Question on how SSL Works with Cloudflare


We are testing Cloudflare (free to start with) with one website with the possibility of moving a few hundred more over if it works for us. The site has a current Let’s Encrypt SSL certificate. We moved the DNS over as required and traffic is going via Cloudflare for over a day now.

Our (possibly incorrect) understanding of how Cloudflare works to intercept bots etc, from pages like Why you should choose Full Strict, and only Full Strict , was that there would be the original Let’s Encrypt certificate on our server securing the data between Cloudflare and us, plus Cloudflare would issue an ‘edge’ certificate that secured the data between the browser and Cloudflare. The idea as we understood it was that this allowed Cloudflare to see the full request in the middle and better detect unusual requests, like bot activity. We were expecting then to see the certificate shown on the site in a browser to say issued by Cloudflare, but the certificate is showing Let’s Encrypt with no mention of Cloudflare.

On the control panel at Cloudflare it says the Certificate Authority is Let’s Encrypt but “(Managed by Cloudflare)” this is in the SSL/TLS section under Edge Certificates.

We’re confused. Can someone explain to us how this actually works, because the certificates are issued and renewed (ie managed) on our server. Does ‘Full (Strict)’ end-to-end encryption mean Cloudflare wouldn’t be able to effectively spot and block suspect requests/traffic in the middle?

Cloudflare uses Letsencrypt as one of the CAs for its edge certificates…

1 Like

And that’s exactly correct.

Cloudflare uses (among others) Let’s Encrypt certificates. Cloudflare used branded certificates in the past, but no longer, so this is as expected.

This setting is just for the connection between Cloudflare and your server. Full (strict is definitely the correct mode to use, it means Cloudflare will verify the certificate on your server and establish a normal https connection.

The other modes should never be used.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.