Move Existing site that forces https on siteground

dash-dns
dash-crypto
#1

I have a new customer and we want to move them to siteground using cloudflare. First they will NOT point their name servers to siteground. They will make the needed changes on their dns to point it to cloudflare/siteground.

We moved the site to the new server at siteground and can see it via the ip and changing my host record. We managed to point the site to siteground long enough to generate a cert on siteground and then change dns via this article: https://www.siteground.com/tutorials/cloudflare/external-domain/

In the wordpress options table we have both the site and url set to the url with the https:// in it.

After we make the change the site resolves correctly but we get the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. We can’t wait 24 hours for a cert to be generated. This site can’t be down for 10 minutes and it can’t run without https because it has SO many links from other locations that point to https.

Can someone tell me how to switch this over using cloudflare and all the certs pre-generated? Siteground is struggling to figure this out for me. Thanks!

#2

You could set the DNS records to :grey: and wait until the certificate is issued. Visitors will connect to the origin and the current certificate will show up.

As soon as your SSL status is ‘active’ here you can change them to :orange:

Welcome aboard :slight_smile:

1 Like
#3

Thanks for the reply Mark. Originally we had it pointed to siteground but they get so much traffic it crashed the site. I am already using the business plus plan so I need cloudflare in play to help the server handle the load.

Are you telling me we can point DNS to Cloudflare and it will pass through all traffic to the origin and bypass cloudflare altogether and will still generate the ssl cert?

#4

Yes, once your nameservers are pointing to Cloudflare, even with the record set to :grey: the certificate issuing process will start. Once it has been issued, you can then switch to :orange: to use the Cloudflare features.

I always recommend changing all DNS records to :grey:, then switching the nameservers. Then wait for the certificate to be issued and enable :orange: on the relevant records.

#5

I am not quite sure about your question, but if it is whether you can have your domain point to Cloudflare and use their DNS servers without actually proxying through Cloudflare’s servers, then yes, you can do that. As @MarkMeyer and @domjh explained you will need to switch the respective records from :orange: to :grey:, after which it will resolve directly to your server.

However, as far as the SSL certificate is concerned, you will need one on your server in any case, regardless whether you proxy or not.

#6

We aren’t using cloudflare’s DNS server. Since it is hosted at siteground they force the use of their DNS servers. If that would work then the main issue is still that the server at siteground can’t handle the traffic on its own without cloudflare. Is there a way to generate the cert before we make the move? Would the $5 cert I have the option to purchase under edge certs fix this issue altogether?

#7

If it is currently pointing directly to the server then it wouldn’t make any difference to the load by changing to Cloudflare DNS set to :grey:, it would work as it currently does as long as all the DNS records are correct.

As soon as the cert is issued, you can then switch to :orange: to gain the benefits of Cloudflare.

I don’t believe so, they don’t issue the cert until the nameservers point to them.

Make sure that when you make the switch, you have the SSL mode in Cloudflare set to Full (strict) so you don’t cause a redirect loop, as it sounds like you already have a valid cert on your server.

#8

Ok, that is what I thought. Right now they are hosting the site on Amazon using a caching mechanism from Amazon. They have one cert issued by Amazon. Typically if we were moving the site to siteground I could purchase a cert beforehand, proving ownership via domain owner email or setting a DNS record.

So they are moving from Amazon to Siteground with cloudflare at the edge. Given that most people are now running SSL on their site someone needs to figure out a way to move a site to another hosting provider utilizing cloudflare without downtime and running https. This seems a little silly to me at this point that there is no other way to prove ownership other than changing DNS and then bringing the site down for a period of 24 hours to generate certs.

#9

It generally doesn’t take a full 24hrs… What is probably recommended, is to change the nameservers to Cloudflare but have the DNS records there pointing to Amazon set to :grey: if you can, then once the cert is issued, then change the records to point to the new host.

On paid plans it doesn’t take 24hrs.

#11

It is a paid subscription. Unfortunately I can’t change the name servers to cloudflare because the client wants to maintain control which I understand because it is a LARGE organization and worldwide. I couldn’t if I wanted anyways because when I click on DNS I get this:

Your DNS zone file is hosted by SiteGround.com, a Cloudflare partner. Changes to your DNS settings must be made through the SiteGround.com website

I was looking at the crypto options and per your earlier post it says if I set it to strict then it uses the cert that is already installed at siteground. When we tried before it was set to flexible. You think with strict it will serve via https using the cert on the server now and I won’t get the cipher error? Trying not to upset the customer too much by their site going down every time we try to flip the dns records. Luckily they are setting a super low TTL time so we can switch back to the amazon server pretty quick. Thanks for all your help on this everyone!!

#12

If it is a partner setup, the plans are different and you would need to contact your host for assistance. Every partner setup is slightly different so we (definitely I) generally struggle to help.

If you have a cert on your server and are currently using HTTPS then you should definitely switch to Full (strict). Flexible means that CF tries to connect to your origin over HTTP, not HTTPS so often causes issues if you redirect traffic to HTTPS on the server.

#13

Perfect thanks! Yes I am forcing https on the server through wordpress because I have https in the siteurl in the db in the options table.

Finally if it is set to strict will I still get an error until cloudflare generates the cert or will it try to use the cert on the server and still show the site? Any way to test this setup before you switch it? Kind of like how I change my host record to point a website to a server when global dns isn’t setup yet?
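
A pre-cutover check in the spirit of the hosts-record trick mentioned in this thread, added here as an example and not posted by any participant: it handshakes with the new origin's IP while sending the real hostname as SNI, and reports whether the certificate validates against the local trust store (used as a stand-in for what a strict edge-to-origin mode requires). The function names, the 7-day threshold and the sample IP and hostname are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone


def check_origin_cert(origin_ip, hostname, port=443, timeout=5.0):
    """Handshake with origin_ip while sending `hostname` as SNI (hypothetical helper).

    Equivalent to a temporary hosts-file entry, without touching public DNS.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    result = {"ok": False, "error": None, "protocol": None,
              "cipher": None, "names": [], "days_left": None}
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
    except ssl.SSLCertVerificationError as exc:  # expired, wrong name, untrusted
        result["error"] = f"certificate rejected: {exc.verify_message}"
        return result
    except ssl.SSLError as exc:  # no shared protocol version or cipher, etc.
        result["error"] = f"TLS handshake failed: {exc.reason or exc}"
        return result
    except OSError as exc:  # refused, unreachable, timed out
        result["error"] = f"connection failed: {exc}"
        return result
    result["names"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, tz=timezone.utc)
    result["days_left"] = (expires - datetime.now(timezone.utc)).days
    result["ok"] = True
    return result


def cutover_verdict(result, min_days=7):
    """Turn a check result into a go/hold line for the DNS change."""
    if not result["ok"]:
        return "HOLD: " + result["error"]
    if result["days_left"] < min_days:
        return f"HOLD: certificate expires in {result['days_left']} days"
    return "GO: origin presents a trusted certificate for this hostname"


if __name__ == "__main__":
    # Constructed values: a documentation-range IP and a placeholder hostname.
    print(cutover_verdict(check_origin_cert("203.0.113.10", "www.example.com")))
```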

#14

As I am not too familiar with partner setups, I am going to see if @cscharff will jump in here to answer your last couple of questions! :grin:

#15

So SiteGround would need to handle this for you. They could potentially either A. allow you to provide a cert of your own that they upload, B. provide you with the information to populate a file on the .well-known-pki path, C. allow you to configure CNAME validation records, or D. allow you to do email validation for a cert.

Those are the possibilities that Cloudflare supports for SSL issuance; now which of those SiteGround may support I can’t say. I have no insight into their processes or policies. But you might ask if any of those are a possibility…

1 Like