SSL already set up, is there a way to use CloudFlare?


#1

If you already have SSL set up and working on your site and wish to use CloudFlare, do you just set the SSL to Strict (Full) via the crypto tab? Anything else that is required?


#2

In theory. In practice there are tons of users reporting certificates
are taking anywhere from hours to days to get issued, so I would suggest
going :grey: initially (until Cloudflare confirms the certificate is
live), and only then switch to :orange: and test carefully.


#3

How do you know when CloudFlare confirms that the certificate is live?


#4

The UI should tell you whether the certificate is pending or live.

Being an untrusting sort, I leave the live hostnames :grey: initially
and create a https-test.example.com host in :orange: mode. Point the
test address to your web server’s IP (your server might not accept it,
that’s fine, it doesn’t matter as we don’t care about 4xx or 5xx errors
here), then wait until https://https-test.example.com loads and
validates successfully.

Since Cloudflare is requesting a certificate for example.com and
*.example.com, once any subdomain works you should be good to go live.
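
Added example, not part of any post in this thread and not Cloudflare tooling: a Python check for the test-subdomain procedure in post #4. It performs a fully validated handshake against the test host, then confirms that the certificate served also covers the hostnames still to be switched. The function names, the script name in the usage comment and `SAMPLE_CERT` (constructed data) are assumptions made for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

def fetch_validated_cert(host, port=443, timeout=10):
    """Handshake with chain and hostname verification, as a browser would do.
    Raises ssl.SSLCertVerificationError while the served cert is not usable."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(cert, name):
    """True if a DNS SAN matches name; '*' stands for exactly one leftmost label,
    so *.example.com covers www.example.com but not example.com itself."""
    name = name.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == name:
            return True
        if value.startswith("*.") and name.partition(".")[2] == value[2:]:
            return True
    return False

def uncovered(cert, hostnames):
    """Hostnames from the list that the certificate does NOT cover."""
    return [h for h in hostnames if not san_covers(cert, h)]

def days_left(cert, now=None):
    """Whole days until notAfter (run against the origin when using Strict)."""
    now = now or datetime.now(timezone.utc)
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(seconds, timezone.utc) - now).days

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    # Usage: python check_cert.py https-test.example.com example.com www.example.com
    if len(sys.argv) < 2:
        sys.exit("usage: check_cert.py TEST_HOST [LIVE_HOST ...]")
    cert = fetch_validated_cert(sys.argv[1])
    missing = uncovered(cert, sys.argv[2:])
    print("validated, days left:", days_left(cert), "| not covered:", missing or "none")
    sys.exit(1 if missing else 0)
```

A non-zero exit or an `SSLCertVerificationError` means the live hostnames should stay :grey: for now.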


#5

Cloudflare has experienced delays issuing SSL Certificates for new domains. If your domain was added in Cloudflare recently you might be impacted by this. If you want to test Cloudflare’s certificates working for your domain without changing your entire site over, you can do this by testing one of your subdomains.

When Cloudflare issues your certificate we do it both for your apex domain (mydomain.com) and a wildcard for all subdomains (*.mydomain.com). If one of your subdomains works while Orange Clouded then your apex and other subdomains will work as well.

https://www.cloudflarestatus.com/

Selecting an SSL Option

If your Origin has an existing certificate you can take your pick of either Flexible, Full SSL or Full SSL (Strict).

You can use Full SSL (Strict) but that will require you to ensure your Origin’s SSL is renewed and maintained into the future as an expired certificate will not meet the requirements of Full SSL (Strict).

You can read more on SSL Modes here:


#6

I am not looking to use a certificate issued by CloudFlare. I already have a certificate from my host that will be auto renewed.


#7

Why would there be a delay in getting a certificate issued if I already have a certificate from my host that is live and working?


#8

If you are only planning to use Cloudflare for DNS it doesn’t matter. If you want to use Cloudflare for proxying SSL traffic (for DDoS) and you are planning to use a Cloudflare plan where you can upload your own certificate it also doesn’t matter. If however you want to use those other services and don’t want to upload your own cert… Cloudflare acts as an SSL termination endpoint in order to provide CDN and WAF services, so there has to be a certificate on our edge to terminate that. By default we provide a free universal SSL certificate… or you can order your own through us to use on our edge or bring your own depending on plan type.


#9

If I see this in my account, I’m assuming this means that my universal SSL certificate has already been issued:


#10

It’s probably been issued, but the key indicator is the Status line near the top of the Crypto page in the SSL section. As @thedaveCA mentioned, that Status will tell you if it’s Active or Pending.


#11

Yeah, it shows active with a green light.

