Is Universal SSL Needed When "Full" End-to-End SSL setting is used?

I have been using Cloudflare for a website (WordPress) for a while. So I added two new websites. Both are basically identical WordPress setups on the same VPS with the same IP address. When the DNS switched, one website worked and the other was getting an SSL error. I saw that Universal SSL was working on the one that worked and the other had an “initialization error”.

I looked at the main SSL setting of the website I had used with Cloudflare for years and noticed the SSL setting was set to “Full” End-to-End instead of the default “Flexible.”

I set both new websites to Full. That didn’t fix the problem until I disabled Universal SSL on the website where Universal SSL had failed to initialize.

My question is, is there any downside to using the Full SSL setting instead of Flexible? My websites automatically renew their SSL certs with Let's Encrypt! Is there any benefit to having Universal SSL enabled in this scenario?

You should use “Full (strict)”.

“Flexible” is HTTP only to your origin, even if the user is using HTTPS to Cloudflare. This means the connection is not encrypted to your origin server and data is therefore in the clear and at risk between Cloudflare and your origin.

“Full (strict)” ensures the certificate on your origin server is signed by a trusted CA, covers your hostname and is valid (in date). You should always use that mode.

“Full” uses the certificate on your origin to encrypt the traffic, but does not validate the certificate, which means that if the connection is intercepted or diverted, you and your users will not know. So this mode is also insecure.

As your host is handling LetsEncrypt on your origin for you, you can just switch to “Full (strict)”. You should keep Universal SSL enabled (so Cloudflare generates and updates the edge certificate) and use “Full (strict)” so your origin certificate is used to secure the connection from Cloudflare to your origin.

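The difference between “Full” and “Full (strict)” described in the answer above comes down to whether the proxy validates the origin certificate's issuer, hostname and validity period. The following Go program is an added example (not code from the original post, nor Cloudflare's own implementation): it spins up a local HTTPS server with a self-signed certificate to stand in for the origin, then connects to it the way an edge proxy in each mode would. The hostname `origin.example` is a hypothetical name, the `x509.CertPool` passed to `probe` plays the role of the edge's trust store, and an empty pool stands in for public roots that do not contain a self-signed certificate. A self-signed origin certificate is also exactly what an interceptor between the edge and the origin would present, which is why the “Full” result is the important one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Mode mirrors the Cloudflare origin settings discussed in the thread.
// "Flexible" is omitted: it makes no TLS connection to the origin at all.
type Mode int

const (
	Full       Mode = iota // TLS to origin, certificate NOT validated
	FullStrict             // TLS to origin, issuer + hostname + validity checked
)

// newOriginCert issues a self-signed certificate for hosts, valid until notAfter.
// It has no trusted issuer, so it looks exactly like what a man-in-the-middle presents.
func newOriginCert(hosts []string, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hosts[0]},
		DNSNames:              hosts,
		NotBefore:             notAfter.Add(-48 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startOrigin runs a local HTTPS "origin" presenting cert (a stand-in for the real
// server). The returned pool contains that cert, i.e. a trust store that trusts it.
func startOrigin(cert tls.Certificate) (*httptest.Server, *x509.CertPool, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello from origin")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		srv.Close()
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return srv, pool, nil
}

// probe connects to originURL as an edge in the given mode would, expecting the
// certificate to be for hostname and issued by something in trusted, and
// classifies the outcome.
func probe(mode Mode, originURL, hostname string, trusted *x509.CertPool) string {
	cfg := &tls.Config{ServerName: hostname, RootCAs: trusted}
	if mode == Full {
		cfg.InsecureSkipVerify = true // "Full": encrypt, but trust whatever is presented
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(originURL)
	if err == nil {
		resp.Body.Close()
		return "accepted"
	}
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	var ci x509.CertificateInvalidError
	switch {
	case errors.As(err, &ua):
		return "rejected: untrusted issuer"
	case errors.As(err, &hn):
		return "rejected: hostname mismatch"
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "rejected: expired"
	}
	return "rejected: " + err.Error()
}

func main() {
	host := "origin.example" // hypothetical origin hostname
	cert, _ := newOriginCert([]string{host}, time.Now().Add(24*time.Hour))
	srv, pool, err := startOrigin(cert)
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	fmt.Println("Full, self-signed origin:     ", probe(Full, srv.URL, host, x509.NewCertPool()))
	fmt.Println("Full (strict), untrusted:     ", probe(FullStrict, srv.URL, host, x509.NewCertPool()))
	fmt.Println("Full (strict), wrong hostname:", probe(FullStrict, srv.URL, "www.example.org", pool))
	fmt.Println("Full (strict), trusted:       ", probe(FullStrict, srv.URL, host, pool))
}
```

The first line of output is the one that matters for the thread: “Full” accepts a certificate nobody vouches for, so an attacker who can redirect edge-to-origin traffic gets accepted just the same. “Full (strict)” only accepts the connection once the certificate chains to the trust store, carries the expected hostname and is within its validity window, which a renewing Let's Encrypt certificate on the origin satisfies.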

I’m back to having a cipher mismatch error in the browser still. It’s saying an “internal error” at Let's Encrypt, and yes, it does look like Universal SSL is needed unless I’m mistaken, as that is to encrypt between the client and the Cloudflare proxy server, correct?

Correct.

What is your domain name? Someone can then take a look.

