I have configured my Cloudflare in the following manner:
I have selected Full (strict) SSL.
And I have kept the “Always Use HTTPS” option disabled to ensure that my site’s AutoSSL renewal does not have problems.
Presently everything’s running perfectly.
However, if, even after keeping “Always Use HTTPS” disabled, my site still runs into AutoSSL renewal problems, then to get rid of this problem permanently, I have read online that I need to install a Cloudflare origin certificate into my site’s cPanel.
I know how to create the CF origin certificate and the private keys, but I am confused regarding the right way to install these into my cPanel.
Here are a couple of articles which explain how to install the Cloudflare certificate into cPanel, but these two articles use two different methods in cPanel.
I would be really grateful if you could kindly check and tell me which of the two is the correct cPanel procedure. This is explained at the bottom of the articles.
Well, I am not quite sure why your AutoSSL fails when you have the “Always Use HTTPS” option disabled.
But a workaround is to disable the Always Use HTTPS option at Cloudflare.
It should work, as it would access via HTTP (which somehow it needs and uses that way to renew it).
Nevertheless, regarding the usage of the Cloudflare Origin CA certificate and the headache the AutoSSL renewing process causes you, I’d like to ask first whether you are using that cPanel for your e-mail too or not.
I ask because, from my experience with cPanel hostings and the CF Origin CA certificate, I don’t know the reason why, but any time I installed the certificate to cPanel, cPanel installed it across all sub-domains - www, autoconfig, webmail, mail, sub, etc. - even if I generated the CF Origin CA certificate only for the naked (root) domain and www.
So, somehow cPanel is when it comes to this.
Nevertheless, we cannot use Cloudflare Origin CA certificate for e-mail. It works only for web traffic (HTTP / HTTPS).
Furthermore, I am afraid we cannot use both AutoSSL for “mail” and the Cloudflare Origin CA certificate for “domain.com www sub, etc.”, since cPanel unfortunately installs that Cloudflare Origin CA certificate for all sub-domains automatically, therefore there is no way to use AutoSSL.
Another fact about cPanel: when we install the CF Origin CA certificate, cPanel will always show an “expired” or “not valid” certificate warning for the Cloudflare Origin CA certificate.
You should ignore this warning and just make sure your SSL/TLS settings are set correctly to Full (Strict) SSL in the Cloudflare dashboard.
What I knew to do to get and renew my AutoSSL certificate, whenever I had to renew the SSL certificate, and what I’d suggest to you, is to switch the DNS records to (DNS-only). Then wait for 10-15 minutes. Start the AutoSSL renewing process. Upon success, once you verify your website is loading without any HTTPS error, switch them back to .
Bottom line, as for the two articles you mentioned, it might depend on my question: “are you also using e-mail from the same cPanel hosting, or not?”.
Either use the Cloudflare Origin CA certificate, or stick with AutoSSL - but when it’s time to renew it you can (as already suggested → disable Always Use HTTPS), or you would have to:
Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
The link is in the lower right corner of that page.
Give it five minutes to take effect, then make sure the site is working as expected with HTTPS without any error.
Check with your hosting provider / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and renew it.
Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).
The thing is, I remember a few cases where AutoSSL failed to renew on a cPanel hosting and 50 of my websites went down for a few hours, since the clients had implemented so-called HSTS.
Nevertheless, in one case the error was something with cPanel AutoSSL, so I had to manage to switch all of them to Let’s Encrypt via cPanel.
Later on, when it was fixed, I switched back to AutoSSL.
The second case I heard from my colleague in a data center. And something similar happened to me, and I had to write to DC support to find a solution for me overnight, because my client could be mad in the morning if he saw his service(s) weren’t working.
And the fact is, the domains weren’t using Cloudflare at all.
Meaning, this happens from time to time.
If you’d search a bit for “autossl failed” or similar terms, you could find a number of cases and topics on cPanel forums: