If the origin certificate expires


#1

When the origin certificate expires, will there be a connection problem for visitors?

My ssl setting is FULL on Cloudflare. Thanks.


#2

If it’s just Full (not Full/Strict), I believe the certificate will still work with Cloudflare, as Cloudflare doesn’t seem to error-check the certificate.


#3

It will work on Full. My origin certificates expired months ago. :slight_smile:


#4

For security, you should use valid, non-expired certificates and Full (strict) mode, though.


#5

An expired cert doesn’t harm the encryption itself. :thinking:


#6

But it does nothing to prevent the connection from being MITMed by anything with any certificate.

Edit: It helps against passive attackers, but not active attackers.
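
An added example, not taken from any post in this thread, that makes the point of #2 through #6 concrete: Full accepts any certificate that completes a TLS handshake, while Full (strict) requires a chain that verifies against a trusted CA, is unexpired and matches the hostname. The script shows both checks with the openssl CLI, plus an expiry countdown you can put in a cron job. It assumes openssl and GNU date are installed; the hostname origin.example.test, the IP arguments and the throwaway CA are constructed fixtures, not anyone's real origin.

```shell
#!/bin/sh
# Added example (not from the thread). Contrasts what Cloudflare's Full mode
# accepts (any cert that completes a handshake) with what Full (strict)
# requires (valid chain, unexpired, hostname match), using the openssl CLI.
# Assumptions: openssl and GNU date available; hosts/IPs below are placeholders.

# Days until the certificate in PEM file $1 expires (negative once expired).
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_s=$(date -u -d "$end" +%s)
  now_s=$(date -u +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# Offline equivalent of Full (strict): leaf $1 must chain to CA bundle $2,
# be unexpired, and carry a SAN/CN matching hostname $3. Exit 0 = accepted.
strict_check() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Live check against the origin, bypassing Cloudflare by dialling the origin
# IP ($2) with SNI for $1. Without -verify_return_error, s_client exits 0
# whenever the handshake completes, regardless of expiry or issuer: Full.
lax_live_check() {
  printf '' | openssl s_client -connect "$2:443" -servername "$1" \
    >/dev/null 2>&1
}

# Same connection, but -verify_return_error aborts on any verification
# failure (expired, untrusted issuer, name mismatch): Full (strict).
strict_live_check() {
  printf '' | openssl s_client -connect "$2:443" -servername "$1" \
    -CAfile "$3" -verify_return_error >/dev/null 2>&1
}

# Constructed test fixtures in directory $1: a throwaway CA, a 10-day leaf
# it signed for origin.example.test, and an unrelated self-signed cert.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:origin.example.test\n' > "$1/leaf.ext"
  openssl x509 -req -days 10 -in "$1/leaf.csr" -CA "$1/ca.pem" \
    -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/leaf.ext" \
    -out "$1/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 5 \
    -subj "/CN=origin.example.test" \
    -addext "subjectAltName=DNS:origin.example.test" \
    -keyout "$1/self.key" -out "$1/self.pem" >/dev/null 2>&1
}

# Stand-alone demo on the constructed fixtures.
demo() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  echo "leaf days left: $(cert_days_left "$dir/leaf.pem")"
  if strict_check "$dir/leaf.pem" "$dir/ca.pem" origin.example.test; then
    echo "leaf: passes strict verification"
  fi
  if ! strict_check "$dir/self.pem" "$dir/ca.pem" origin.example.test; then
    echo "self-signed: rejected by strict verification (Full would accept it)"
  fi
  rm -rf "$dir"
}
demo
```

Against a real origin, run `lax_live_check` and `strict_live_check` with the same hostname and origin IP: an expired or self-signed origin cert passes the first and fails the second, which is exactly why visitors see no error under Full while an active attacker between Cloudflare and the origin can present any certificate. `cert_days_left` on the origin's PEM file is the cheap cron check that would have caught the months-expired certificates mentioned above.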


#7

Agreed.

I must add that access to my web servers is restricted to CloudFlare, SSH through VPN and a few static IPs, and a jump host with 2FA via Duo Security. Maybe that’s why I somewhat ignore whether the cert is valid or not.

And renewing Let’s Encrypt certificates via CloudFlare protected hosts is a mess.


#8

How so? I have…the acme thingie (it’s early here)…on my servers and it looks like .well-known access is letting me renew my certs.


#9

I got a timeout the last time I tried it. Even after setting an Any - Any - Allow rule. So it’s not the firewall. Did I miss something? :thinking:

I used an exposed host to renew the certs in the past but…


#10

My servers block anything that’s not Cloudflare (but 22 is open to my home IP). Certbot runs every week with the webroot flag and that seems to keep it happy.

