If you’re thinking of the Advanced Certificates, they are $10/month, but you probably don’t need one. What are you trying to accomplish? Cloudflare edge certificates are free, certificates for your origin server are free, and your site is working now via HTTPS.
I just came back to CF. How do I get the Cloudflare edge certificates onto my Linode VPS? I’ve been searching for a way to do that, and thought this could all be avoided by paying them. Is there a URL describing how to do this?
Previously, Cloudflare certificates were shared between customers, and if you wanted to have a dedicated SSL certificate for your domain, you needed to pay. Its pricing was:
$5/month if you wanted to include yourdomain.tld and *.yourdomain.tld in the certificate.
$10/month if you wanted to include additional hostnames (i.e. yourdomain.tld, *.yourdomain.tld and *.subdomain.yourdomain.tld).
Cloudflare has been issuing dedicated SSL certificates for free for at least two to three years (when I started using Cloudflare).
Since then, because Universal SSL certificates are now dedicated to your domain and protect yourdomain.tld and *.yourdomain.tld, Cloudflare has removed the $5/month certificate and improved the $10/month one, letting you select CA, certificate duration, add custom hostnames, and more.
You don’t put the edge certificate on your server. That stays on the Cloudflare edge.
You do need a certificate on your web server. Cloudflare does provide certificates for this purpose (for free) that are only valid for communication between Cloudflare and your server. However, it will probably actually be easier to just use a real certificate on your web server.
Right now, your site is working via HTTPS. What is the encryption mode you have selected? In Cloudflare’s dashboard, if you select the website, then SSL/TLS, there are four options. The one you want is “Full (Strict)”. If that is what you’re using right now, you are done.
If not, and assuming you are using a standard OS install at Linode like Debian, you can easily set up Certbot to give you a free certificate from Let’s Encrypt. There are instructions here.
For an authoritative or full domain — domains that changed their domain nameservers – your domain should automatically receive its Universal SSL certificate between 15 minutes to 24 hours of domain activation. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA).
This certificate covers your root domain (example.com) and all first-level subdomains (subdomain.example.com).
However, I do not see where to fill out any info or download a template, etc.?
Cloudflare is deprecating their DigiCert (Cloudflare Inc ECC CA-3 & RSA CA-2) certification authority, and they are moving to Let’s Encrypt and Google Trust Services (GTS). When adding your website to Cloudflare, it generated an SSL certificate for it. You should be able to change the CA via the API, but for almost all of the cases, it isn’t necessary. Advanced Certificate Manager also allows you to obtain SSL certs from Sectigo (only via the API).
Edge certificates are non-exportable, and Cloudflare generates them for you unless you have the Business ($200/month/zone) plan, which allows you to upload one SSL certificate.
That won’t work for you. Since Cloudflare edge certificates are non-exportable, you’ll need to install what’s called an Origin certificate on your server. Those are certificates that are only trusted by Cloudflare and they establish a secure connection between CF and your server.
Remember that you need to proxy ( → ) your site’s DNS connections to use Cloudflare and its SSL certificates.
The Let’s Encrypt certificate you see when you visit your site in a browser is Cloudflare’s edge certificate. This is set up automatically for you and no action is necessary on your part to configure it or to renew it.
If you want to stop using Let’s Encrypt on your server itself, you can install a Cloudflare Origin Certificate instead. These are good for years but only for connections between Cloudflare and your server (meaning you must always have your DNS entry proxied for your website to work). In the Cloudflare Dashboard, choose your domain name and then go to SSL/TLS and choose Origin Server. There, you have the option to generate an Origin Certificate that you can install on your server.
Your site being down is unrelated to certificates. Your domain is failing to resolve due to a DNSSEC error. This problem wasn’t there yesterday, so whatever you did, change it back. In particular, try disabling DNSSEC.
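For the origin-side setup discussed in the thread (a certificate on the web server, with the mode set to “Full (Strict)”), here is a pre-flight check of the certificate file before it is installed. This is an added example, not part of any post above; the function names, file names and the self-signed sample certificate are constructed for illustration, and the check does not verify the issuer, which Full (Strict) also requires to be a publicly trusted CA or Cloudflare’s Origin CA.

```shell
#!/bin/sh
# Added example: check that an origin certificate covers a hostname and is
# not about to expire. Requires OpenSSL 1.1.1 or newer (for -addext).

# check_origin_cert CERT_PEM HOSTNAME [MIN_DAYS]
# Returns: 0 ok, 1 hostname not covered, 2 expires within MIN_DAYS,
#          3 file missing or not a certificate.
check_origin_cert() {
  cert="$1"; host="$2"; min_days="${3:-30}"
  openssl x509 -in "$cert" -noout 2>/dev/null || return 3
  # -checkhost prints "... does match certificate" or "... does NOT match ..."
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
       | grep -q "does match"; then
    return 1
  fi
  # -checkend exits non-zero if the certificate expires within N seconds
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
    >/dev/null 2>&1 || return 2
  return 0
}

# make_sample_cert DIR DAYS
# Constructed sample: a self-signed stand-in for an origin certificate that
# covers the root domain and first-level subdomains only.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" \
    -keyout "$1/origin.key" -out "$1/origin.pem" 2>/dev/null
}

# Demo on the constructed certificate: the wildcard covers www.example.com
# but not the second-level name a.b.example.com.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 90
for h in example.com www.example.com a.b.example.com; do
  check_origin_cert "$demo_dir/origin.pem" "$h" \
    && echo "$h: ok" || echo "$h: FAIL (code $?)"
done
rm -rf "$demo_dir"
```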