This connection is not private error

collectivefriction · August 5, 2023, 7:42pm

I have a web site that hosts a game on a third party hosting platform. There is no SSL cert on my server (Its all free and no user data passes between browser and my server). I use Cloudflare just for the SSL cert. The website is [Preformatted text](http://www.squaredle.co.uk)

Mostly this seems to work OK but I have had the odd user tell me that when they try and access my server they get a warning “This connection is not private” and the “website maybe impersonating xxxxx” (where xxxxx seems to be a perfectly valid site).

I can’t see a way of installing a third party ssl cert on my server (the web host want me to buy one).

What are my options so that I can provide the minimal (and cheapest) level of security. (I make no money from this, its just a bit of fun, so I am trying to do it as cheaply as possible).

Thank You

sandro · August 5, 2023, 7:49pm

That is the issue and what you need to fix. Your server needs to be secure first.

If your host requires you to buy a certificate you either need to do that or switch host, otherwise you can never have a secure site in the first place and hence receive such error messages. You also have a legacy encryption mode on Cloudflare, which is known for breaking sites.

In short, make sure your server is secure first and only then use Cloudflare. You can always take a look at Cloudflare’s Origin certificates.

collectivefriction · August 5, 2023, 8:15pm

Thank You for your reply

So what is the point of the flexible SSL option in cloudflare and why do most of my users not get an issue?

sandro · August 5, 2023, 8:17pm

There is no point in it, I am afraid.

It’s a legacy mode, which does not provide any security and breaks sites.

As mentioned, make sure your site is secure on HTTPS without Cloudflare and it will also work on Cloudflare. As long as you are not using Full Strict as encryption mode, you have an insecure site.

If you need a certificate, take a look at Let’s Encrypt or Cloudflare’s Origin certificates.

collectivefriction · August 6, 2023, 7:24am

Thanks again - assuming I add a cert to my server (Have to purchase - third party not supported). If I then choose strict mode will that be seemless - ie will there be any downtime for my users (thinking DNS propagation but assume this might not be relevant)

sandro · August 6, 2023, 7:27am

Generally not, you may want to take a look at How to eliminate (or minimise) downtime when adding your domain to Cloudflare as well.

I would recommend to pause Cloudflare, configure the server properly for SSL, make sure the site loads fine on HTTPS, and secure the encryption mode with Full Strict. Once that all works, you can unpause Cloudflare and it should work fine.

And yes, DNS propagation will not apply here.

collectivefriction · August 8, 2023, 11:44am

OK all seems OK for most testing I have done (Strict). but one user reports that they continually (2 days) get an error as below

collectivefriction · August 8, 2023, 11:44am

Other users and all the testing I do is fine!

sandro · August 8, 2023, 3:05pm

So you are on Full Strict now? Then it should be all right.

As for the error you posted, your server will be sending an invalid response here. Take a look at Community Tip - Fixing Error 520: Web server is returning an unknown error

collectivefriction · August 9, 2023, 2:43pm

Updated DNS to drop cloudflare and now seems OK.

sandro · August 9, 2023, 2:50pm

Glad you got it sorted out.

sandro · August 9, 2023, 3:10pm

This topic was automatically closed 20 minutes after the last reply. New replies are no longer allowed.