I have a web site that hosts a game on a third party hosting platform. There is no SSL cert on my server (Its all free and no user data passes between browser and my server). I use Cloudflare just for the SSL cert. The website is [Preformatted text](http://www.squaredle.co.uk)
Mostly this seems to work OK but I have had the odd user tell me that when they try and access my server they get a warning “This connection is not private” and the “website maybe impersonating xxxxx” (where xxxxx seems to be a perfectly valid site).
I can’t see a way of installing a third party ssl cert on my server (the web host want me to buy one).
What are my options so that I can provide the minimal (and cheapest) level of security. (I make no money from this, its just a bit of fun, so I am trying to do it as cheaply as possible).
That is the issue and what you need to fix. Your server needs to be secure first.
If your host requires you to buy a certificate you either need to do that or switch host, otherwise you can never have a secure site in the first place and hence receive such error messages. You also have a legacy encryption mode on Cloudflare, which is known for breaking sites.
In short, make sure your server is secure first and only then use Cloudflare. You can always take a look at Cloudflare’s Origin certificates.
Thanks again - assuming I add a cert to my server (Have to purchase - third party not supported). If I then choose strict mode will that be seemless - ie will there be any downtime for my users (thinking DNS propagation but assume this might not be relevant)
I would recommend to pause Cloudflare, configure the server properly for SSL, make sure the site loads fine on HTTPS, and secure the encryption mode with Full Strict. Once that all works, you can unpause Cloudflare and it should work fine.