The best configuration for httpS://sub2.sub1.foo.com

Hi.

Before starting with Cloudflare, I had several two-level subdomains (https://sub11.sub1.foo.com, https://sub12.sub1.foo.com, etc.) working with Let’s Encrypt SSL certificates in the origin server. Everything worked ok.

I decided to use Cloudflare (Pro plan), but I left the Let’s Encrypt certificates working in the origin server. After some problems, the Cloudflare support team advised me to acquire the monthly custom dedicated certificate, and the website is now working ok with:

  1. The Let’s Encrypt certificates working on the origin server
  2. The “Full” encryption mode
  3. In the “Edge Certificates” tab, I have
     • Active “Dedicated certificates” (green dot), for *.sub1.foo.com, *.sub2.foo.com, *.foo.com
     • Active “Universal certificates” (green dot), for *.foo.com, foo.com

If I check the SSL certificates, they are working ok:

Common name : foo.com
Alternative names (SANs) : foo.com, *.sub1.foo.com, *.foo.com, *.sub2.foo.com
Organization: CloudFlare, Inc.
Valid From Sep 21,2019 to Sep 21,2020
Signature Algorithm : ecdsa-with-SHA256
Issuer : CloudFlare Inc ECC CA-2

I have some questions:

  • Is it necessary to have the Let’s Encrypt SSL certificates running in the origin server? Wouldn’t it be enough with SSL certificates just in Cloudflare? Can this issue (two certificates in Cloudflare and in the origin server) harm the speed of my website?
  • Is it necessary to activate both “Dedicated certificates” and “Universal certificates”?

Thank you very much in advance.

Absolutely yes. SSL Certificate - GoDaddy

If you have purchased a dedicated certificate you won't need the universal certificate.

Hi Sandro. Thank you very much for your answer.

So, as far as I understand, I should leave the Let’s Encrypt Certificates running on my origin server.

On the other hand, should I try to deactivate the “Universal certificates”? Is it ok if I have both Dedicated and Universal?

Absolutely, otherwise SSL wouldn't work.

That should be fine. Though the universal certificate wouldn't work in your case anyhow, because of the host level. That is why you got a dedicated certificate, right?
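The "host level" point above, as an added example that is not part of the original thread: a simplified certificate name matcher in which a wildcard covers exactly one left-most label, run against the SAN lists quoted in the first post. The function names are hypothetical, and the matching rule is a reduced form of what TLS clients apply (no partial wildcards, no IP or IDN handling).

```python
# Added example: which SAN entries cover which hostnames.
# SAN lists are copied from the first post; function names are hypothetical.

UNIVERSAL = ["*.foo.com", "foo.com"]
DEDICATED = ["foo.com", "*.sub1.foo.com", "*.foo.com", "*.sub2.foo.com"]


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """True if one SAN entry covers hostname (simplified matching rule)."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in h or "*" in h:
        return False              # malformed hostname
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if any("*" in label for label in p[1:]):
        return False              # wildcard allowed only in the left-most label
    if p[0] == "*":
        return p[1:] == h[1:]     # "*" stands in for exactly one label
    if "*" in p[0]:
        return False              # partial wildcards ("a*.foo.com") rejected here
    return p == h


def covering_sans(sans, hostname):
    """Return the SAN entries from a certificate that cover hostname."""
    return [s for s in sans if san_matches(s, hostname)]


if __name__ == "__main__":
    # Hostnames of the kind described in the thread
    for host in ["foo.com", "sub1.foo.com", "sub11.sub1.foo.com"]:
        print(host)
        print("  universal:", covering_sans(UNIVERSAL, host) or "not covered")
        print("  dedicated:", covering_sans(DEDICATED, host) or "not covered")
```

For `sub11.sub1.foo.com` the universal list yields no match, while the dedicated list matches through `*.sub1.foo.com`.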
