Switching from Strict to just Full encryption?

My site has a wildcard ssl certificate that will cost a lot to renew.

I believe “Full” encryption will suffice, so I hope to avoid this cost.

1 Will this work correctly even though the domain has multiple A and CNAME records?

2 If so, what steps do I need to take, if any, when the existing certificate expires?

With Thanks

It won’t; you’ll simply disable security on your site and will have an insecure site.

This article has all details.


I DO intend to evaluate whether “Full” will suffice as a separate question.

In the event that, hypothetically, Full is used, I would like to know the answers to these questions:

1 Will this work correctly even though the domain has multiple A and CNAME records?

2 If so, what steps do I need to take, if any, when the existing certificate expires?

Thanks

As already mentioned, it does not. You will only make your site insecure, but I already wrote that.

Again, the article has all the details. Not quite sure why I had to write that twice.

So no, do not switch to Full - and that also makes the other questions obsolete.

No. If you’re expecting a secure connection to your server, you’ll not get that with anything less than Strict.

The article @sandro linked to includes solutions to maintain a secure connection, such as the Origin CA certificate. You can do this right now, before your expensive certificate expires.


Thanks for the input, but that is not the question I am asking. I KNOW it will be less secure.

But what I would like to know is:

1 Will this CONNECT (even if not secure) even though the domain has multiple A and CNAME records?

2 If so, what steps do I need to take, if any, when the existing certificate expires?

It won’t be less secure, it won’t be secure at all, because you won’t have any validation whatsoever.

So your entire hypothesis is wrong, which makes the whole question pointless I am afraid.

I am not sure what you mean by “this connect”, but nothing will change in your setup, except that you will have an insecure setup at that point, which anybody can take over as outlined in the article. But the HTTP connection itself will work - of course on an insecure setup.

That’s it.

Full (non-strict) allows expired and self-signed certificates. That’s the essential difference between strict & non-strict: strict requires that the certificate is signed by a CA, and that it’s not expired.

The user will definitely still connect to Cloudflare’s proxy server if set to Full.

Whether or not they CONNECT to your server will be up for debate, as that traffic can then be intercepted by anything with an invalid certificate.

I can see that you want a fully secure connection. The best approach is to fix it before your existing certificate expires.

Origin CA certificate is the easiest approach. Let’s Encrypt would be the best.

https://certbot.eff.org/

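The strict/non-strict difference described in the reply above, shown as an added example (not from the thread or from Cloudflare): a loopback HTTPS server presents a self-signed certificate, and two clients connect to it. The client that skips certificate verification stands in for “Full” (encrypted, but any certificate is accepted); the client that verifies stands in for “Full (strict)” and rejects the self-signed certificate. The server, handler text and helper names are constructed for this demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// startOrigin starts a loopback HTTPS "origin" that presents a self-signed
// certificate (constructed stand-in for an origin server whose certificate
// is expired or not signed by a public CA).
func startOrigin() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello from origin")
	}))
}

// fetch performs one HTTPS request to url.
// strict=false mirrors Cloudflare's "Full" mode: the connection is encrypted,
// but the origin certificate is accepted without any validation, so anyone
// who can sit in the path may present any certificate at all.
// strict=true mirrors "Full (strict)": the certificate must be valid for the
// host and chain to a trusted CA, so a self-signed certificate is rejected.
func fetch(url string, strict bool) (string, error) {
	transport := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: !strict},
	}
	client := &http.Client{Transport: transport}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	origin := startOrigin()
	defer origin.Close()

	body, err := fetch(origin.URL, false)
	fmt.Printf("Full        -> body=%q err=%v\n", body, err)

	body, err = fetch(origin.URL, true)
	fmt.Printf("Full strict -> body=%q err=%v\n", body, err)
}
```

Installing a certificate the verifying client trusts (a CA-signed one, or an Origin CA certificate when the verifier is Cloudflare) is what turns the second request from an error into a successful response.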

This is my bad for not being clearer in my question.

1 Will the CF DNS continue to work even though the domain has multiple A and CNAME records?

2 If so, what steps do I need to take, if I decide that I am OK with the security issues incurred by using the Full setting, when the existing certificate expires?

Cloudflare’s DNS system is unrelated to any encryption mode. You can switch it to Off and it will still work.

There are no steps to take here. Get any valid certificate, such as an Origin certificate, and make sure it is correctly configured on your server. That’s a matter of a couple of minutes.

You can get a free certificate from Let’s Encrypt. You could also get a free origin certificate from Cloudflare. There’s no real reason to pay for certificates any more.