SSL strict cert options

All, I have 4 domains routed through CF, 3 of them redirecting to the main .com address, and this points to my dyndns record for a site hosted at my house.

The site is running on Linux / Apache and I set up certbot for my domain, which successfully created the certs locally.

In CF, SSL is set to full strict. Requests are showing the universal cert that CF creates between them and origin.

1. How do I get CF to use my Let's Encrypt/Certbot cert?
2. Is number 1 best practice over using their universal Google cert?


If you want to use your own certificate at the Cloudflare edge, you need to have a Business or Enterprise Plan…

Is this a relatively new thing with CF? Could have sworn I set this up with LE certs a few years ago using a free plan.

You don’t need to change anything on Cloudflare’s side. Cloudflare’s Full (strict) SSL mode will recognize and validate your origin server’s Let’s Encrypt certificate. This setup is considered best practice as it ensures an encrypted connection all the way from the client to your origin server. Just make sure your server is configured properly to serve the Let’s Encrypt certificate and that it stays up to date.


Thank you. I think I've got my head around it now - disabled the CF proxy and could see the Let's Encrypt cert being used, then it implemented the Google cert when CF is proxied again. For some reason I thought a cert needed copying either on CF or on my end server.

Seems you can disable Universal SSL, which I presume would then use my Let's Encrypt cert only, but I haven't tested that yet and don't see a reason to.


Can I also ask if there's any need to open port 80 on my router FW… Cloudflare is handling ssh redirects so only SSL gets requested; nothing is needed on my origin server as that 443 page gets served directly.

If proxied it wouldn’t do that. You’d get an error in the browser as there would be no certificate at the Cloudflare edge at all.

Cloudflare needs to terminate the SSL connection in order to decrypt and apply its features before making a separate onward SSL connection to your origin (using the certificate on your server). You can’t “look through” Cloudflare to your origin certificate, only bypass it by disabling the proxy.

To use the proxy and your own SSL certificate at the edge requires a business or enterprise plan as I mentioned; the certificate has to be uploaded to Cloudflare. Otherwise Universal SSL or Advanced Certificate Manager is required for Cloudflare to place and manage the edge certificate for you.


I also only use port 443 for Cloudflare. The only issue will be when renewing your Let's Encrypt certificate if you use an HTTP-01 challenge, as that needs HTTP instead of HTTPS and so needs exceptions added to your Cloudflare configuration for it. For that reason I use a DNS-01 challenge for Let's Encrypt certificates instead (with the cloudflare-dns plugin to automate the process).

Ha, yeah thanks - found that out when setting up Let's Encrypt and it failed to verify. As soon as I opened port 80 on the FW it was fine, then I closed it off again.


Interesting, thank you. Does CF perform some validation with the Let's Encrypt cert on my server or just ignore it? I get that clients will only see CF, but I'm just curious if it uses LE at all during the handshake.

After the user has made an SSL connection to Cloudflare, Cloudflare makes an SSL connection to your origin. With “Full (strict)” Cloudflare will check your origin certificate is signed by a trusted CA, not self-signed, covers the hostname and is valid (in date) - the same process as a browser makes when connecting to any site’s SSL. If not valid you will get an error (error 525 or sometimes others). So you need to keep your origin certificate updated. Cloudflare updates the edge certificate.

That’s why “Full” should never be used as it makes an SSL connection and requires a certificate, but ignores the validity of it. This means your connection could be diverted to another server as any certificate is good enough for Cloudflare to tell the client that the connection is secure, when it actually isn’t. The same as a browser giving a warning about a certificate, then you telling the browser to accept it anyway.

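An added example, not code from the thread or from Cloudflare, that models the origin checks described in the answer above in Python: hostname coverage via subjectAltName and the validity window on a parsed certificate, plus a live probe of the origin (bypassing the proxy) where `ssl.create_default_context()` also enforces the trusted-CA / not-self-signed check, which is exactly what Full (strict) rejects and Full ignores. `SAMPLE_CERT`, `example.com` and the timestamps are constructed values.

```python
import socket
import ssl
import time


def hostname_matches(cert, hostname):
    """True if a DNS subjectAltName covers hostname. A wildcard is honoured
    only in the leftmost label and covers exactly one label, as browsers and
    Cloudflare's strict mode do."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def strict_check(cert, hostname, now=None):
    """Checks possible on a parsed (ssl.getpeercert()-style) certificate:
    hostname coverage and the notBefore/notAfter window. Returns a list of
    problems; an empty list means the certificate passes these checks."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname not covered by certificate")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems


def probe_origin(origin_ip, hostname, port=443):
    """Live check straight at the origin IP (what Cloudflare does behind the
    proxy). The default context rejects untrusted-CA, self-signed, expired and
    wrong-hostname certificates before getpeercert() ever returns."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return strict_check(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"rejected: {exc.verify_message}"]


# Constructed sample in ssl.getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}
```

Run `probe_origin("<origin ip>", "<your hostname>")` with the proxy still on to see what strict mode sees; an empty list is the origin-side state you want to keep, which is why the certificate renewal must keep working.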

Thanks for this, much appreciated.

