Let's Encrypt SSL certificate added to Cloudflare Dedicated SSL Certificate

dash-crypto
#1

For more than a year now, my website has been using a Cloudflare Dedicated SSL certificate which I pay on a monthly basis to maintain, for the website to return HTTPS.

Recently, I’ve moved web hosts, and the new web hosts have installed a free Let’s Encrypt SSL certificate onto my website through cPanel. The reason for this is not clear, and their explanations have not been either.

What is the purpose of “Let’s Encrypt”? Why do I need it when I was already using a paid Cloudflare SSL certificate? Why is it that now, if I cancel the Let’s Encrypt certificate through cPanel, the website will go down entirely and return a 404 error instead of using the Cloudflare SSL like it did before?

I’m not sure I understand what the point of this Let’s Encrypt SSL was.

#2

Even with Cloudflare SSL, your origin server/web host still needs a way of encryption the connection between Cloudflare and the origin.

In flexible mode, Cloudflare uses HTTP instead of HTTPS to connect, which means the origin does not need a certificate installed but it also means the connection between Cloudflare and the origin is plain text (which is very bad).

In order to ensure the connection is secure between CF and your origin, you do need a valid SSL certificate on your origin. This can either be a Cloudflare “origin CA”-issued certificate (only valid between CF and the origin) or an actual, CA-valid certificate like the ones issued at LetsEncrypt and traditional CAs. This is why you need LetsEncrypt (or any other CA), so that your connection is secure end-to-end.

So you should keep the letsencrypt certificate, otherwise the connection between CF and the origin won’t be secure and could be MITM’d.

1 Like
#3

So even though I was using a dedicated Cloudflare certificate with SSL level “Full” before, Let’s Encrypt as a different valid certificate is there to encrypt the connection between Cloudflare and the origin, which I assume was not done to the same extent previously?

#4

Since you have it set to “full” (and not strict), CF was set to allow any certificate, even self signed, just as long as SSL was working correctly. Chances are your host either had an old certificate or a self-signed certificate installed, and now it just uses a valid LetsEncrypt certificate.

The dedicated certificate you pay for at Cloudflare is just between CF and the visitor, so no matter what certificate you have at your origin, CF will show the certificate you bought.

3 Likes