HTTPS certificate authentication – turn off

Hi,

I used Cloudflare to protect my website for about a month without any issues since it started working. Yesterday, the Let’s Encrypt certificate, which my domain service provided, expired. The domain provider refuses to renew it because, according to their rules, they would only do it if their nameservers were set for DNS. The provider offers me the option of using a self-signed certificate and recommends turning off HTTPS certificate authentication on the CDN (Cloudflare). Does that make any sense? How can I do that?

Thank you so far

It does not.

I am not quite sure why they’d refuse to renew it, you could try renewing it manually and then importing it (if that is possible). Alternatively, you could get an origin certificate from Cloudflare and have your host configure that one instead.

I’d advise against a self-signed certificate as that would require you to downgrade to a less secure “Full” setting. If your host is not cooperative when it comes to any of these alternatives I’d suggest you switch host.

I think it’s because they want their clients to use their SSL protection, which is their new service. I can’t manually turn on the Let’s Encrypt certificate; their admins do not allow that according to their rules. If you don’t have their nameservers, it’s impossible to prolong it. How can I get the origin certificate from Cloudflare, please, and configure my host? I would like to do that to make it work.

Thank you

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

Will your host let you use a CF origin certificate, even though they don’t allow you to use an LE certificate? That seems a bit inconsistent, but on the other hand, as long as it works, end users will just see the CF edge certificate anyway.

In case I would want to use a self-signed certificate anyway, what should I set to make it work? Thank you

I’d really first check the origin certificate. A self-signed certificate is better than none, but as it can’t be verified it is vulnerable to MITM attacks.

I know that it’s a less safe option, but how do I do that anyway? I will try to set the origin certificate later, but I need the websites to be working as soon as possible. Thank you

Setting up an origin certificate takes just as much time as a self-signed one. You just need to configure either on your website and then Cloudflare to (preferably) “Full strict” or (not preferably) to just “Full”. What I mentioned in my first response.
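The difference between the two modes mentioned above, as an added example that is not part of the original thread: a strict check only accepts a certificate that chains to a CA the verifier trusts, while a non-strict check accepts whatever certificate the origin presents. The CA name `demo-origin-ca`, the host `example.test` and the function names are assumptions made for this sketch, and the two check functions are simplified models, not Cloudflare's implementation.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and certificates in a temp directory, no network use.
# "demo-origin-ca" is a stand-in for a CA the proxy trusts; example.test is a placeholder host.

make_certs() {
  dir=$1
  # 1. The CA that the strict check trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-origin-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # 2. An origin certificate issued by that CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$dir/origin.key" -out "$dir/origin.csr" 2>/dev/null
  openssl x509 -req -in "$dir/origin.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/origin.pem" 2>/dev/null
  # 3. A self-signed certificate for the same host name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
}

# Model of "Full (strict)": the chain must validate against the trusted CA.
full_strict_check() {  # args: ca_file cert_file
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# Model of "Full": the link is encrypted, but any parseable certificate is accepted,
# so the proxy cannot tell the real origin from another party presenting its own certificate.
full_check() {  # args: cert_file
  if openssl x509 -in "$1" -noout >/dev/null 2>&1; then echo accept; else echo reject; fi
}

demo() {
  d=$(mktemp -d)
  make_certs "$d"
  echo "CA-issued cert,   strict: $(full_strict_check "$d/ca.pem" "$d/origin.pem")"
  echo "self-signed cert, strict: $(full_strict_check "$d/ca.pem" "$d/self.pem")"
  echo "self-signed cert, full:   $(full_check "$d/self.pem")"
  rm -rf "$d"
}
demo
```
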

Regarding self-signed certificate, I have set SSC on my domain, I changed the SSL protection to full, websites still don’t work.

Without details it is impossible to say anything.

I get that, what details, please, do you need me to share with you?

Domain and server IP.

https://prokopacek.cz
91.239.200.59

Well, the site loads fine with the certificate, however you are starting a redirection loop by redirecting your naked domain to “www” and then “www” to your naked domain.

That’s an issue on your server that you need to fix there.

I turned off redirecting to www, the website seems to be working, but without SSL, or only limited. HTTPS seems to be working somehow, but unsecured. Is that what you meant regarding how it is going to behave?

HTTPS can’t be unsecured 🙂

What exactly do you mean by that? The warning message? That is because it is a self-signed certificate as I mentioned originally.

Yes, exactly. Okay, thank you so far. I’ll try to set the origin certificate later.

You will get a similar warning with an origin certificate, as these certificates are not trusted by browsers either, but only in a Cloudflare context. You will need to go through Cloudflare, however that should already work with a self-signed at this point too.

What do you mean exactly, please, by going through Cloudflare?