Question before purchasing SSL cert

So I’ve recently moved my domain over to CF, and in doing so have stuffed up the certificates pretty badly.

I have installed the Origin Server CA; however, it has broken my cert for email.

My question is, if I purchase a certificate through Cloudflare, then install it on my web server, does this publicly signed certificate also act as the Origin Server CA, or is the origin CA not needed anymore?

Just want to clarify before purchasing another cert.

Thanks

My question is, if I purchase a certificate through Cloudflare, then install it on my web server, does this publicly signed certificate also act as the Origin Server CA, or is the origin CA not needed anymore?

Cloudflare does not offer publicly trusted origin certificates. Cloudflare Origin CA certificates are self-signed certificates and used to encrypt traffic between Cloudflare and your origin web server.

You cannot download an edge certificate to be installed on a server.

If you get a certificate from say Let’s Encrypt or Digicert you will not need the origin CA certificate from Cloudflare and this will be your origin certificate once installed.

I assume since you cannot proxy your email records you are running into this known limitation:

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
Origin CA certificates · Cloudflare SSL/TLS docs
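The trust problem described in this reply can be reproduced locally. The script below is an added example, not code from the thread or from Cloudflare: it creates a throwaway private CA that stands in for Cloudflare's Origin CA, issues a leaf certificate for a hypothetical unproxied mail host (mail.example.com), and then verifies that certificate twice with the openssl CLI, once against the private CA (what Cloudflare's edge effectively does) and once against the public root store (what a mail client or browser connecting straight to the origin does). All names, paths and the CA itself are made up; the only requirement is an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: reproduce the "untrusted certificate"
# failure with a throwaway private CA standing in for Cloudflare's Origin CA.
# Nothing here contacts Cloudflare; CA, key, hostname and file names are made up.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="mail.example.com"   # hypothetical unproxied mail subdomain

# Create a self-signed private CA (stand-in for the Origin CA). Cloudflare's
# edge trusts its own Origin CA; browsers and mail clients do not.
make_private_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 30 -subj "/O=Example Private Origin CA/CN=Example Origin CA" \
    -keyout "$WORK/origin-ca.key" -out "$WORK/origin-ca.pem" 2>/dev/null
}

# Issue a leaf certificate for the mail host, signed by the private CA,
# with a SAN so hostname verification has something to match.
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/origin-ca.pem" \
    -CAkey "$WORK/origin-ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/$HOST.pem" 2>/dev/null
}

# What the proxying edge effectively does: validate against the private CA root.
verify_with_private_ca() {
  openssl verify -CAfile "$WORK/origin-ca.pem" -verify_hostname "$HOST" \
    "$WORK/$HOST.pem" >/dev/null 2>&1
}

# What a client talking directly to the origin does: validate against the
# public root store, which does not contain the private CA.
verify_with_public_roots() {
  openssl verify -verify_hostname "$HOST" "$WORK/$HOST.pem" >/dev/null 2>&1
}

# Quick check for an installed cert: returns 0 if the issuer is the private
# CA, i.e. the cert is origin-only and must not be served to unproxied clients.
issued_by_private_ca() {
  openssl x509 -in "$WORK/$HOST.pem" -noout -issuer | grep -q "Example Origin CA"
}

make_private_ca
issue_leaf
if verify_with_private_ca; then
  echo "edge-style check (private CA trusted): OK"
fi
if verify_with_public_roots; then
  echo "public-root check: OK"
else
  echo "public-root check: FAILED (clients reaching $HOST directly get a trust error)"
fi
if issued_by_private_ca; then
  echo "$HOST.pem is issued by the private CA: fine behind the proxy, not for direct clients"
fi
```

The same pattern applies to a real Origin CA certificate on a real server: run `openssl verify -verify_hostname <host> <cert.pem>` against the public store, and if it fails with "unable to get local issuer certificate", that certificate can only sit behind the proxy; an unproxied host such as a mail server needs a certificate from a public CA instead.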


Correct, this is an issue as I am unable to proxy the mail record.

Not sure if this can be resolved?

But right now my issue is, I can either install my original cert for email on the mail subdomain, which breaks the SSL between Cloudflare and the site, or install the Origin CA on the web server, which breaks the email SSL.

Thanks

Cloudflare does not provide MX record proxying beyond their area 51 service: Cloudflare Area 1 | Preemptive Anti-Phishing & Cloud Email Security

See also:

I would also like to have set up mail routing, but it would never work?

Maybe this would have also solved the issue with SSL for the email?

Email routing is an [insert personal opinion here] absolutely useless service [/end personal opinion] offered by Cloudflare for domains which you don’t care if you actually receive mail for. If you want to follow the steps in Email Routing | Easily create addresses and route emails, feel free.

TLS on SMTP protocol… nice to have. Isn’t sorted by Cloudflare’s email routing. SMTP is a really old protocol… no requirement to send mail using TLS and many/most sending MTAs won’t require it. Requiring it on the receiving MTA is almost certainly going to result in dropped emails.

Set up your mail server based on the previously linked guide. Leave Cloudflare out of it beyond DNS resolution or pay for a service to be the public facing MTA (Cloudflare or provider of your choice).


Ok thanks!

What does this MTA provider do? Is it just a mail routing service or does it actually host mail? I’m open to hearing more about this.

Also, no cert you can purchase from Cloudflare will allow you to export it for use in another context.
