set, but it is stuck at Red Dot and Certificate Deleted. It never changes to the appropriate state. Also, when it was properly enabled, I got the dedicated Cloudflare SSL (with the right domain stjosephsea.org); now I have the Origin Comodo SSL cert. The whole reason I was changing these modes was to eliminate the “Too many redirects” on 4 of our pages, one being our donation page, which is very important to management. I don’t get the redirect errors now, which is good, but I would like to be able to fully enable Full (strict) mode, but it is not changing state. Is there a support number to call? Maybe it is something on the back-end?

The website loads fine, and the redirect errors are gone, but it would be nice to be fully encrypted end-to-end.

You are. As @michael mentioned, you have a soon-to-be-expiring Comodo certificate on your origin and you have the dedicated certificate between your visitors and Cloudflare. And, you’re set at Full (Strict).

But, you do have some mixed content issues on some pages and that may lead to your comments about end to end, not all pages are. The donate page is, lots of other issues on other pages.

Here’s a tip with some suggestions to address the mixed content issues, https://community.Cloudflare.com/t/community-tip-fixing-mixed-content-errors/42476.

There is phone support for enterprise accounts. To reach support, for free, business and pro, login & go to https://dash.Cloudflare.com/?account=support and select get more help.

Well, except for the by-design decryption on the edges, it is, isn't it? What makes you think it isn't?

You have a valid certificate on your own server and - assuming you are on Full strict - this will secure the connection between your server and Cloudflare. Furthermore you have a dedicated certificate on Cloudflare, which secures the connection between your visitors and Cloudflare.

I do admit though, the UI is confusing by mentioning right next to the SSL mode that the (universal) certificate has been deleted -> @cloonan


This topic was automatically closed after 30 days. New replies are no longer allowed.