Purchasing a cert from Cloudflare?

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?
Yes

Please share your search results url:

When you tested your domain using the Cloudflare Diagnostic Center, what were the results?
Yes. Pages come up fine for now.

Describe the issue you are having:
I would like to purchase a cert from Cloudflare. A few years ago this was possible @ $5/month. Is this still possible? What is the monthly charge?

What error message or number are you receiving?
N/A

What steps have you taken to resolve the issue?
N/A

Was the site working with SSL prior to adding it to Cloudflare?
Yes

What are the steps to reproduce the error:
N/A

Have you tried from another browser and/or incognito mode?
OK

Please attach a screenshot of the error:
N/A

If you’re thinking of the Advanced Certificates, they are $10/month, but you probably don’t need one. What are you trying to accomplish? Cloudflare edge certificates are free, certificates for your origin server are free, and your site is working now via HTTPS.

2 Likes

Thanks for your reply.

I just came back to CF. How do I get the Cloudflare edge certificates onto my Linode VPS. I’ve been searching for a way to do that, and thought this could all be avoided by paying them. Is there a URL describing how to do this?

Thanks.

Lester

Previously, Cloudflare certificates were shared between customers, and if you wanted to have a dedicated SSL certificate for your domain, you needed to pay. Its pricing was:

  • $5/month if you wanted to include yourdomain.tld and *.yourdomain.tld in the certificate.
  • $10/month if you wanted to include additional hostnames (ie. yourdomain.tld, *.yourdomain.tld and *.subdomain.yourdomain.tld).

Cloudflare has been issuing dedicated SSL certificates for free for at least two or three years (when I started using Cloudflare).

Since then, because Universal SSL certificates are now dedicated to your domain and protect yourdomain.tld and *.yourdomain.tld, Cloudflare has removed the $5/month certificate and improved the $10/month one, letting you select CA, certificate duration, add custom hostnames, and more.

They have also published a blog post about that:

Here you have:

Hope it helps!

1 Like

You don’t put the edge certificate on your server. That stays on the Cloudflare edge.

You do need a certificate on your web server. Cloudflare does provide certificates for this purpose (for free) that are only valid for communication between Cloudflare and your server. However, it will probably actually be easier to just use a real certificate on your web server.

Right now, your site is working via HTTPS. What is the encryption mode you have selected? In Cloudflare’s dashboard, if you select the website, then SSL/TLS, there are four options. The one you want is “Full (Strict)”. If that is what you’re using right now, you are done.

If not, and assuming you are using a standard OS install at Linode like Debian, you can easily set up Certbot to give you a free certificate from Let’s Encrypt. There are instructions here.

2 Likes

Hi. Yes, I have had Let’s Encrypt certs on ingber.com for a few years, but now they are giving me only grief. I would like to change to CF certs. I still do not see how:

On Enable Universal SSL certificates · Cloudflare SSL/TLS docs I see:

Full DNS setup

For an authoritative or full domain — domains that changed their domain nameservers – your domain should automatically receive its Universal SSL certificate between 15 minutes to 24 hours of domain activation. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

This certificate covers your root domain (example.com) and all first-level subdomains (subdomain.example.com).

However, I do not see where to fill out any info or download a template, etc.?

That is why I came to this page.

Lester

Edge certificates are automatic. You needn’t do anything. Your site already has one.

I would like to purge Let’s Encrypt and start again with Cloudflare certs. For example, on Re: Your certificate (or certificates) for the names listed below will expire in 17 days (on 20 Sep 22 01:23 +0000) - Help - Let's Encrypt Community Support I appreciate the help there (as well as here), but Let’s Encrypt is likely mangled beyond recognition and I’d like to get on with an alternative approach to getting my site working without my certs expiring.

Cloudflare is using my Let’s Encrypt cert since it was present when I transferred to CF. I see now that has complicated matters a bit.

I have gone through the steps for Ubuntu on Install the Cloudflare certificate · Cloudflare Zero Trust docs but that does not seem to be enough.

Cloudflare is deprecating their DigiCert (Cloudflare Inc ECC CA-3 & RSA CA-2) certification authority, and they are moving to Let’s Encrypt and Google Trust Services (GTS). When adding your website to Cloudflare, it generated an SSL certificate for it. You should be able to change the CA via the API, but for almost all of the cases, it isn’t necessary. Advanced Certificate Manager also allows you to obtain SSL certs from Sectigo (only via the API).

Edge certificates are non-exportable, and Cloudflare generates them for you unless you have the Business ($200/month/zone) plan, which allows you to upload one SSL certificate.

That won’t work for you. Since Cloudflare edge certificates are non-exportable, you’ll need to install what’s called an Origin certificate on your server. Those are certificates that are only trusted by Cloudflare and they establish a secure connection between CF and your server.

Remember that you need to proxy (grey cloud to orange cloud) your site’s DNS connections to use Cloudflare and its SSL certificates.

The Let’s Encrypt certificate you see when you visit your site in a browser is Cloudflare’s edge certificate. This is set up automatically for you and no action is necessary on your part to configure it or to renew it.

If you want to stop using Let’s Encrypt on your server itself, you can install a Cloudflare Origin Certificate instead. These are good for years but only for connections between Cloudflare and your server (meaning you must always have your DNS entry proxied for your website to work). In the Cloudflare Dashboard, choose your domain name and then go to SSL/TLS and choose Origin Server. There, you have the option to generate an Origin Certificate that you can install on your server.

2 Likes
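An added example, not part of any reply in this thread: a shell check that reports who issued the certificate a server presents and whether it is near expiry, which is how you can tell an edge certificate from the one installed on the origin. The function names are hypothetical, the issuer match strings are assumptions to confirm against your own certificate, and the sample certificate is constructed locally so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Requires the openssl command-line tool.

# Map an issuer line from `openssl x509 -noout -issuer` to a short label.
# The match strings are assumptions about issuer names; verify them locally.
classify_issuer() {
  case "$1" in
    *"CloudFlare Origin"*) echo "cloudflare-origin-ca" ;;  # trusted only by Cloudflare
    *"Let's Encrypt"*)     echo "lets-encrypt" ;;          # publicly trusted
    *)                     echo "other" ;;
  esac
}

# Summarise PEM file $1: issuer label, then "renew-soon" if the certificate
# expires within $2 days (default 30), otherwise "ok".
cert_status() (
  days=${2:-30}; state=ok
  issuer=$(openssl x509 -in "$1" -noout -issuer) || exit 1
  openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null || state=renew-soon
  echo "$(classify_issuer "$issuer") $state"
)

# Fetch the leaf certificate served at address $2 for SNI name $1.
# Pass the origin server's own IP as $2 to bypass the Cloudflare proxy.
fetch_cert() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Constructed sample: a self-signed certificate, valid for 10 days, whose
# issuer imitates the Origin CA name. It is not a real Cloudflare certificate.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 -keyout "$1.key" \
    -subj "/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority" \
    -out "$1" 2>/dev/null
  rm -f "$1.key"
}

sample=$(mktemp)
make_sample "$sample" && cert_status "$sample" 30
rm -f "$sample"

# Live use (hostname and origin IP are placeholders):
#   fetch_cert example.com 203.0.113.10 > origin.pem && cert_status origin.pem
```

Running `fetch_cert` against the public hostname shows the edge certificate; running it against the origin's IP shows what Cloudflare sees in Full (Strict) mode.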

Thanks for those details. I had a temp internet glitch in my hotel, and am now trying to install the Origin Certificate.

That attempt failed and now my website is down. I guess I could start with a new website, but I’d prefer not.

Your site being down is unrelated to certificates. Your domain is failing to resolve due to a DNSSEC error. This problem wasn’t there yesterday, so whatever you did, change it back. In particular, try disabling DNSSEC.

1 Like
