Need to set up Certificate?

Do I need to set up a certificate if I already have one through A2 hosting? I am just a beginner, but I set up with the Partial setting and am switching to the Full setup.

If your origin server already has a certificate applied, then you don’t need another one. Cloudflare takes care of the one between the user and Cloudflare.

It was mentioned in a comment that the free certificates through your host will not renew if you have Cloudflare? It was suggested to get an origin certificate through Cloudflare - they auto renew. Is this correct?

It depends on the host that you have.

They don’t auto-renew, but you can get them for 15 years

Origin certificates from Cloudflare can be handy because of the long expiration; however, they can only be used with orange-cloud traffic. If you grey-cloud (or pause Cloudflare proxy service for your whole domain), browsers will throw an error because they’re not real trusted certificates (they’re only trusted by Cloudflare’s proxy).

I don’t know anything about A2. SOME web hosts will fail to renew certificates if your DNS entries are orange clouded (example: Github Pages, Google Sites) but this is not universal. Note that SSL mode Full (non-strict) will continue functioning with an expired certificate (obviously this can be seen as a security risk). Full (strict) will break immediately if the origin certificate expires.

Again I don’t know anything about A2 but have you looked into the possibility of using LetsEncrypt / Certbot on your origin? That’s probably the most robust choice, the certificates can be used both orange-clouded and grey-clouded, automatic renewal is easy, and orange-clouding does not break automatic renewal. But if it’s just a basic web host with no shell access, it might not be an option for you.

This is all Greek to me. I am managing basic WordPress sites that are hosted on an inexpensive plan. I have subdomains, which are most of the sites I manage.

I am interested in Cloudflare because I have less expensive hosting. I can talk with A2 about the SSL expiring?

I don’t really need to speed up the sites - I am just interested in learning how to do this.

Well a lot of it depends on your web host and what they’re capable of and how you interact with their systems.

Based on a quick documentation search, it seems like A2 admits that having your DNS entries orange-clouded can cause them to fail to renew your certificate.

So you have a few different options:

  1. Use Cloudflare for DNS but don’t orange-cloud (proxy) the traffic. This means most Cloudflare features (most notably caching) won’t be available. But Cloudflare is still a great DNS host even if you never touch the proxy features.

  2. Orange-cloud the traffic and use SSL mode Full (Strict), with the understanding that your site might break if A2 fails to renew the certificate, requiring you to temporarily grey-cloud the DNS entries in order to normalize the situation. I looked at the A2 docs a bit and it seems like they’re using Sectigo for their certificates now. I don’t know much about them, but I assume they’re probably 3-month certificates. So going this route you’d be looking at potentially having to do a bit of work every 3 months to keep things running.

  3. Orange-cloud the traffic and use SSL mode Full (Non-strict). This will prevent service from being disrupted when the certificate expires, but it’s a security risk.

  4. See if A2 will let you install a Cloudflare origin certificate … I couldn’t find anything in the quick doc search I did. IF they do, and if you go this route, you’ll have to keep the DNS entries orange-clouded or browsers will throw an error.

I’m not listing Certbot as an option as I’m pretty sure it would be impossible with this setup.
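The difference between Full and Full (strict) described above (Full keeps serving on an expired or untrusted origin certificate, Full (strict) breaks the moment the origin certificate expires or does not chain to a CA the proxy trusts, and a Cloudflare origin certificate breaks in browsers as soon as the record is grey-clouded) can be checked against the certificate file you actually have before you flip the mode. The script below is an added example, not something from this thread or from A2 or Cloudflare; it only needs the `openssl` command line tool. The "Toy Origin CA" it generates is a stand-in for the Cloudflare Origin CA (an assumption made to keep the run offline), and `www.example.invalid` is a constructed hostname. To check a real origin, point the functions at the PEM file installed in cPanel instead of the generated one.

```shell
#!/bin/sh
# origin-cert-check.sh: what each Cloudflare SSL mode requires of the origin's certificate.
#   Full          -> any certificate at all, even expired or self-signed, keeps working
#   Full (strict) -> certificate must be unexpired AND chain to a CA the proxy trusts
#   grey-cloud    -> browsers reach the origin directly and need a publicly trusted chain,
#                    which a Cloudflare Origin CA certificate does not give them
# Added example; the toy CA below stands in for the Cloudflare Origin CA (assumption).
set -eu

# 0 if the certificate in $1 has not reached its notAfter date.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if the certificate in $1 will still be valid in $2 days (renewal headroom check).
cert_days_left_at_least() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if $1 chains to a CA in the bundle $2. With no $2 the system trust store is used,
# which is roughly the check a browser makes when it reaches the origin directly.
cert_trusted_by() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Prints whether traffic keeps flowing under each mode for origin cert $1,
# given $2 = bundle of CAs the proxy trusts.
ssl_mode_outcome() {
    cert="$1"; proxy_ca="$2"
    strict=breaks; direct=breaks
    if cert_not_expired "$cert" && cert_trusted_by "$cert" "$proxy_ca"; then strict=works; fi
    if cert_not_expired "$cert" && cert_trusted_by "$cert"; then direct=works; fi
    printf 'full=works full_strict=%s grey_cloud_browser=%s\n' "$strict" "$direct"
}

# --- Demo with constructed certificates; nothing below touches a real host ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
write_req_cnf() {  # $1 = output file, $2 = CN, $3 = "ca" or "leaf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
        printf '[dn]\nCN = %s\n[ext]\n' "$2"
        if [ "$3" = ca ]; then
            printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n'
        else
            printf 'basicConstraints = CA:FALSE\n'
        fi
    } > "$1"
}

# Private CA (stand-in for the Cloudflare Origin CA) and a 30-day leaf it signs
# (stand-in for the certificate installed in cPanel).
write_req_cnf "$WORKDIR/ca.cnf" "Toy Origin CA" ca
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
write_req_cnf "$WORKDIR/leaf.cnf" "www.example.invalid" leaf
openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/leaf.cnf" \
    -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORKDIR/leaf.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/leaf.pem" >/dev/null 2>&1

# The leaf is fine for the proxy (Full and Full (strict)) but not for a browser
# hitting the origin directly, which is exactly the grey-cloud failure described above.
ssl_mode_outcome "$WORKDIR/leaf.pem" "$WORKDIR/ca.pem"
if cert_days_left_at_least "$WORKDIR/leaf.pem" 60; then
    echo "renewal: not due within 60 days"
else
    echo "renewal: due within 60 days, plan the cPanel reinstall"
fi
```

For a real origin, replace the generated `leaf.pem` with the certificate exported from cPanel and `ca.pem` with the bundle your proxy trusts; `cert_trusted_by` with no bundle argument answers the grey-cloud question (would a browser trust this directly?), and `cert_days_left_at_least` with a 3-month certificate tells you whether the next renewal is already overdue before Full (strict) starts failing.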

This is what A2 says:

You can still use AutoSSL certificates on our server along with Cloudflare’s own SSL certificates. Note that the only certificate visitors to your site see will be the one provided by Cloudflare, so it doesn’t matter what SSL certificate you have installed on our end as long as one is installed. AutoSSL will work with a Full DNS setup as long as forced HTTPS redirects are disabled at Cloudflare.

A Cloudflare Origin Certificate will also work. Those are provided for free from Cloudflare and can be installed in cPanel in the SSL/TLS page.

What is the best route to go?

Right now everything is set up with Full (non-strict) so that the websites work - some didn’t work without this setting. How much of a security risk is this?

I would use the AutoSSL certs. Sounds like they will auto-renew so just easier to manage.

You can probably do full strict as the certificate on your host should be signed by a trusted CA.

O.k., is Full (strict) the recommended setting for Cloudflare? I can actually use another setting. It wasn’t working before because I was in the middle of adding new properties for my websites on the search console. I had not changed the websites to one domain yet.

Yes, always use Full (strict) if you can. Based on A2’s response it sounds like you shouldn’t have any issues, although it sounds like they want you to turn off Cloudflare’s automatic redirects to HTTPS (in Edge Certificate configuration), probably because they need HTTP to be able to reach them in order for their certificate renewal process to work. End-user attempts to use HTTP should still get forwarded to HTTPS; it’ll just be A2 doing it instead of Cloudflare (be sure to verify that this actually works as expected).
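The "verify that this actually works" step above (after Cloudflare's Always Use HTTPS is switched off, the origin must still answer plain-HTTP requests with a redirect to HTTPS on the same host) is a small check worth scripting so it can be repeated after each renewal. The script below is an added example, not from this thread or from A2; it validates captured response headers, so the header samples and the hostname `www.example.invalid` are constructed, and the `curl -sI` command in the comment is how you would feed it a live response.

```shell
#!/bin/sh
# https-redirect-check.sh: validate a captured HTTP response to confirm that plain HTTP
# is redirected to HTTPS on the same host. Feed it the output of, for example,
#   curl -sI http://www.example.invalid/ | https_redirect_ok www.example.invalid
# Added example; www.example.invalid and the header samples below are constructed.

# $1 = hostname the redirect must land on; response headers on stdin.
# Returns 0 and prints "ok ..." for a proper redirect, 1 with the reason otherwise.
https_redirect_ok() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" {print $2; exit}')
    case "$status" in
        301|302|307|308) ;;
        *) echo "no redirect: status '$status' served over plain HTTP"; return 1 ;;
    esac
    case "$location" in
        "https://$1"|"https://$1/"*) echo "ok: $status -> $location"; return 0 ;;
        *) echo "redirects to '$location', expected https://$1/..."; return 1 ;;
    esac
}

# Constructed samples standing in for `curl -sI` output:
# a correct redirect, a page served over plain HTTP, and a redirect that stays on HTTP.
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.invalid/\r\nContent-Length: 0\r\n')
SAMPLE_NO_REDIRECT=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')
SAMPLE_WRONG_TARGET=$(printf 'HTTP/1.1 302 Found\r\nLocation: http://www.example.invalid/\r\n')

for sample in "$SAMPLE_REDIRECT" "$SAMPLE_NO_REDIRECT" "$SAMPLE_WRONG_TARGET"; do
    printf '%s\n' "$sample" | https_redirect_ok www.example.invalid || true
done
```

Run it against the live site from outside Cloudflare's proxy as well as through it, since the point of the exercise is that the origin (A2), not Cloudflare, is now responsible for the redirect; a 200 over plain HTTP means the host is serving the site unencrypted.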

Thanks for all of your help! I will email A2 about what you said.

This is what A2 recommends:

To get the origin certificate for your site, log in to Cloudflare (a link that A2 gave me) and select your domain. Then, go to the “SSL/TLS” tab and select “Origin Server”. On this page, click “Create Certificate”. You will be taken to a new page to confirm, where you can click “Create”. You will then be presented with an SSL certificate and private key generated by Cloudflare. You can copy and paste this certificate and key into “SSL/TLS” > “Manage SSL Sites” in cPanel to install it. Once installed, this certificate is valid for 15 years, and you can leave proxying enabled at Cloudflare.

I would have to renew their SSL every 3 months. What do you think?
