Letsencrypt CF-proxy and Full(Strict)

My system is: gcloud+Ubuntu+Apache+Drupal+LetsEncrypt.

To get the CF proxy, which is the most useful in the free plan, I had to make a lot of tweaks. That is since I wanted to keep the certificate from LetsEncrypt. And to do so, I had to make sure that LetsEncrypt is working on its own while CF proxy and SSL are both off, and to choose Full(Strict) and Proxy on after that.

At the end, the certificate that is showing up is Cloudflare's one and not LetsEncrypt. Perhaps that was intentional; Cloudflare carrying on the certification made by a recognizable CA which is in this case LetsEncrypt. That's the way I saw it lately.

Of course the moment I remove Full(Strict) and set CF Proxy off, and after waiting for a while of course, the certificate is showing as LetsEncrypt. But that almost defeats the use of Cloudflare in the first place. I think that then the caching is still on, but without the proxy, the speed would be compromised.

So because I thought that I should see LetsEncrypt in the green lock, I had to set SSL completely off, but then, without setting the proxy off, I get a Too Many Redirects error.

Are my settings fine or am I getting something wrong here?

For all intents and purposes my settings now are: SSL: Full(Strict), Proxy On, LetsEncrypt is tested and functional but the green lock is showing Cloudflare Inc.

It looks like Full (strict) will allow many users to reach CF and retrieve content with only a small amount of requests from CF to your origin server to populate the cache. With Full (strict), you are requiring CF to:

  • Make an HTTPS request to your origin server
  • Require a valid certificate (see detailed requirements here)
  • Require that the valid certificate is from a valid Certificate Authority (list here)

That is different from another setting Strict (SSL-Only Origin Pull), where every request to CF results in a request to your origin server (detailed info here).

Some of what you are seeing makes sense to me: Seeing CF cert when Full(strict) is configured, for instance.

The too many redirects might be an SSL option throwing a wrench in the works. See Cloudflare SSL options incompatible with your origin web server, for instance.

Best of luck!

You can break this down to two services:

  1. Cloudflare DNS. Your entry is set to :grey: and visitors go directly to your site.
  2. Cloudflare Reverse Proxy: Your entry is set to :orange:, and Cloudflare provides caching/optimization, and security.

Option 2 happens regardless of SSL setting. But it’s a reverse proxy, so visitors are hitting Cloudflare’s servers. Unless you’re on a Business or Enterprise plan, HTTPS will use Cloudflare’s TLS/SSL certificate because it’s their server. If you’ve set SSL to Full/Strict, Cloudflare will grab data from your server using HTTPS because you have your own SSL certificate there.

To summarize, it’s good that you have Let’s Encrypt on your server. It provides end-to-end encryption. And it’s normal to see a Cloudflare certificate when you’ve enabled the Cloudflare proxy.
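As an added example (not from this thread, and not Cloudflare's or the poster's configuration), here is an Apache origin vhost fragment for the Too Many Redirects case mentioned above. It assumes the origin redirects HTTP to HTTPS (a placeholder hostname and document root are used) and shows a redirect that stays quiet when the request already arrived over TLS at either the proxy or the origin:

```apache
# Added example, not from the thread. Assumes the origin Apache vhost
# redirects HTTP to HTTPS, which is the usual cause of the
# "Too Many Redirects" loop behind the orange-cloud proxy.
<VirtualHost *:80>
    # Placeholder values
    ServerName example.com
    DocumentRoot /var/www/drupal

    RewriteEngine On
    # Redirect only when neither the origin connection (%{HTTPS}) nor
    # the visitor's connection to Cloudflare (X-Forwarded-Proto) was TLS.
    #  - Full (strict): Cloudflare connects to port 443, so this vhost
    #    never sees proxied traffic and the rule is dormant.
    #  - Flexible: Cloudflare fetches over port 80 but forwards
    #    X-Forwarded-Proto: https, so the second condition stops the loop.
    #  - SSL "Off": Cloudflare itself redirects https -> http, so no
    #    origin rule can break the loop; drop the redirect or change mode.
    # X-Forwarded-Proto is only trustworthy if the origin accepts web
    # traffic solely from Cloudflare's published IP ranges (firewall it).
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```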

Thanks @chroisa. I have reached these pages on many occasions. I have been over all the links you have mentioned, excluding the Strict (SSL-Only Origin Pull) which is enterprise specific. In fact your last linked article Cloudflare SSL options incompatible with your origin web server was the only way to find out why things were not working as expected in a very common Too Many Redirects error case.

I think that CF proxy, LetsEncrypt and SSL settings in CF might get confusing for noobs like me, who never dealt with DNS caching, let alone CF.

Thanks a lot @sdayman for reassuring. Just what I needed to know!

