Help! Enabling HTTPS on Domain

Hello, I am the owner of the domain godaellihcs.com. It’s a registered domain in Google Domains and the web hosting is through a company based in the Philippines. I wanted to make my website HTTP secure at no cost right now since we already have a bunch of other expenses. So I did some research and ended up using Cloudflare since it was free. After discussing with our host, they said they can do it if I send them a certificate of my SSL. I created a certificate using the Origin Server tab and sent them the PKCS#7 and Private Key files. However, they said I need to provide them with the bundle and certificate details. I am confused because nowhere on the site does it mention anything about a bundle. Can anyone please help me?

Just go to SSL/TLS → Overview and change from “Off” to “Flexible” or better even use “Full” / “Full (strict)” if your webserver already has a certificate setup… This should be all that’s necessary to enable HTTPS on your website.

image
I still get this.

Please do not mislead the OP. You suggested the OP made his site insecure. It should be Full Strict.

Don’t do that. It doesn’t secure the connection between Cloudflare and the origin server and worst of all it deceives visitors into believing that their connection is secure when it actually isn’t.

Did you access your website with https://?

If you go to SSL/TLS → Edge Certificates you can also enable “Always Use HTTPS”. This will automatically redirect your users to HTTPS.

@izu21godfrey, you have a security issue on your server and need to fix that first. You need to install an SSL certificate on your server, you can either check out Let’s Encrypt or Cloudflare’s Origin certificates, but as long as your site is not secured it can’t work on Cloudflare either. It first needs to load fine with HTTPS without Cloudflare.

I totally agree that for the real security, everyone should go for “Full (strict)”, but for some occasions, “Flexible” does still provide more security than no SSL at all.

I am afraid it doesn’t, because it still keeps all traffic on HTTP. Please check out #tutorial as there are dedicated articles on that subject.

Okay, thank you! I do not have access to the server hosting the website. The company we hired to make the website has control of the server.

That’s all right, hence it’s best to talk to your host, they need to fix that.

They said they can install SSL but want to charge $100 a year for it. That’s not terribly expensive, but as I said before, I want to minimize my expenses as much as possible since the company is fairly new.

$100 a year actually is rather expensive. There are certificates which cost $10 a year, which is not that unreasonable. Nonetheless, there are also plenty of free certificates. The ones I already mentioned.

Bottom line, you need a certificate first on your server. Paid or free.

Thanks, I’ll have a look.
But the connection between the client and Cloudflare would still be secure, right? And I would believe that this is the point where, for example, MITM attacks would be most likely to occur. But I totally agree that Full (strict) should be the norm. But if I had to choose between Off and Flexible I’d still go with Flexible.

Alright. Thank you for your expertise!

No worries, anything up to $10 a year is still reasonable for a certificate. Of course, if you can get it free, get a free one. But if your host charges you just to enable the certificate, I would recommend switching hosts; no host should do that.

As for Origin certificates → Origin CA certificates · Cloudflare SSL/TLS docs

But they are only valid in a proxied context, so you will receive a warning if you try to load a site directly.

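
Why an Origin CA certificate gives a warning on a direct visit yet validates behind the proxy, shown as an added example that is not part of the thread. A throwaway private CA stands in for Cloudflare's Origin CA, `origin.example.test` is a hypothetical hostname, and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway private CA stands in for Cloudflare's Origin CA.
# origin.example.test is a hypothetical hostname; nothing here touches the network.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_certs() {
  # 1. Private CA: like the Origin CA, it is absent from public trust stores.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Origin CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null || return 1
  # 2. Key and signing request for the origin web server.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example.test" \
    -keyout "$workdir/origin.key" -out "$workdir/origin.csr" 2>/dev/null || return 1
  # 3. The private CA signs the origin certificate.
  openssl x509 -req -in "$workdir/origin.csr" -days 30 \
    -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" -CAcreateserial \
    -out "$workdir/origin.pem" 2>/dev/null
}

# Prints "trusted" only if openssl can build a chain to a trusted root.
# Any extra arguments are passed through to `openssl verify`.
trust_result() {
  if openssl verify "$@" "$workdir/origin.pem" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# Direct visit: the client knows only the system's public roots.
direct_visit() { trust_result; }

# Proxied visit: the validating proxy also trusts the issuing private CA.
proxied_visit() { trust_result -CAfile "$workdir/ca.pem"; }

make_certs || { echo "openssl failed" >&2; exit 1; }
echo "direct visit:  $(direct_visit)"
echo "proxied visit: $(proxied_visit)"
```

The same certificate file is checked both times; only the set of trusted roots differs, which is why a certificate from a public CA such as Let's Encrypt passes in both cases while an Origin CA certificate passes only behind the proxy.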
