Need straightforward explanation about how CF Certificates works

What is the name of the domain?

mydomain.com

What is the issue you’re encountering?

My SSL certificate always expires after 3 months and does not auto-renew, even though I have the 15-year CF origin certificate.

What steps have you taken to resolve the issue?

I tried different combinations of changing encryption mode from Full (Strict) to full, also disabling the CF Edge Certificates (Universal SSL).

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

I’m having a hard time with Cloudflare certificates and I’m struggling to understand the issue I’m facing. I need a straightforward explanation of all the certificates and the best approach to using them under Cloudflare, as I have many expirations, and my website is not accessible even though I’m following the documentation. My setup is as follows for any scenario below:

  • I’m always using Full (strict) for the current encryption mode
  • My DNS is proxied
  • CF Edge Certificates (Universal SSL) are enabled

Difficulties I’m facing:

  • I tried using Let’s Encrypt with Cloudflare, but it is not auto-renewing after three months, causing my website to stop working frequently.
  • I attempted to use the 15-year CF Origin Server SSL, but it expires after three months as well.
  • I tried using my own SSL (DigiCert), and while it works, I need to disable the Cloudflare proxy.

Now I’m having a hard time knowing the best way to ensure the SSL certificate will keep updating and working without issues while providing the best security and performance.

  • Do I need to disable CF Edge Certificates (Universal SSL) when using any certificate?
  • What is the best way to use CF Origin Server SSL for 15 years without issues?
  • What is the most effective and secure method?

Thanks

When you use the Cloudflare proxy, you need 2 certificates:

  • One on your server to secure the connection between Cloudflare and your server. This is called the origin certificate.
  • One on Cloudflare to secure the connection between visitors and Cloudflare. This is called the edge certificate.

The edge certificate is managed by Cloudflare and is always valid for 90 days and renews 30 days before expiration.
But for the origin certificate, you have options. You can either use your own certificate, or an origin certificate provided by Cloudflare.

It does not. What you see expire after 3 months is the edge certificate.

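The reply above describes two separate certificates: a 90-day edge certificate that Cloudflare renews 30 days before expiry, and an origin certificate on your own server. A quick way to see which one you are actually looking at is to fetch the certificate twice: once through the proxied hostname (you get the edge certificate) and once directly against the origin IP with SNI set to the hostname (you get the origin certificate). The script below is an added example, not code from the original thread or from Cloudflare; the sample certificate dicts are constructed to mimic what `ssl.SSLSocket.getpeercert()` returns, the issuer-matching rule (“Cloudflare” and “Origin” in an issuer attribute) is my assumption, and the `cafile` path for Cloudflare’s Origin CA root is a placeholder you must fill in yourself.

```python
"""Classify and check expiry of the edge vs. origin certificate of a proxied site.

Added example for the thread above; not Cloudflare's code. Uses only the
standard library. Live fetching needs network access; the sample certs are
constructed and let the checks run offline.
"""
import socket
import ssl
import time

# Per the reply above: edge certs renew 30 days before expiry. Anything inside
# this window that has NOT renewed yet is worth investigating.
RENEWAL_WINDOW_DAYS = 30

# Constructed sample in the shape of ssl.SSLSocket.getpeercert() (not real certs).
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "mydomain.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",   # 90-day edge certificate
}
SAMPLE_ORIGIN_CERT = {
    "subject": ((("organizationName", "CloudFlare, Inc."),),
                (("commonName", "CloudFlare Origin Certificate"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "CloudFlare, Inc."),),
               (("organizationalUnitName", "CloudFlare Origin SSL Certificate Authority"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2040 GMT",   # 15-year origin certificate
}


def issuer_attributes(cert):
    """Flatten getpeercert()'s nested issuer tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify_certificate(cert):
    """Return 'origin' for a Cloudflare Origin CA cert, else 'edge'.

    Assumption: an Origin CA cert is recognised by an issuer attribute that
    mentions both "cloudflare" and "origin". Origin CA certs are trusted only
    by Cloudflare's edge, never by browsers, so seeing one at the public
    hostname means the proxy is off or the wrong cert is installed.
    """
    for value in issuer_attributes(cert).values():
        lowered = value.lower()
        if "cloudflare" in lowered and "origin" in lowered:
            return "origin"
    return "edge"


def expiry_epoch(cert):
    """notAfter as seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Days remaining on the certificate; negative once expired."""
    now = time.time() if now is None else now
    return (expiry_epoch(cert) - now) / 86400.0


def renewal_status(cert, now=None):
    """'expired', 'renewal-due' (inside the 30-day window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= RENEWAL_WINDOW_DAYS:
        return "renewal-due"
    return "ok"


def report(cert, now=None):
    """Summary dict for one certificate."""
    return {
        "kind": classify_certificate(cert),
        "issuer": issuer_attributes(cert),
        "days_left": round(days_until_expiry(cert, now), 1),
        "status": renewal_status(cert, now),
    }


def fetch_peer_cert(hostname, connect_ip=None, cafile=None, port=443, timeout=5.0):
    """Fetch the certificate presented for `hostname` (requires network).

    connect_ip=None   -> connect via DNS; with the proxy on you see the EDGE cert.
    connect_ip=<origin IP> -> connect straight to your server with SNI=hostname,
                         so you see the ORIGIN cert.
    cafile -> PEM of Cloudflare's Origin CA root (placeholder path; download it
              yourself). Required to validate an Origin CA cert, since it is not
              in the system trust store; with cafile set, ONLY that CA is trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((connect_ip or hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demo on the constructed samples; pretend it is 10 days before the edge cert expires.
    pretend_now = expiry_epoch(SAMPLE_EDGE_CERT) - 10 * 86400
    print("edge  :", report(SAMPLE_EDGE_CERT, pretend_now))
    print("origin:", report(SAMPLE_ORIGIN_CERT, pretend_now))
    # Live use (uncomment and fill in):
    # print(report(fetch_peer_cert("mydomain.com")))
    # print(report(fetch_peer_cert("mydomain.com", connect_ip="ORIGIN_IP_PLACEHOLDER",
    #                              cafile="/path/to/cloudflare-origin-ca.pem")))
```

If the edge report shows `renewal-due` and the certificate still has the same `notAfter` a few days later, that is the point to raise with Cloudflare; if the public hostname returns a certificate classified as `origin`, browsers will reject it, which matches the symptom of the site becoming unreachable when the proxy is turned off.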

So, to confirm, I need to use the following as best practice (when the Cloudflare proxy is on):

  • Full (strict) mode enabled.
  • Use the CF Edge Certificates (Universal SSL), which will always auto-renew 30 days before expiration.
  • On the server side, either use the 15-year CF Origin Server SSL or install my own SSL certificate.

Also, if possible, to help me with the following:

  • Is there any situation where CF Edge Certificates (Universal SSL) can conflict with my own certificate?
  • What will happen in the above scenario if the CF Edge Certificates (Universal SSL) did not auto-renew? Can this happen?
  • What is the difference between using the 15-year CF Origin Server SSL and installing my own purchased SSL certificate?

Thanks

Yes on all 3 counts.

Using Cloudflare does often interfere with issuing your own certificates. There are workarounds, but using the CF Origin Cert is the easiest way.

It can happen, but it’s very rare. I believe Cloudflare sends you a warning if your certificate is about to expire, but the certificate system is very stable and usually has no problems.

CF Origin certificate can only be used if the domain is proxied. If you don’t proxy via Cloudflare, you need your own certificate.

Noted. Really appreciate your help.
