Does nginx need certs if Cloudflare manages it in front?


#1

Hello,

Silly question: does nginx need certs if Cloudflare manages it in front?

If Cloudflare manages my cert (by pressing a simple HTTPS button), do I really need to take this cert and install it on all my nginx behind?

I tried to disable ssl on nginx, but nothing works, the logs ask for my cert location. Seems like I need to load certs on all my nginx somehow…

Thank you for your help.
Greg.


#3

In addition to what @sandro said, you can use one of the free Origin Certificates from Cloudflare, they work only with Cloudflare, but no one will go direct to the server theoretically.


#4

Thank you Matteo for your very quick answer!

For now I was creating my certificate using let’s encrypt.
But with cloudflare https button I thought, nice no need to update my cert on my 4 Nginx manually.

Cloudflare automatically updates the cert.

If I download origin certification from cloudflare and put it on my 4 Nginx, do you mean I will not need anymore let’s encrypt, but I will still need to renew this origin cert every x months?

Thank you !

Greg.


#5

The Origin Certificate can last up to 15 years.

Also this is the most common misconception, but not having a certificate (or having one that is expired), while supported by Cloudflare, does not actually protect from possible Man In The Middle attacks.
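
An origin-side nginx configuration for the setup discussed in this thread, added here as an example and not posted by any participant. The `server_name`, document root and certificate file paths are placeholders (assumptions); the certificate and key are the Origin Certificate pair generated in the Cloudflare dashboard.

```nginx
# Added example: nginx origin behind Cloudflare, using a Cloudflare Origin Certificate.
# example.com and every file path below are placeholders, not values from the thread.

# Plain HTTP listener: never serves content, only redirects to HTTPS.
# Caveat: if the Cloudflare SSL/TLS mode is "Flexible", Cloudflare connects to the
# origin over HTTP and this redirect loops. Use "Full (strict)" with this config.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # Origin Certificate and private key issued by Cloudflare.
    # Browsers do not trust this certificate; Cloudflare does, so it is only
    # suitable while all traffic reaches the origin through Cloudflare.
    ssl_certificate     /etc/nginx/ssl/cloudflare-origin.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare-origin.key;

    # Only modern TLS versions on the Cloudflare-to-origin hop.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root /var/www/html;
    }
}
```

With the SSL/TLS mode set to "Full (strict)", Cloudflare validates the certificate the origin presents, which is what closes the man-in-the-middle gap mentioned in post #5. The same certificate and key files can be copied to each nginx instance serving the hostname.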