Let's Encrypt and Cloudflare. How to set them up?


#1

Hi. I don’t know how to make these work together. These are my actions:

In the Cloudflare dashboard I’m disabling

  • SSL (off)
  • HSTS
  • HTTPS rewrites
  • Universal SSL

I’m leaving TLS 1.3 and 1.0 (default) enabled, plus Authenticated Origin Pulls.

Then I’m pausing Cloudflare and disabling DNS (clouds). Then I’m installing Let’s Encrypt and checking if it works with https://www.sslshopper.com. It works, but my site is inaccessible. In Firefox I get the SSL_ERROR_NO_CYPHER_OVERLAP error.

After this I tried enabling safe SSL for the domain in DirectAdmin, and I checked “use the symbolic link private_html to public_html”.

Nothing changes.

Can anyone help with what to do and in which sequence? My site is swiadomosc-zwiazkow.pl


#2

The issues here are multiple.

If you want to connect via HTTPS through Cloudflare you need to keep SSL and Universal SSL enabled at a minimum. Then you should use Always Use HTTPS to redirect everything to HTTPS. HSTS is optional; understand the potential consequences before enabling it, especially preload. HTTPS rewrites can be useful and only work while connecting via HTTPS, so enable it.

Authenticated Origin Pulls isn’t doing what you imagine; it’s not HTTPS requests to the origin. Read the help underneath it.

The way Cloudflare connects to the server depends on the user’s connection type (HTTP will always go through as HTTP) and the SSL setting (Flexible: always HTTP, although not recommended; Full: always HTTPS without verifying the certificate; Full (Strict): HTTPS with a valid cert).

To enable Let’s Encrypt use Certbot with the webroot method; it doesn’t require disabling Cloudflare.


#3

First, set up your webserver with SSL from Let’s Encrypt. Don’t bother with Cloudflare at this point until it’s correct. Turn off the orange cloud in the DNS settings.

I don’t know what your webserver is, but this one should help you:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Then, after everything is good, you can turn on the orange cloud in the Cloudflare DNS settings and set SSL to Full (Strict).

Now, if you want Authenticated Origin Pulls, turn on the option, download the Cloudflare cert for it and implement it on your server.
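As an added example (not from this thread or from Cloudflare), the following nginx origin configuration puts the three pieces from the post above together: a Let’s Encrypt certificate with a Mozilla “intermediate” TLS profile, port 80 kept open only for ACME HTTP-01 validation, and Authenticated Origin Pulls enforced with Cloudflare’s origin-pull CA. The domain `example.com`, the certbot webroot `/var/www/letsencrypt`, and the CA path `/etc/ssl/cloudflare/origin-pull-ca.pem` are assumptions; substitute your own.

```nginx
# Added example, not from the thread. Assumed: certbot --webroot writes
# challenge files to /var/www/letsencrypt, the domain is example.com, and the
# Cloudflare origin-pull CA was saved as /etc/ssl/cloudflare/origin-pull-ca.pem.

# Port 80 stays open: ACME HTTP-01 validation must reach this path over
# plain HTTP; everything else is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Let's Encrypt certificate and key, at the paths certbot uses by default.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Mozilla "intermediate" profile: TLS 1.2/1.3 with AEAD suites only.
    # SSL_ERROR_NO_CYPHER_OVERLAP means the browser and the server share no
    # protocol version or cipher suite; this list is one every current
    # browser can negotiate.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Authenticated Origin Pulls: only accept TLS clients that present a
    # certificate issued by Cloudflare's origin-pull CA, so requests that
    # bypass the proxy and hit the origin IP directly are refused.
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client on;

    root /var/www/html;
    index index.html;
}
```

Two practical checks: with `ssl_verify_client on`, external scanners such as sslshopper and your own browser pointed at the origin IP will be rejected on 443, so verify the certificate before enabling that block; and because the challenge path is served directly on port 80, certbot renewals keep working even after Cloudflare is switched back on, provided the proxy lets the HTTP request through (see the Page Rule discussed later in the thread).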


#4

Thank you. I’m on shared hosting and don’t have those advanced Apache configuration options (shell); I only have access to DirectAdmin + FTP + automatic Let’s Encrypt installation.

OK, then:

  • I enabled Universal SSL
  • SSL is off now

And my 2 questions.

  1. Full or Full (Strict) for Let’s Encrypt, and which is better for performance/site speed?
  2. Set it + HTTPS rewrites before I’m installing the LE certificate and disabling the cloud buttons, or later?

And the last one: must I create a Cloudflare certificate, or will Let’s Encrypt encrypt in both ways?


#5

Full (Strict); as far as speed goes, it’s the same.

Well, it then depends on how the hosting does it, that is something you need to ask them.

If you can provide your own certificate there put in one of Cloudflare’s Origin Certificates, they are free, last up to 15 years and are trusted only by Cloudflare.


#6

Here: https://nickjanetakis.com/blog/lets-encrypt-vs-cloudflare-for-https

They don’t recommend free certificates.

As for installation of Let’s Encrypt, my host redirected me here.


#7

Going to comment on the main things.

Now, you can opt into using their “Full SSL” option instead, but now you lose the ease of use from the “Flexible SSL” option because you need to configure your own web server for SSL instead of just making a DNS change.

Including the previous section. This is correct, but you need to secure your website as well, plus it can be a one time thing every 15 years if you use their free Origin Certificates.

The above is easily enough reason to avoid them like the plague, but they also used shared SSL certificates. That means the SSL certificate being served with your domain is also being served to dozens or hundreds of other unrelated sites.

Come on, “avoid them like the plague” is absurd. The recommended method above is always Full (Strict), which validates and encrypts the connection on both sides of their POPs. Obviously they still decrypt the data at the nodes, but every proxy CDN does the same (Akamai even uses their own domain, Fastly, etc.); there is no solution to this.

Also no one will care about the list of domains (not Google’s SEO rules, not 99.999% of users), and new ones are not shared anymore. I don’t know if you need to re-add the domain or ask support for the switch if it was shared previously. (@cloonan, would you mind confirming this?)

You Can Get a Dedicated SSL Certificate With Cloudflare, But…

It’s going to end up costing $5 / month per domain name.

That means if I wanted to protect all of my course sites as well as this site (which is 4 sites at the time of writing this article) I would need to spend $20/month for SSL certificates. No thanks!

That’s way more expensive than most SSL vendors. They typically charge $10 per year.

Solved above; new ones aren’t shared any more.

Cloudflare hijacks your DNS, which means their servers are hit first when someone tries to resolve your domain name, then it in turn sends the traffic to your server. So ignoring the SSL issues we went over above, you may experience much slower load times on your site when using Cloudflare (especially if you use their free plan).

They are a reverse-proxy type of CDN; that’s their whole point, completely unrelated to SSL. Most likely there are much better load times, since the path customer <-> Cloudflare <-> origin is better than direct customer <-> origin. Also they can cache your content, reducing load on your server, if configured correctly obviously.

Unlike Cloudflare, there’s no monthly fees or additional fees for SSL certificates. Once you have it all configured, you can sit back and relax while cron and Let’s Encrypt does everything for you. It’ll work for life and it’s free.

Cloudflare also has a great and unlimited free plan, with a global CDN, a non-shared SSL certificate and multiple other benefits.

This guy is basically trying to sell his course, which is fine by me, but it’s not really fair. Let’s Encrypt is great, but it’s not really a comparison with Cloudflare; you can use them both.


#8

I use Let’s Encrypt on my server with Cloudflare. What I’d suggest is first get Let’s Encrypt installed on your domain and make sure it works. I installed it with the command line, but if you are on shared hosting you’ll have to use a different method. I’d put Cloudflare on pause while you do this, and change your DNS back to your origin server while you install Let’s Encrypt. It might not be absolutely necessary, but it narrows down possible places to go wrong.
At the moment your site is HTTP only. Once you have your certificate installed you ought to be able to connect to https://yourdomain.
Then turn your DNS back to Cloudflare’s servers and unpause Cloudflare. In the Crypto settings choose:

  • SSL = Full (Strict)
  • Always Use HTTPS = On
  • HTTP Strict Transport Security: I’ve left this alone
  • Authenticated Origin Pulls: I’ve left this alone too
  • Minimum TLS Version = 1.1
  • Opportunistic Encryption = On
  • Onion Routing: I have this on
  • TLS 1.3 = Enabled
  • Automatic HTTPS Rewrites = On
  • Disable Universal SSL: I’ve left this one alone too

I seem to remember that it might take Cloudflare time to generate a certificate: a few hours, or up to 24 hours for a free site. Your green padlock should then show a Cloudflare cert rather than a Let’s Encrypt one.

Hope that helps.


#9

I just wanted to make a note on this thread: if you are using LE and Cloudflare at the same time you might need to add a rule for the ACME challenge URL, or auto-renewals of LE certificates might fail while the CF proxy is enabled.

This is a simple rule to disable SSL forcing on the ACME requests.

yourdomain.com/.well-known/acme-challenge/

Set this as the URL the rule runs on, but replace it with your domain. Then under “The settings are” pick SSL and set it to Off. This allows LE, when checking the domain over HTTP, to make a connection to do verification.
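As an added example that is not part of the post above, here is the same Page Rule created with curl against the Cloudflare v4 API, plus a check that the challenge path is answered over plain HTTP rather than redirected. It assumes an API token with Page Rules edit permission in `CF_API_TOKEN`, the zone ID in `CF_ZONE_ID`, and the zone name in `DOMAIN`; the URL pattern adds leading and trailing wildcards so that both `www` and the apex, and any token filename, match.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed environment: CF_API_TOKEN
# (token with Zone -> Page Rules -> Edit), CF_ZONE_ID (from the zone
# overview page), DOMAIN (the zone name, e.g. example.com).

# JSON body for a Page Rule matching *DOMAIN/.well-known/acme-challenge/*
# with the SSL setting forced to Off, so HTTP-01 requests are proxied over HTTP.
acme_pagerule_payload() {
    domain="$1"
    printf '{"targets":[{"target":"url","constraint":{"operator":"matches","value":"*%s/.well-known/acme-challenge/*"}}],"actions":[{"id":"ssl","value":"off"}],"priority":1,"status":"active"}' "$domain"
}

# Create the rule through the API.
create_acme_pagerule() {
    curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/pagerules" \
        -H "Authorization: Bearer ${CF_API_TOKEN}" \
        -H "Content-Type: application/json" \
        --data "$(acme_pagerule_payload "$1")"
}

# Proof that the rule is in effect: a request to the challenge path over
# plain HTTP must be answered by the origin (a 404 for a bogus token is
# fine), not redirected to HTTPS by the proxy.
check_acme_path() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/test-token-does-not-exist")
    case "$code" in
        301|302|307|308) echo "redirected ($code): rule not in effect"; return 1 ;;
        *) echo "answered over HTTP ($code)"; return 0 ;;
    esac
}

# Only talk to the API when the credentials are actually present.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE_ID:-}" ] && [ -n "${DOMAIN:-}" ]; then
    create_acme_pagerule "$DOMAIN"
    echo
    check_acme_path "$DOMAIN"
fi
```

Run `check_acme_path` again after the proxy is re-enabled; if it still reports a redirect, an Always Use HTTPS setting or a second rule with higher priority is taking precedence over this one.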


#10

One main problem: with SSL enabled and entering my site over HTTPS, it has terrible TTFB.

See here: https://swiadomosc-zwiazkow.pl/emocjonalni-uczuciowi-mezczyzni-pogardzani-przez-kobiety/

1 second in GTmetrix
without: 300 ms


#11

If you’re on a free plan and have a shared certificate, you can ask support to issue a new certificate. I’m looking for similar requests in order to anticipate their reply, not seeing any just yet. In September ’18 we moved new free plans away from shared certificates and did the same for new Pro plans earlier this year. Great newish SSL article here: https://support.cloudflare.com/hc/en-us/articles/204151138-Understanding-Universal-SSL

(PS - if you do put in the request to support, pls share the ticket number here to track their reply)


#12

Can confirm it works; Alex has been great and has been changing all of mine. A couple of minutes of disabled SSL and everything is done.

Ticket number 1652146 @cloonan, all of them done.