Running autoSSL or Let’s Encrypt


#1

I’ve recently upgraded two VPSs and cPanel installs and can now provide global auto SSLs through Let’s Encrypt or the cPanel AutoSSL… the Cloudflare SSL seems to be messing up everything in browsers… I presume there is a global switch to turn that off…?

Any other support docs about using autoSSL on an Apache server with Cloudflare accounts would be great to get… my server co is an affiliate provider of CF but gives one-line answers to questions… like go to here to ask…!!!

thanks…

Cheers


#2

Cloudflare is an SSL endpoint for traffic it proxies. Short of upgrading to a plan which allows for uploading your own certificate or bypassing Cloudflare, using a Cloudflare issued cert free or paid is required if you want to do SSL.

What’s the error you receive or the problem you’re having specifically when proxying through Cloudflare using SSL?


#3

Well, this is one reply from my server co…

"If the domains are using cloudflare, by default they will be using cloudflare SSL. If you want to use the Letsencrypt SSL enabled in server for a domain using cloudflare, then you need to upgrade the cloudflare package for the domain or remove cloudflare masking for the domains. Once done, the Letsencrypt details will be shown when you check the site in SSL checker. "

And this

“Also please note that I could see that the domain xxxxxxscreening.com is using cloud flare service. If you are using free cloudflare plan, it will not support third party SSL certificates. If you wanted to use 3rd party SSL, you need to upgrade your cloudflare plan.”

Very confused by all this… since they sell Cloudflare through their operations and give discounts if I use them instead of directly, which I mainly have your sites with your free monitoring services…


#4

Hi. So it sounds like you have three options to choose from:

  1. Utilize the free Cloudflare plan to create an origin certificate to install on your server and disable LetsEncrypt/AutoSSL.

  2. Upgrade to a Cloudflare plan that allows for uploading your own certificate to utilize the LetsEncrypt/AutoSSL certs.

  3. Disable Cloudflare completely :frowning: and utilize LetsEncrypt/AutoSSL exclusively.

I’m not too familiar with LetsEncrypt & AutoSSL unfortunately. Is there a particular reason you’d like to utilize those resources for SSL instead of Cloudflare?


#5

I’m also curious to hear what’s getting messed up in the browsers. I have Cloudflare fronting multiple types of websites and haven’t had SSL mess anything up.


#6

Well yes Andy… autoSSL comes free with my server’s cPanel accounts and upgrades, which I’m paying good money for anyway, and Let’s Encrypt, well the same, also I’m an OS liker… also doing everything in one place is about time efficiency, I’m a lone wolf here… time wasted going back to multiple players to find solutions to things like this… even this week, is a drain on my ability to make a living…

sdayman… I use predominantly Joomla scripts, well nearly exclusively… I don’t know whether their “force SSL” is maybe causing some of my issues, but I’ve been unable to turn it on in Joomla (after enabling it on a server) without both Chrome and FF throwing back SSL errors, which my server co seems to think is my free accounts with CF here issues… but IE browsers don’t seem to care, which is just bizarre in itself…

I’m no techy as you might notice… just a website designer so some of this is out of my league… but have 40+ websites to figure best solution out on…


#7

There’s a delay between signing up and SSL issuance. How long have these sites been on Cloudflare? Does it work when set to “flexible” SSL? And not when on full? If it does then it would seem to potentially be something with Cloudflare. But if it doesn’t work in either scenario then it’s likely just waiting on SSL issuance.

What’s the exact error you’re receiving?


#8

I did not think with the free plans I have any control over SSL settings here?.. Am I wrong there?

But this one is set to flexible… these sites have been on Cloudflare for several months I think…

Here is an example… and despite clearing cache on browsers countless times the same error persists… even reducing the pages (links in menu) displayed on this site down to just the home page… maybe I’m imagining things but boy is it getting frustrating…


#9

So that looks more like a mixed content warning than an issue with the certificate. I just hit the same site in Chrome and got the green lock for both the bare root and the www domains…

Same in Firefox…

Not sure if you changed something, but it appears to be working now.
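
A way to check a page for the mixed content described in the reply above, as an added example that is not part of the original thread: it scans the HTML of an HTTPS page for subresources still referenced over plain `http://`. The function names, the tag lists and the sample page (on the placeholder host `example.com`) are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute. "Active" mixed content is blocked; "passive" usually only warns.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only rel=stylesheet is a subresource load; rel=canonical is not.
            if "stylesheet" not in (a.get("rel") or "").lower().split():
                return
            attr, kind = "href", "active"
        elif tag in ACTIVE:
            attr, kind = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, kind = PASSIVE[tag], "passive"
        else:
            return
        value = (a.get(attr) or "").strip()
        # Relative and protocol-relative (//host/x) URLs inherit the page scheme.
        absolute = urljoin(self.page_url, value)
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from the thread); example.com is a placeholder.
SAMPLE = """<head>
<link rel="stylesheet" href="http://example.com/templates/site/template.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://example.com/images/logo.png"> <img src="/images/banner.jpg">
<a href="http://example.com/contact">Contact</a></body>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://example.com/", SAMPLE), sep="\n")
```

Each finding is a URL to change to `https://` or to a relative path in the template or content; ordinary `<a href>` links and the canonical link are not subresource loads and are not reported.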


#10

Control is available on the crypto tab:


#11

I did not think with the free plans I have any control over SSL settings?.. Am I wrong there?


#13

Yes, see above.


#14

This is a simple solution. You don’t turn on your CF until the SSL is issued by cPanel, then you can turn on the CF.

That said, new versions of cPanel are not allowing the autoSSL to get past CF to see the origin server, so autoSSL thinks that the domain is invalid.

I think that cPanel and CF need to work together on this or people will either select a new DNS or new server service. My suggestion is that CF add a setting that allows autoSSL to see the origin IP to issue new server-side certs. There are hundreds of thousands of these issues right now with the new cPanel sw release.


#15

Do you have a link to a forum or support discussion about this issue with the new cPanel release? I’m trying to track down exactly what the change was that started this latest SSL renewal issue.


#16

They have a new issue and looked at one of my servers to check it out. I was not even getting SSLs without Cloudflare on several servers, some database error.

They said they would have a patch today or tomorrow. Could not get autoSSLs on any of my new servers with Comodo or Let’s Encrypt.


#18

You need a premium account to use custom SSL across the Cloudflare network, and I believe you have not been able to use Let’s Encrypt because of the way it performs validation for automatic certificate issuance. However, the Cloudflare SSL certificate is good enough and can be generated on the panel in Crypto, Origin certificates.