Remove Google Trust Services LLC SSL Certificate and use the Let's Encrypt one on my server

I am shocked to find that Cloudflare has added a “Google Trust Services LLC” SSL certificate to my website overriding the Let’s Encrypt certificate I’ve used for years without my consent.

How can I disable this Google certificate which I never asked for and revert to my previous settings which used the Let’s Encrypt certificate installed on my server?

I have clicked “Disable Universal SSL” which successfully removed the Google certificate from the “Edge Certificates” area of the site, however now my site doesn’t load.

What settings do I need to change so Cloudflare recognizes the Let’s Encrypt certificate installed on my server that I’ve used previously?

You need to understand how Cloudflare works.

Your site is proxied behind Cloudflare and users visiting your site connect to Cloudflare’s servers only, from where Cloudflare serves up “Universal SSL” and a Google or LetsEncrypt certificate generated by Cloudflare. Cloudflare then processes the request as per your settings and then Cloudflare connects to your server, secured by your own LetsEncrypt certificate.

For that reason, the certificate you see for your site will no longer be the one on your origin (while the site is proxied).

You need to re-enable Universal SSL and you also need to keep your origin certificate renewed so the Cloudflare connection to your origin continues securely.

Read…

If you want to see your own LetsEncrypt certificate, then you need to change your DNS records to “DNS only”, but then traffic goes direct to your origin and never passes through Cloudflare so no Cloudflare protections or features will be applied to your site.

1 Like
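Added example (not part of any post in this thread): a Python check of the point made in the answer above, that while a record is proxied the visitor-facing certificate is Cloudflare's edge certificate and the origin's own Let's Encrypt certificate is only presented on the Cloudflare-to-origin leg. The function names, the two sample certificates and the hostname and origin address in the closing comment are assumptions constructed for illustration.

```python
import socket
import ssl


def issuer_field(cert, field="organizationName"):
    """Return one issuer attribute from an ssl getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def fetch_cert(hostname, connect_to=None, port=443, timeout=5.0):
    """Fetch the validated leaf certificate served for `hostname`.

    connect_to=None follows DNS (Cloudflare's edge while the record is
    proxied). connect_to=<origin IP> talks to the origin directly but still
    sends `hostname` as SNI and validates the certificate against it.
    """
    ctx = ssl.create_default_context()
    addr = (connect_to or hostname, port)
    with socket.create_connection(addr, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def compare(edge_cert, origin_cert):
    """Report who issued each leg's certificate and when the origin's expires."""
    edge, origin = issuer_field(edge_cert), issuer_field(origin_cert)
    return {"edge_issuer": edge, "origin_issuer": origin,
            "same_issuer": edge == origin,
            "origin_expires": origin_cert.get("notAfter")}


# Constructed samples in getpeercert() format, not captured from a real site.
SAMPLE_EDGE = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services LLC"),)),
    "notAfter": "Jun  1 00:00:00 2030 GMT"}
SAMPLE_ORIGIN = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),)),
    "notAfter": "May  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    print(compare(SAMPLE_EDGE, SAMPLE_ORIGIN))
    # Live use, with an assumed hostname and a documentation-range origin IP:
    # compare(fetch_cert("example.com"),
    #         fetch_cert("example.com", connect_to="203.0.113.10"))
```

A differing issuer between the two legs is the expected result for a proxied site; the origin expiry is the value to monitor so the Cloudflare-to-origin connection stays valid.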

Thank you, that’s very helpful.

I signed up for Cloudflare in 2021 and I swear I remember seeing “Let’s Encrypt” as the certificate in the user-facing URL bar. Maybe that was the previous Cloudflare certificate provider and I mistook it for my own, but in any case - now I definitely see “Google Trust Services LLC” on the user-facing URL.

How can I use Cloudflare without using Google Trust Services? I don’t want to use any Google products. I never would have consented to this change had I been notified.

Cloudflare uses Google and LetsEncrypt for edge certificates so maybe you had a LetsEncrypt one before and assumed it was yours, when it was actually the edge certificate. (Both are needed as a backup certificate is also generated). (Or maybe you disabled the proxy).

Options…

3 Likes

Thanks for your help! I’ll look into upgrading.

Oddly, it says that free Universal plans should be served by LetsEncrypt on this page: https://developers.cloudflare.com/ssl/reference/certificate-authorities/
…yet all my sites have GTS. Maybe those docs are outdated.

Is it the “(Paid plans only)” phrase from here, that is giving you that impression?

Before the deprecation of DigiCert, and back when DigiCert was mostly the only CA being used, I was under the impression that Cloudflare only issued ECDSA certificates for the Universal SSL certificates on the free plan.

However, since the deprecation of DigiCert, and the addition of Google Trust Services, what I’ve seen in reality is that the free Universal SSL is covered by ECDSA P-256 certificates from Let’s Encrypt, and RSA 2048 bit certificates from Google Trust Services.

So, -

Would moving (and adding another) “(Paid plans only)”, so they appear respectively in the RSA sections under Let’s Encrypt and DigiCert from the image above be enough to change your understanding of the documentation?

Or what exactly is it, from that page, that makes you understand that they should alone be served by Let’s Encrypt, … and not by any other CA?

2 Likes
