You don’t need to change anything on Cloudflare’s side. Cloudflare’s Full (strict) SSL mode will recognize and validate your origin server’s Let’s Encrypt certificate. This setup is considered best practice as it ensures an encrypted connection all the way from the client to your origin server. Just make sure your server is configured properly to serve the Let’s Encrypt certificate and that it stays up to date.
Thank you. I think I've got my head around it now: disabled the CF proxy and could see the Let's Encrypt cert being used, then it implemented the Google cert when CF is proxied again. For some reason I thought a cert needed copying either on CF or on my end server.
Seems you can disable Universal SSL, which I presume would then use my Let's Encrypt cert only, but I haven't tested that yet and don't see a reason to.
Can I also ask if there's any need to open port 80 on my router FW? Cloudflare is handling SSL redirects so only SSL gets requested; nothing is needed on my origin server as that 443 page gets served directly.
If proxied it wouldn’t do that. You’d get an error in the browser as there would be no certificate at the Cloudflare edge at all.
Cloudflare needs to terminate the SSL connection in order to decrypt and apply its features before making a separate onward SSL connection to your origin (using the certificate on your server). You can’t “look through” Cloudflare to your origin certificate, only bypass it by disabling the proxy.
To use the proxy and your own SSL certificate at the edge requires a business or enterprise plan as I mentioned; the certificate has to be uploaded to Cloudflare. Otherwise Universal SSL or Advanced Certificate Manager is required for Cloudflare to place and manage the edge certificate for you.
I also only use port 443 for Cloudflare. The only issue will be when renewing your Let's Encrypt certificate if you use an HTTP-01 challenge, as that needs HTTP instead of HTTPS and so needs exceptions added to your Cloudflare configuration for it. For that reason I use a DNS-01 challenge for Let's Encrypt certificates instead (with the cloudflare-dns plugin to automate the process).
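As an added example (not from this thread or from any poster), here is what the DNS-01 setup described above looks like with certbot and its certbot-dns-cloudflare plugin. It assumes certbot and that plugin are installed and that you have created a Cloudflare API token with DNS edit rights on the zone; the credentials path, domain and token are placeholders. The script never needs port 80 on the origin, because the challenge is answered in Cloudflare DNS rather than over HTTP.

```shell
#!/bin/sh
# Added example: DNS-01 issuance via certbot-dns-cloudflare (placeholders throughout).
# Assumed: certbot + certbot-dns-cloudflare installed; token has DNS:Edit on the zone.

CREDS="${CREDS:-/etc/letsencrypt/cloudflare.ini}"   # placeholder path
DOMAIN="${DOMAIN:-example.com}"                      # placeholder domain

# Write the plugin's credentials file with owner-only permissions. The token in it
# can change your DNS records, so it must not be readable by other users.
write_creds() {
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Verify the credentials file is a regular file with mode 0600 (certbot itself
# warns when the file is readable by others). Portable: parses `ls -l`.
check_creds_perms() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Build the issuance command as a string (printed, not executed, so it can be
# reviewed). The wildcard name is quoted so the shell does not glob-expand it.
build_certbot_cmd() {
    creds="$1"; domain="$2"
    printf '%s' "certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials '$creds' \
--dns-cloudflare-propagation-seconds 30 \
-d '$domain' -d '*.$domain' \
--non-interactive --agree-tos -m 'admin@$domain'"
}

# Only run certbot when explicitly asked; the functions above are safe to source.
if [ "${RUN_CERTBOT:-0}" = 1 ]; then
    check_creds_perms "$CREDS" || { echo "fix permissions on $CREDS (chmod 600)" >&2; exit 1; }
    eval "$(build_certbot_cmd "$CREDS" "$DOMAIN")"
    # Renewal later reuses the same plugin and credentials: `certbot renew`.
fi
```

Because the origin certificate is what Cloudflare validates in Full (strict) mode, the renewal must keep working unattended; `certbot renew` (typically from the timer the certbot package installs) reuses the stored plugin settings, so the credentials file's permissions are the only thing to keep an eye on.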
Interesting, thank you. Does CF perform some validation with the Let's Encrypt cert on my server or just ignore it? I get that clients will only see CF, but I'm just curious if it uses LE at all during the handshake.
After the user has made an SSL connection to Cloudflare, Cloudflare makes an SSL connection to your origin. With “Full (strict)” Cloudflare will check your origin certificate is signed by a trusted CA, not self-signed, covers the hostname and is valid (in date) - the same process as a browser makes when connecting to any site’s SSL. If not valid you will get an error (error 525 or sometimes others). So you need to keep your origin certificate updated. Cloudflare updates the edge certificate.
That’s why “Full” should never be used as it makes an SSL connection and requires a certificate, but ignores the validity of it. This means your connection could be diverted to another server as any certificate is good enough for Cloudflare to tell the client that the connection is secure, when it actually isn’t. The same as a browser giving a warning about a certificate, then you telling the browser to accept it anyway.
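To make the difference between the two posts above concrete, here is an added example (mine, not from the thread or from Cloudflare) that mirrors the checks "Full (strict)" applies to the origin certificate using Python's standard library: hostname coverage and validity dates are checked offline on the dict shape that `ssl.SSLSocket.getpeercert()` returns, and CA trust is left to the TLS library in the live connection function. The sample certificate data is constructed; `make_origin_context(strict=False)` corresponds to the "Full" behaviour the last post warns about, where TLS is negotiated but the certificate is never validated.

```python
"""Added example: approximate Cloudflare "Full (strict)" origin checks in Python.

Not Cloudflare's code. SAMPLE_CERT is constructed data in getpeercert() format;
example.com and the 443 port are placeholders.
"""
import socket
import ssl
import time
from typing import List, Optional


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]          # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    # The wildcard covers exactly one non-empty label: www.example.com yes,
    # a.b.example.com no, example.com itself no.
    return bool(label) and "." not in label


def check_origin_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons a strict check would reject this certificate.

    An empty list means "covers the hostname and is valid (in date)". CA trust
    (signed by a trusted CA, not self-signed) is enforced by the TLS handshake
    in fetch_origin_cert(), not here.
    """
    now = time.time() if now is None else now
    problems: List[str] = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(hostname, name) for name in san):
        problems.append(f"hostname {hostname!r} not covered by SAN {san}")
    return problems


def make_origin_context(strict: bool) -> ssl.SSLContext:
    """strict=True ~ Full (strict): trusted CA + hostname + dates are all enforced.
    strict=False ~ Full: a certificate is required but never validated."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_origin_cert(origin_ip: str, hostname: str, strict: bool = True) -> dict:
    """Connect to the origin IP with SNI=hostname, as the edge does after the
    client's own TLS session ends. With strict=True an untrusted, mismatched or
    expired origin certificate raises ssl.SSLCertVerificationError (the condition
    behind a 525-style error); with strict=False any certificate is accepted and
    getpeercert() returns an empty dict because nothing was verified."""
    ctx = make_origin_context(strict)
    with socket.create_connection((origin_ip, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample (not a real certificate), in the shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    # Offline run against the constructed sample at three points in time.
    for label, when in (("Nov 2023", 1700000000.0), ("Feb 2024", 1708000000.0), ("Jul 2024", 1720000000.0)):
        print(label, check_origin_cert(SAMPLE_CERT, "www.example.com", now=when) or "accepted")
```

The offline part is what makes the "keep your origin certificate updated" advice testable: point `check_origin_cert` at the dict from a live `getpeercert()` call (or at a monitoring job's copy of it) and alert before `notAfter`, rather than finding out from a 525 after renewal silently failed.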