Did I set up SSL correctly?

#1

Just recently, I finished setting up SSL for my website, to which I don’t have root access.

I filled out some “SSL request form” they asked me to do. I provided them with the CRT and private key that I got from a free SSL certificate service called ZeroSSL, so they can wrap up whatever’s left to apply the SSL setting to my website.

I haven’t gotten a reply from the web hosting support yet. This part is something that bothers me.

I’m not sure if they finished their part to configure SSL for my website. With this uncertainty in mind, I gave it a shot and set the SSL setting to “Full (Strict)” under the Crypto App in the Cloudflare dashboard.

“Visitor — Cloudflare — Origin Server” (Topology)
As far as I’m concerned, I should get a 525 or 526 error when the connection between Cloudflare and the Origin Server is not HTTPS encrypted under the condition of Full (Strict).

So far, I can access my website without any problems. Does this mean the hosting service provider and I did our job correctly?

1 Like
#2

Looks like it all works great, I see the cert on the origin server and the page loads securely.

#4

When you say you see the cert on the origin server and the page loads well, you are referring to my website, right? Because I don’t recall putting my site’s domain name anywhere in this post. Maybe somewhere on my profile.

Anyway, isn’t it that the visitors will never know if Cloudflare and the origin server are connected via HTTPS?

How do I know for sure whether they (Cloudflare and origin) are securely connected?

Because if a website is properly engaged with Cloudflare and the Flexible SSL option is enabled, it looks like visitors will always see the mark that they are safely connected to the website when in fact they are not end-to-end encrypted.

#5

Hi @dmcare2017, your site loads securely.

To see the certificate on your origin, from a terminal window, enter this command:
$ curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

Replace example.com with your domain and 123. with your origin IP address. You’ll receive a reply back with the details of your certificate. As you have a cert on your origin, you can set SSL on the crypto tab to Full (Strict).

To me, it looks like you and your hosting service did the job correctly.

1 Like
#6

@cloonan is a Cloudflare employee and part of the Community Team, so he can look into your question/issue more in-depth. Your domain name isn’t anywhere on the forum by the looks of it :slight_smile:

This is correct. There is a product request Header indicating encryption status of the origin connection for indicating the connection status but it’s not confirmed yet. Flexible mode is really only meant for providers that charge extra for SSL and that don’t work at all when set to Full.

2 Likes
#7

Thanks for replying cloonan

I tried your command line and this is what I got.

I’m not so familiar with the Linux environment, but from the looks of it the result’s telling me I don’t have a certificate installed on my server.

But still I have Full (Strict) set on Cloudflare. Is this something that is possible?

* Added dmcare.co.kr:443:183.111.199.190 to DNS cache
* About to connect() to dmcare.co.kr port 443 (#0)
*   Trying 183.111.199.190...
* Connected to dmcare.co.kr (183.111.199.190) port 443 (#0)
* Initializing NSS with certpath: none
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=dmcare.co.kr
*   start date:  3월 29 04:09:50 2019 GMT
*   expire date:  6월 27 04:09:50 2019 GMT
*   common name: dmcare.co.kr
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: dmcare.co.kr
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 30 Mar 2019 04:00:17 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Powered-By: PHP/7.0.0p1
< Link: <https://dmcare.co.kr/index.php?rest_route=/>; rel="https://api.w.org/"
<
{ [data not shown]
* Connection #0 to host dmcare.co.kr left intact
#8

I’ll take a look at the link some time later, thanks Judge.

The question is whether Flexible mode would automatically kick in when the situation does not allow Full (Strict) to work, just like mine.

I tried cloonan’s command line and I assume the result’s saying I don’t have a certificate on the origin server. But I can easily access my website without a problem.

#9

You do have a valid certificate on your server. A LetsEncrypt certificate valid until the end of June.

This, coupled with your “Full strict” setting, would basically mean you have a proper and secure SSL setup on your server and Cloudflare.

Just make sure you regularly renew your server certificate when/before it expires and you should be good to go.

1 Like
#10

Oh, I see there’s an issuer line. But I got my certificate through zerossl.com because I don’t have root access. Why would the issuer be Let’s Encrypt?

By turning off SSL under the Crypto app and trying to access the website with the https prefix, would this be a proper way to assess the presence of SSL? Just to make sure I really have SSL…

I assume this method might be wrong. Since the website points to Cloudflare name servers and all traffic goes through Cloudflare servers, visitors can only open a connection with the website according to the Cloudflare page rules, which, this time, will be the SSL option being turned off. Consequently Cloudflare will force visitors’ browsers to connect via http and, of course, the browser will notify visitors that they are not securely connected with the website, even with the certificate properly installed on the origin server.

Feels like I’m saying the same thing over and over again. It’s really annoying me since the official reply from my web hosting service provider isn’t so helpful at all… They just assumed they and I got the cert correctly since I have the Full (Strict) option turned on and have no trouble accessing the website.

#11

HTTPS would still work but you would get a redirect to HTTP. You would actually need to disable universal SSL to disable SSL altogether. You could still connect via HTTPS in that case, but you would get a protocol error.

What is your actual concern? You do seem to have a valid certificate in place and with having chosen “Full strict” Cloudflare should connect via HTTPS.

#12

https://zerossl.com/free-ssl/#howtocrt - they use LetsEncrypt :slight_smile:

The terminal command posted above assessed whether or not SSL was properly installed. The --resolve option made it bypass Cloudflare, instead going directly to your origin. This means that the LetsEncrypt certificate that’s shown here is the one configured on the server.
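
The same direct-to-origin check can be scripted. The following is an added example, not part of the original posts and not Cloudflare's code: it connects to the origin IP while sending the domain as SNI, as `curl --resolve` does, verifies the certificate strictly, and reports issuer and days until expiry. The names `summarize`, `check_origin` and `SAMPLE_CERT` are made up for this illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample shaped like SSLSocket.getpeercert() output, filled with the
# certificate values shown in the curl log earlier in this thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "dmcare.co.kr"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notAfter": "Jun 27 04:09:50 2019 GMT",
}


def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the fields curl -v prints, plus days left."""
    now = now or datetime.now(timezone.utc)
    flat = lambda rdns: {k: v for rdn in rdns for (k, v) in rdn}
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "subject_cn": flat(cert["subject"]).get("commonName"),
        "issuer_cn": flat(cert["issuer"]).get("commonName"),
        "expires": expires.isoformat(),
        "days_left": (expires - now).days,
    }


def check_origin(domain, origin_ip, port=443, timeout=10):
    """Connect to origin_ip, send `domain` as SNI and verify the cert against it."""
    # Default context checks chain, hostname and validity dates against the public
    # trust store, so a Cloudflare Origin CA certificate is reported as untrusted here.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return {"ok": True, **summarize(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}
    except OSError as exc:  # refused, timed out, or TLS handshake failure
        return {"ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    # Usage: python check_origin.py example.com 123.123.123.123
    print(check_origin(sys.argv[1], sys.argv[2]))
```

Run on a schedule, the `days_left` value gives early warning for the renewal mentioned earlier in the thread.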

#13

okay, that kinda put away my doubts

appreciate your reply, Judge :grinning:

#14

I know I’m kind of obsessed. Sorry for that. It’s my first time trying to get basic security for my website, that is why.

But you guys helped a lot. Thank you.

1 Like
#15

Thank you guys.

I really appreciate your answers. Helped a lot. :smiley:

1 Like