Installing Cloudflare Origin SSL in Cpanel, which is the right method

Hi Friends,

Thank you very much for your continued support.

Just a few days ago I integrated Cloudflare with my site and everything is running great at the moment.

However I am slightly worried and want to make sure that my site does not face any problems while its auto SSL gets renewed every 90 days.

My site is hosted on a VPS account with an Auto SSL installed and my site redirects all HTTP requests to HTTPs/www, through htaccess.

Domain name: homemade-circuits.com

I have configured my Cloudflare in the following manner:

  1. I have selected Full (strict) SSL.
  2. And I have kept “Always use HTTPs” option disabled to ensure that my site’s Auto SSL renewal does not have problems.

Presently everything’s running perfectly.

However, suppose that even after keeping “Always use HTTPs” disabled my site still runs into Auto SSL renewal problems; then, to get rid of this problem permanently, I have read online that I need to install a Cloudflare origin certificate into my site’s cpanel.

I know how to create CF origin certificate and the private keys, but I am confused regarding the right way to install these into my cpanel.

Here are a couple of articles which explain how to install the Cloudflare certificate into cpanel, but these two articles use two different methods in Cpanel.

I would be really grateful if you could kindly check and tell me which out of the two is the correct CPANEL procedure? This is explained at the bottom of the articles.

Thanks so much in Advance!

Swag

Greetings,

Thank you for asking.

Well, I am not quite sure why your AutoSSL fails when you have “Always Use HTTPS” option disabled :thinking:

But, a workaround is to disable the Always Use HTTPS option at Cloudflare.
It should work, as it would access via HTTP (which somehow it needs and uses that way to renew it).

Nevertheless, regarding the usage of Cloudflare Origin CA Certificate and the headache the AutoSSL renewing process causes to you, I’d like to ask firstly if you are using that cPanel for your e-mail too or not?

I ask, because from my experience with cPanel hostings and CF Origin CA Certificate, I don’t know why and the reason why, but anytime when I installed the certificate to the cPanel, the cPanel installed it all over all sub-domains - www, autoconfig, webmail, mail, sub, etc., even if I generated the CF Origin CA Certificate only for naked (root) domain and www.

So, somehow cPanel is :poop: when it comes to this.

Nevertheless, we cannot use Cloudflare Origin CA certificate for e-mail. It works only for web traffic (HTTP / HTTPS).

Furthermore, I am afraid we cannot use both AutoSSL for “mail” and Cloudflare Origin CA certificate for “domain.com www sub, etc.”, as far as cPanel unfortunately installs that Cloudflare Origin CA certificate for all sub-domains automatically, therefore no way to use AutoSSL :confused:

The other fact of cPanel when we install CF Origin CA certificate, cPanel will always say “expired” or “not valid” certificate warning for Cloudflare Origin CA certificate.
You should ignore this warning and just make sure your SSL/TLS settings are set correctly to the Full (Strict) SSL at Cloudflare dashboard.

What I knew to do to get and renew my AutoSSL certificate, if I had to renew the SSL certificate: I’d suggest you switch the DNS records to grey cloud (DNS-only). Then wait for 10-15 minutes. Start the AutoSSL renewing process. Upon success, and once you verify your website is loading without any HTTPS error, switch them back to orange cloud.

Bottom line, from your both mentioned articles, it might depend as my question “are you also using e-mail from the same cPanel hosting, or not?”.

Either use Cloudflare Origin CA certificate, or stick with AutoSSL - but, when it’s the time to renew them you can (as already suggested → disable Always Use HTTPS), or you would have to:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com.
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure site is working as expected with HTTPS without any error
  4. Check with your hosting provider / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and renew it
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

My post covering all that here:

Thank you so much fritex, for your kind reply,

My site has not failed the Auto SSL renewal process yet. I am only anticipating that it might fail after about 25 days, and I am preparing for that possibility.

However, if you are perfectly sure that keeping “Always Use HTTPS” option disabled will not cause this problem, then that’s great news for me and I don’t have to worry at all.

However, I am just trying to be prepared for a situation if at all my site SSL renewal fails even after keeping the “Always Use HTTPS” option disabled.

My cpanel is not associated with any email ID. And I have no plans of associating an email ID with my cpanel account.

Awaiting your kind reply.

Best Regards
Swag

Got it, I understand you.

The thing is, I remember a few cases where AutoSSL failed to renew on a cPanel hosting and 50 of my websites went down for a few hours, as the clients had implemented so-called HSTS.

Nevertheless, in one case the error was something with cPanel AutoSSL, so I had to manage to switch all of them to Let’s Encrypt via cPanel.
Later on, when it was fixed, I switched back to the AutoSSL.

The second case I heard about from my colleague in a data center. And something similar happened to me, and I had to write to DC support to find a solution for me overnight because my client could be mad in the morning if he saw his service(s) weren’t working.

And the fact, the domains weren’t using Cloudflare at all.

Meaning, this happens from time to time.

If you’d search a bit “autossl failed” or similar terms, you could find a number of cases and topics on cPanel forums:

OK, thanks for your reply.

So I will keep “Always HTTPs ON” disabled and hope I don’t have problems with my Auto SSL renewals.

Thanks again for your valuable time.
