SSL best practice: Cloudflare and ServerPilot

What is the best practice (from a security standpoint) for setting up SSL between Cloudflare and ServerPilot? I have a domain on a “Pro Website” account and my SSL/TLS encryption mode is set to “Flexible”.

On ServerPilot I have the option to enable AutoSSL, or add a custom SSL certificate.

Thank you in advance!

Behind Cloudflare, I recall I had trouble with AutoSSL at ServerPilot, so I added a custom SSL certificate. And then definitely use Full (Strict) mode here.


Thanks @sdayman. So I’ve made the following changes but I’m still struggling:

  1. Cloudflare: changed SSL mode to “Full (strict)”
  2. Cloudflare: disabled “Universal SSL”
  3. Cloudflare: changed “Proxy status” to “DNS only”
  4. Cloudflare: generated a new Origin Certificate
  5. ServerPilot: disabled AutoSSL, disabled “Redirect to HTTPS”
  6. ServerPilot: installed certificate on the app

The domain is now resolving but I receive the “Warning: Potential Security Risk” error with “Error code: SEC_ERROR_UNKNOWN_ISSUER” in Firefox and “NET::ERR_CERT_AUTHORITY_INVALID” in Chrome.

If I run the domain through SSL Checker I get green ticks for everything with the exception of the following:

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. The fastest way to fix this problem is to contact your SSL provider.

Common name: CloudFlare Origin Certificate
SANs: *.virtualchoir6.com, virtualchoir6.com
Organization: CloudFlare, Inc. Org. Unit: CloudFlare Origin CA
Valid from April 16, 2020 to April 13, 2035
Serial Number: 599c5890c6e9144655c0008d95ee1e8607c4315d
Signature Algorithm: sha256WithRSAEncryption
Issuer: CloudFlare, Inc."

You’ll need to turn this back on for Cloudflare to proxy your site as HTTPS.
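To make the failure in this thread concrete, here is an added local demonstration (not from the original thread, and not Cloudflare's or ServerPilot's tooling): a throwaway private CA stands in for the Origin CA and signs a leaf for a placeholder host, then the leaf is validated once against the default trust store (what a browser does when the record is "DNS only") and once with the issuing CA pinned (what the proxy does in Full (strict)). It assumes the openssl CLI is installed; all names and files are constructed.

```shell
#!/bin/sh
# Constructed demo: an origin certificate issued by a private CA is rejected by the
# public trust store but accepted by a validator that pins that private CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA that is NOT in any browser or OS trust store (stand-in for the Origin CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/origin-ca.key" -out "$WORK/origin-ca.pem" \
  -subj "/O=Example Origin CA/CN=Example Origin CA" >/dev/null 2>&1

# 2. Leaf certificate for the origin host (placeholder name), signed by that private CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/origin.key" -out "$WORK/origin.csr" \
  -subj "/CN=origin.example.invalid" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/origin.csr" \
  -CA "$WORK/origin-ca.pem" -CAkey "$WORK/origin-ca.key" -CAcreateserial \
  -out "$WORK/origin.pem" >/dev/null 2>&1

# Browser view (proxy off, "DNS only"): validate against the default trust store.
# Exits non-zero ("unable to get local issuer certificate"), the same condition the
# browser reports as SEC_ERROR_UNKNOWN_ISSUER / NET::ERR_CERT_AUTHORITY_INVALID.
browser_view() {
  openssl verify "$WORK/origin.pem" >/dev/null 2>&1
}

# Proxy view (Full (strict)): the validator pins the issuing CA, so the chain closes.
pinned_view() {
  openssl verify -CAfile "$WORK/origin-ca.pem" "$WORK/origin.pem" >/dev/null 2>&1
}

if browser_view; then
  echo "public trust store: trusted (unexpected)"
else
  echo "public trust store: UNTRUSTED - browsers warn when they reach the origin directly"
fi
if pinned_view; then
  echo "pinned issuing CA:  trusted - a proxy that pins the CA can validate the origin"
fi
```

The point is that such a certificate is only ever meant to be seen by the proxy; if the DNS record is switched to "DNS only", browsers see it themselves and have no way to validate it.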

That did it! Thank you.

