SSL Type needed? (Full/Full Strict?)

Hi!
I am trying to update/set up about 30 domains, so I want to make sure I do it correctly, so I don’t have to go and do it again 30 times.

  • All domains are hosted, and the sites, when the NS were with the host, created Let’s Encrypt certificates.
  • Once I move the NS to Cloudflare, those certificates will expire, as the NS don’t directly point to the host.

On my host’s help pages it says the only way to correctly secure the site is to issue a Cloudflare Origin certificate on the hosting site (well, without paying for an SSL etc).

  1. Is this the best/only way to do it, and if I do that, would I select Strict-Full on CF?
  2. Is there another way? (My limited knowledge of SSL says not without buying a cert for each domain, as CF will send the visitor to the site and the site won’t have an SSL, so will throw an error.)
  3. If I do this for all 30 sites, will the Origin Cert expire, and if so, can it automatically update or will I need to update them manually each time?

I’m just after the easiest way to make sure the site is secure, and am trying to do it correctly the first time.

You can just keep using the same Let’s Encrypt certificates on your server, and use Full Strict. There’s no need to stop using them or let them expire.

2 Likes
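A way to audit the setup suggested in the reply above across many domains, as an added example that is not part of the original thread: Full (Strict) depends on each origin presenting an unexpired certificate that covers the hostname, and this checks both. The hostname, IP address, `warn_days` threshold and function names are assumptions made for illustration.

```python
import socket
import ssl
import time

def san_matches(cert, hostname):
    """True if hostname matches a DNS subjectAltName entry (one-label wildcard allowed)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def days_left(cert, now=None):
    """Whole days until notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def assess(cert, hostname, now=None, warn_days=21):
    """Classify an origin certificate: 'ok', 'renew-soon', 'expired' or 'name-mismatch'."""
    if not san_matches(cert, hostname):
        return "name-mismatch"
    left = days_left(cert, now)
    if left < 0:
        return "expired"
    return "renew-soon" if left < warn_days else "ok"

def fetch_origin_cert(origin_ip, hostname, port=443):
    """Handshake with the origin directly (bypassing the proxy), sending hostname as SNI.
    The default context verifies chain and name against the system trust store, so a
    publicly trusted certificate such as Let's Encrypt passes; an Origin CA certificate
    would need that CA loaded into the context first."""
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in the dict shape getpeercert() returns; not a real certificate.
SAMPLE = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
          "notAfter": "Jun  1 12:00:00 2030 GMT"}

if __name__ == "__main__":
    # Constructed inventory: hostname -> origin IP (documentation address range).
    for host, ip in {"example.com": "203.0.113.10"}.items():
        try:
            print(host, assess(fetch_origin_cert(ip, host), host))
        except OSError as exc:  # includes ssl.SSLError and verification failures
            print(host, "handshake failed:", exc)
```

A handshake failure here means the origin certificate did not verify against the system trust store, which is the condition to fix before switching the zone to Full (Strict).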

As long as the sites are using HTTP-01 challenges and no Cloudflare settings interfere with those challenges, Let’s Encrypt should work fine. They have the advantage of working with visitors in the event that you need to pause Cloudflare. You can make some adjustments to Cloudflare to prevent unwanted interference with ACME HTTP-01 challenges.

If you need Cloudflare Origin CA certificates, the documentation is quite usable.

1 Like
