How is FULL SSL encryption working without a self-signed cert?

I have a site with a GoDaddy SSL certificate. I recently started using Cloudflare and pointed the nameservers to Cloudflare. The SSL/TLS encryption mode is currently set to “Full”.

How is traffic encrypted between Cloudflare and my origin server? The “Full” option on the setup screen says it uses a self-signed certificate on the server, but I never set this up. Is that connection somehow using the GoDaddy certificate? If the GoDaddy certificate is being used, I must need to continue renewing it, right?

Is a better option to create an “Origin CA” certificate, install that on my origin server, then switch to Full (Strict) as shown below? It seems like if I could get that working, I could stop renewing through GoDaddy. Is that correct?

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

“SSL Full” means Cloudflare encrypts the traffic; however, Cloudflare doesn’t check the validity of our server’s self-signed SSL certificate.

It could be that it was issued from cPanel or in some other way in the meantime.

Depending on how long a period the self-signed certificate is issued for, usually yes, and that’s the case with any SSL certificate.

If possible, yes, always. At least with Cloudflare we can set it for up to 15 years.

I do think, however, that if you’re using the same origin host/server to send out emails, then it might be better to renew GoDaddy, since Cloudflare’s Origin CA certificate doesn’t work publicly without the proxy :orange: and works only with HTTP(S) traffic.
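The thread's open question is what certificate the origin is actually presenting to Cloudflare, and whether it is something that would pass Full (Strict). The script below is an added example, not code from the thread or from Cloudflare: it connects directly to the origin with Python's standard `ssl` module, reports the subject, issuer, SAN names and days to expiry, and flags the properties that rule out Full (Strict) (self-signed, expired, hostname not covered). The three sample certificates (`SAMPLES`) and the `Example CA` issuer are constructed for offline testing and are not real certificates. One caveat encoded in the comments: a certificate issued by Cloudflare's Origin CA is accepted by Full (Strict) but is not in the public trust store, so the live probe will report it as `publicly_trusted: False` even though it is a valid Full (Strict) setup.

```python
"""Inspect the certificate an origin presents, to reason about Cloudflare's
Full vs Full (Strict) modes. Added example; not Cloudflare's or the poster's code."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def _rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def name_matches(dns_names, hostname):
    """Exact match or single-label wildcard match, as a TLS client would apply it."""
    host = hostname.lower()
    for name in dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def describe_cert(cert: dict, now: Optional[datetime] = None) -> dict:
    """Summarise a getpeercert()-style dict. `now` is injectable so tests are deterministic."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    return {
        "subject_cn": _rdn_value(cert["subject"], "commonName"),
        "issuer_cn": _rdn_value(cert["issuer"], "commonName"),
        "issuer_org": _rdn_value(cert["issuer"], "organizationName"),
        "self_signed": cert["subject"] == cert["issuer"],  # the "Full" mode case
        "days_left": days_left,                            # renewal still matters for any cert
        "expired": days_left < 0,
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def assess(cert: dict, hostname: str, now: Optional[datetime] = None) -> dict:
    """Full (Strict) needs an unexpired cert, covering the hostname, from a CA Cloudflare
    trusts (public CA or Cloudflare Origin CA). Self-signed certs only work in Full."""
    report = describe_cert(cert, now)
    reasons = []
    if report["self_signed"]:
        reasons.append("self-signed")
    if report["expired"]:
        reasons.append("expired")
    if not name_matches(report["dns_names"], hostname):
        reasons.append("hostname not in SAN")
    report["strict_ok"] = not reasons  # issuer trust itself is only checked by the live probe
    report["reasons"] = reasons
    return report


def fetch_origin_cert(host: str, port: int = 443, server_name: Optional[str] = None,
                      timeout: float = 5.0) -> dict:
    """Connect straight to the origin (use its IP as `host` to bypass the proxy, and the
    site name as `server_name` for SNI). A verified handshake means a publicly trusted
    chain; a verification failure means self-signed, expired, mismatched, or a private CA
    such as Cloudflare Origin CA, and the PEM is returned for manual inspection."""
    server_name = server_name or host
    ctx = ssl.create_default_context()  # public trust store + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return {"publicly_trusted": True, "cert": tls.getpeercert()}
    except ssl.SSLCertVerificationError as exc:
        pem = ssl.get_server_certificate((host, port))
        return {"publicly_trusted": False, "reason": exc.verify_message, "pem": pem}


# Constructed sample certificates in getpeercert() dict form (not real certificates).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_CA = ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),))
_LEAF = ((("commonName", "www.example.com"),),)
SAMPLES = {
    "self_signed": {"subject": _LEAF, "issuer": _LEAF, "notAfter": "Jan  1 00:00:00 2039 GMT",
                    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))},
    "ca_issued": {"subject": _LEAF, "issuer": _CA, "notAfter": "Mar 15 12:00:00 2025 GMT",
                  "subjectAltName": (("DNS", "*.example.com"),)},
    "expired": {"subject": _LEAF, "issuer": _CA, "notAfter": "Jan  1 00:00:00 2023 GMT",
                "subjectAltName": (("DNS", "www.example.com"),)},
}


def demo() -> dict:
    """Assess each sample against the site name, with a fixed clock."""
    return {name: assess(cert, "www.example.com", now=SAMPLE_NOW) for name, cert in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:  # usage: python origin_check.py ORIGIN_IP [site.name]
        print(fetch_origin_cert(sys.argv[1], server_name=sys.argv[2] if len(sys.argv) > 2 else None))
    for name, report in demo().items():
        print(name, report)
```

Run it against the origin's IP (not the proxied hostname, or you will see Cloudflare's edge certificate instead). A `publicly_trusted: True` result with the GoDaddy issuer confirms the GoDaddy certificate is what the origin serves and still needs renewing; a verification failure plus a self-signed subject/issuer pair is the plain Full case described in the reply above.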

This is an IIS server, and I have never done anything with a certificate other than installing/updating the GoDaddy certificate for the past few years.

Are you saying that if I don’t need to send email, and all traffic is https://, I can install Cloudflare’s Origin CA certificate on the origin server, and I don’t need the GoDaddy cert at all? If so, this is good news as I spend a lot of money each year on SSL certs for servers.

I also run a few VMs and websites which are running on IIS on my Windows Server 2012 R2 machine, all proxied via :orange: Cloudflare :wink:

Yes, correct. Exactly :slight_smile:

I am sorry to hear this :cry:

If there is a need, you can always generate and use Let’s Encrypt for e-mail, web traffic, FTP and other kinds of traffic, if this helps you in some cases for further use.
