Origin Server Cert

I created an Origin Server certificate because I’m using AutoSSL on cPanel and it won’t fetch SSL certificates (for some reason). I had a Sucuri firewall set up for my cPanel account and it did fetch AutoSSL automatically and without issue. After changing, I figured I would dig in and find out how to set everything up in Cloudflare (because it’s more popular and may offer more robust security because of its widespread use).

I created the CSR on my server, created the Cloudflare certificate with it, uploaded the certificate to my server, and installed it.

Now I’m getting an error in cPanel about a cert in the chain being self-signed (not too big a deal) and expired (kind of a big deal). At the time of writing this topic, Cloudflare issues Let’s Encrypt certs in my area.

I have three questions:

  1. How do I fix this error?
  2. Do I switch Authenticated Origin Pulls on or off?
  3. Is there an improvement to Cloudflare in the works so I can use AutoSSL with Cloudflare? Is there a record I can add to my Cloudflare DNS to authenticate AutoSSL?

Hello. You may need to proxy your DNS connections (grey cloud to orange cloud) for the SSL certificate to work.

Origin SSL certificates are just self-signed certificates issued by Cloudflare that just Cloudflare trusts. This allows them to issue up to 15-year SSL certificates (even though I don’t recommend them) that you need to install on your Origin server, and they just encrypt the connection between Cloudflare and your server. The other part of the connection is encrypted using the Edge (or Custom Hostname) certificate, which is created by Cloudflare and served to the user’s browser.

Hope it helps!
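To make the trust distinction in the reply above concrete, here is an added example (not from this thread, and not Cloudflare’s or cPanel’s own tooling) that uses the openssl CLI to build a constructed stand-in for an Origin CA root and a 15-year leaf cert, then runs the three checks an admin would want on the origin server: whether the cert verifies against the public trust store (it won’t), whether it verifies when the issuing CA is explicitly trusted (it does, which is how the Cloudflare edge uses it), and whether any cert in a chain bundle is expired or about to expire, which is the condition behind the cPanel warning. All names (`origin.example.test`, the CA subject, the file names) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed Origin-CA-style setup and the
# checks an admin would run on the origin server. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for Cloudflare's Origin CA root: a private CA that no
# browser or OS trust store knows about (names are made up).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/O=Example Origin CA (constructed)/CN=Example Origin CA Root" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# Leaf cert for the origin: CSR generated on the server, signed by the CA for
# 15 years, mirroring the CSR-then-upload flow described in the thread.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=origin.example.test" \
  -keyout origin.key -out origin.csr >/dev/null 2>&1
openssl x509 -req -in origin.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 5475 -sha256 -out origin.pem >/dev/null 2>&1

# A second leaf whose validity ends the moment it is issued (-days 0), standing
# in for the expired chain member the cPanel warning complains about.
openssl x509 -req -in origin.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 0 -sha256 -out expired.pem >/dev/null 2>&1

# Chain bundles, in the form an admin would paste into a CA-bundle field.
cat origin.pem ca.pem  > bundle.pem
cat expired.pem ca.pem > expired_bundle.pem

# Returns 0 only if the cert chains to the system's default (public) trust store.
verify_public() {
  openssl verify "$1" >/dev/null 2>&1
}

# Returns 0 if the cert verifies when the issuing CA ($2) is explicitly trusted,
# which is the only way an Origin CA cert ever verifies.
verify_with_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 only if every cert in the PEM bundle $1 is still valid $2 seconds from
# now (openssl x509 -checkend); one expired or nearly expired cert fails the chain.
chain_all_valid() {
  rm -f chainpart_*.pem
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("chainpart_" n ".pem") }' "$1"
  for part in chainpart_*.pem; do
    openssl x509 -in "$part" -noout -checkend "$2" >/dev/null 2>&1 || return 1
  done
  return 0
}

# Stand-alone run: report each check.
if verify_public origin.pem; then
  echo "origin.pem: trusted by the public store"
else
  echo "origin.pem: NOT trusted by the public store (expected for an Origin CA cert)"
fi
verify_with_ca origin.pem ca.pem && echo "origin.pem: verifies with the Origin CA root supplied"
chain_all_valid bundle.pem 86400 && echo "bundle.pem: no cert expiring within a day"
chain_all_valid expired_bundle.pem 86400 || echo "expired_bundle.pem: a chain member is expired"
```

Against a live origin the equivalent expiry and issuer check is `openssl s_client -connect <origin-ip>:443 -servername <host> </dev/null 2>/dev/null | openssl x509 -noout -dates -issuer`; a browser-facing check has to be made against the proxied hostname instead, because that is where the edge certificate, not the origin certificate, is served.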

Which DNS connection should I proxy?

Here’s a screenshot of the warning in cPanel.

In Cloudflare dashboard, the A, AAAA and CNAME records that you want to have SSL certificates with Cloudflare.

Since you’re using cPanel and Cloudflare Origin CA Certificate, may I ask if you’re going to use e-mail too? I assume your hosting and e-mail IP is the same :thinking:

I’d like to share my post, which includes 2 more posts and more information in detail, if interested to take a look (if that’s a question):

Yes. I’m using email, too. Yes it is the same ip.

It proxies email traffic, bypassing Cloudflare and Cloudflare’s SSL. However, I’ve had no warnings about email not being encrypted.

Thanks for the article about the warning. Since it said the cert was expired, I thought perhaps Cloudflare or Let’s Encrypt had an expired cert in the chain.

Also, when I pause the site to fetch the AutoSSL cert, Cloudflare says:
Cloudflare continues to resolve the DNS. You can reactivate Cloudflare for this website at anytime.

Will DCV work with Cloudflare resolving the DNS?
Can’t I just put the ACME or Well-Known info in Cloudflare as a record somehow?
Or can’t that and other DCV info be proxied through like the mail?