We are testing Cloudflare (free to start with) with one website with the possibility of moving a few hundred more over if it works for us. The site has a current Let’s Encrypt SSL certificate. We moved the DNS over as required and traffic has been going via Cloudflare for over a day now.
Our (possibly incorrect) understanding of how Cloudflare works to intercept bots etc., from pages like “Why you should choose Full Strict, and only Full Strict”, was that there would be the original Let’s Encrypt certificate on our server securing the data between Cloudflare and us, plus Cloudflare would issue an ‘edge’ certificate that secured the data between the browser and Cloudflare. The idea as we understood it was that this allowed Cloudflare to see the full request in the middle and better detect unusual requests, like bot activity. We were expecting then to see the certificate shown on the site in a browser to say issued by Cloudflare, but the certificate is showing Let’s Encrypt with no mention of Cloudflare.
On the control panel at Cloudflare it says the Certificate Authority is Let’s Encrypt but “(Managed by Cloudflare)”; this is in the SSL/TLS section under Edge Certificates.
We’re confused. Can someone explain to us how this actually works, because the certificates are issued and renewed (i.e. managed) on our server. Does ‘Full (Strict)’ end-to-end encryption mean Cloudflare wouldn’t be able to effectively spot and block suspect requests/traffic in the middle?