SSL Certificates


#1

My site is hosted on WP Engine, but I am routing the site through Cloudflare. I have my own SSL that is uploaded on WP Engine, but it looks like that SSL is being ignored and the shared SSL on here is being used for my account. Is that right? Why does this not use the SSL I already have in place?


#2

You need to upload your SSL cert to CloudFlare but you need to be on a pro plan to do so.

But you can order a dedicated SSL cert for $5/month on any plan.


#3

I am on a pro plan, but it says I need to be on an even higher plan to upload a certificate, unless I am reading it wrong.


#4

We have the same exact issue on our end. Is there any way to “disable” SSL from CloudFlare and depend solely on the SSL certs uploaded in WPEngine?


#5

My bad. It’s business not pro.


#6

Only if you set your records to :grey:

Basically CloudFlare acts like a webserver in front of yours and it needs a certificate to encrypt the sessions between them and your visitors. It’s not possible to “forward” a certificate from one server to another.


#7

So do I still need that SSL or is it serving no purpose at all?


#8

There are different SSL settings

Flexible: SSL connection between user and CloudFlare, traffic between CloudFlare and your server falls back to HTTP and will not be encrypted = no SSL certificate on your server needed

Full: Connection is fully encrypted, any SSL cert on your origin is ok, valid or not

Full (strict): full encryption, cert on your server must be valid.

You see that there must be a cert present on your server to support full encryption. You need the CloudFlare certificate unless you upgrade to business to be able to upload your own cert to CloudFlare.


#9

I am still confused…

I have a valid SSL uploaded on my server. My setting is set to full, strict. However, the SSL that appears to be present is the SSL that Cloudflare is supplying.

I found this out by checking the site on WhyNoPadlock.com

Does that first SSL keep the site secure from WP to Cloudflare? Or is it just a waste of money? That is what I am trying to figure out here.


#10

Since your setting is “Full (strict)”: yes

You can use a self-signed certificate on your server which costs nothing. This will keep the connection between WPEngine and Cloudflare secure as well. Then you need to set your SSL setting back to Full.

So the Cloudflare certificate is shown to the user, your own certificate (self-signed, or issued by a CA) is shown to the Cloudflare proxies. Connection secured.
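
The difference between Full and Full (strict) described in posts #8 and #10, as an added example that is not part of the original thread and not Cloudflare's code: a Go client stands in for the proxy and a constructed local test server stands in for the origin. The names `fetch` and `Probe` are hypothetical, and mapping Full to skipped verification and Full (strict) to chain validation against a trust pool is an assumption drawn from the mode descriptions above.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch models the proxy-to-origin leg: it requests url with the given TLS
// policy and returns nil only if the handshake and request were accepted.
func fetch(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Probe starts a constructed local origin whose certificate was not issued
// by a public CA and returns the outcome under three proxy-side policies.
func Probe() (full, strictUntrusted, strictTrusted error) {
	origin := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	defer origin.Close()

	// "Full": traffic is encrypted, but any certificate is accepted.
	full = fetch(origin.URL, &tls.Config{InsecureSkipVerify: true})

	// "Full (strict)": the certificate must chain to a trusted root. The
	// empty pool stands in for "issuer unknown to the proxy" (assumption).
	strictUntrusted = fetch(origin.URL, &tls.Config{RootCAs: x509.NewCertPool()})

	// Strict again, once the origin's issuer is in the proxy's trust pool.
	trusted := x509.NewCertPool()
	trusted.AddCert(origin.Certificate())
	strictTrusted = fetch(origin.URL, &tls.Config{RootCAs: trusted})
	return
}

func main() {
	full, untrusted, trusted := Probe()
	fmt.Println("full (no verification):", full)
	fmt.Println("strict, untrusted cert:", untrusted)
	fmt.Println("strict, trusted issuer:", trusted)
}
```

The no-verification case succeeds against whatever certificate the other end presents, so only the strict result shows that the proxy is talking to the intended origin.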


#11

@jerrymcconway, forgive me for jumping in but I’m also curious about this.

@MarkMeyer - So for the future, is it necessary to have a cert on the WPengine server, or are we SAFE if we JUST purchase a dedicated cert from cloudflare – without a cert existing on the wpengine server?


#12

Yes
But it is not necessary to buy one for your server. You can use a self-signed, or one from Let’s Encrypt for example.

Unsafe


#13

So here is what I did and I guess you should too. I had the same problem. I have an SSL certificate on my server. But as Cloudflare acts as a proxy, your site version served via Cloudflare would need Cloudflare’s SSL. But the Universal SSL that comes with Cloudflare is shared with 100s of other websites. Some of them were also adult websites, which I didn’t like.
This may also affect SEO because there is no dedicated certificate which reflects your domain name. (They say it doesn’t affect if SSL is shared, but it improved SEO for me.)
So I purchased a Dedicated SSL, under the crypto option. It is paid but just $5.
So I am now on Cloudflare and also have a valid certificate.
I see you are on the Pro plan. But using dedicated SSL would cost you additional per month.
Also, if you really don’t need the Pro plan, you can switch back to the free plan. I don’t think there are any additional benefits to it.