I am taking my first steps at Cloudflare and would be grateful if you could help me to clarify some issues regarding the SSL certificate.
I understand Cloudflare provides a free shared Universal SSL certificate to every domain name added to our Cloudflare account. Every time we add a domain name to Cloudflare:
Would it automatically get a free shared Universal SSL certificate even if the domain is parked at another registrar?
Do we have to pay annually for renewing the shared Universal SSL certificate? Does it renew automatically or do we have to renew it manually?
Would the free shared Universal SSL certificate be installed even if the HTTPS option is not enabled?
For clients like myself who only have the shared Universal SSL certificate:
Where could I find the FTP address (host name), the username and the password that are needed to upload the files to the internet under FTPS-FTP over explicit TLS/SSL?
The hosting company I use (Namecheap) provides a Free Positive SSL certificate for free for the first year. I understand it should be more or less equivalent to the shared Universal SSL certificate offered by Cloudflare. Let’s imagine I have a domain name parked at Namecheap, but its DNS are pointing to Cloudflare. Therefore, taking into account a free basic SSL certificate is being offered at both ends:
Should I disregard the Positive SSL certificate offered by Namecheap?
Can I have the SSL certificates active at both ends without creating any conflict?
If I purchase a dedicated IP address linked to my shared hosting account at Namecheap, could I get the free shared Cloudflare SSL certificate associated with the dedicated IP or will I have to upgrade to the Advanced Certificate Manager?
It is not. One secures the origin (your server) connection, and one secures the browser connection. You need both.
There’s no file hosting here. Cloudflare is a proxy service. There are ways to have Cloudflare pull content to serve from its datacenters, but it’s not the standard configuration you’re used to.
There’s no good reason to do this. Especially if Cloudflare is proxying your site. Nobody will notice that IP address, and it has no impact on your proxy service here. Certs are in no way tied to an IP address.
The bottom line is this: If you have a site that’s currently working with HTTPS, Cloudflare will work great with no extra muss or fuss.
As I have many domain names, it might be technically simpler and more cost-effective if I just purchase at Namecheap a multi-Domain SSL certificate to avoid configuring stuff on a per domain basis. Also, I don’t think Namecheap would be willing to allow clients to upload a Cloudflare certificate to their servers. Otherwise they would be losing business, apart from the fact it will increase their workload by providing technical support. Having said that, Namecheap is an excellent hosting company as they do their best to offer timely and efficient support. There are a lot of hosting companies on the internet with flashy and beautiful websites who just want to grab money. I would treat them as scammers.
Your explanations have cast light on two key areas: (1) Now I understand that issues regarding FTP address are dealt with by the hosting company we use; and (2) SSL certificates are not linked to an IP address.
I believe you may have overlooked the following issues:
Would the free shared Universal SSL certificate be installed even if the HTTPS option is not enabled? By the way, can HTTPS be activated at both ends (Namecheap and Cloudflare)?
Would Cloudflare automatically renew the free shared Universal SSL certificate or do we have to renew it ourselves manually? Anyway, I will be transferring ALL my domain names to Cloudflare, not only because of a cheaper renewal price, but due to the range of features offered.
I wanted to address the core issue of securing the server with SSL first.
Universal SSL is inextricably tied to the HTTPS option. You need both. And Universal SSL auto-renews.
The only caveat about using Cloudflare Registrar is that those domains have to use Cloudflare name servers for as long as those domains are registered here. Only a third of mine are. The others are evenly split between two other registrars.
It seems to me using Cloudflare name servers is not a serious caveat. Perhaps for certain domain features at least in certain companies for options like domain redirection if I am not mistaken, etc. I have a domain name at Namecheap linked to a website whose DNS are from a registrar in New Zealand and there is no problem at all. In short, I think having Cloudflare DNS as registrar and hosting elsewhere poses no difficulties as long as we own the domain names parked at Cloudflare.
Have a nice end of day
ADDENDUM: As you brought to my attention the issue of possible caveats by using Cloudflare DNS servers, I will submit a ticket at Namecheap asking them what would be the caveats at their end by doing so. Perhaps it would be better having that issue clear before continuing the transfer of domain names from Namecheap to Cloudflare.
Wait, I think now I realise what you were referring to. Apparently, the actual caveat is that we cannot change the DNS of domain names in our Cloudflare account. I will check this with Namecheap to see if this fact would not enable me to host my Cloudflare domain names with them.
UPDATE TO LATEST THREAD: I submitted the ticket below to Namecheap. Please feel free to read my question and their answer:
CASE SCENARIO: Hello! Let’s say I own a domain called DUDUKON.COM (dummy name) which is parked at Cloudflare with DNS from Cloudflare, as follows:
QUESTION: Can I host DUDUKON.COM with my Namecheap shared hosting plan (Stellar Business) even if that domain has Cloudflare DNS?
Please note I cannot change the DNS at Cloudflare if I keep the current plan I have with them.
RESPONSE FROM NAMECHEAP: We would like to inform you that you will be able to add the domain name DUDUKON.COM to your hosting package using the cPanel plugin “Addon Domains”. Feel free to use this guide:
Hi Sandro. I am ignorant in IT and web matters, but your comments and advice make sense. So, I will not fail to go through previous threads and documents found at Cloudflare. The issue you should bear in mind is that people like me get confused because we may be inclined to believe there may be conflicts if SSL certificates are activated at both ends (Cloudflare and our hosting provider).
My understanding according to what sdayman and yourself have said is that I need to install the certificate at the hosting end even if the shared Universal SSL certificate is active at Cloudflare. If this is so, then we need to purchase a certificate at the hosting side from the second year as their basic SSL certificate is only offered for free during the first year.
As an aside, I would have chosen “Full Strict” anyway until proved otherwise. Just a matter of common sense even without having read Cloudflare documentation and tutorials. If I am given the choice of sleeping on the grass in a park (so, incurring the risk of being attacked) or inside a comfortable secured shelter, why am I going to choose the former and less secured option?
ADDENDUM: I understand where amnonbc is coming from as it might not be necessary to activate Full Strict option for a static site that only has one or a few photos and information like brochure type sites. On the flip side, I suppose that even basic static sites may be attacked for a number of reasons that could be found on web related books. This is an assumption I make as I am not knowledgeable on these matters.
That is correct, @sdayman’s advice was spot on in this context.
There is nothing wrong per se with paid certificates, as long as they are reasonably priced of course (there are examples where they charge hundreds of dollars). That being said, you should still be aware that there are plenty of free certificates out there and they work just as well. @sdayman has already mentioned a few examples.
You are absolutely right here.
I am afraid he is still wrong here. A site is either secure or it is not. What he suggested would have made sure that a site is still transferred over HTTP. What he claimed, unfortunately, often comes up because people did not fully understand how Cloudflare works and believe the famous SSL padlock in the browser is enough and that’s unfortunately not the case. There’s also more on that at Why you should choose Full Strict, and only Full Strict.