This question has been haunting me for 2 months now - Do I need a 3rd Party SSL with Free CF SSL?

Ques - I have been told by the reps at Hostgator that your SSL (I bought with them) is not being used and won’t be used “AT ALL” till the time you are using CF free SSL (CNAMEs and MX Records).

But CF docs say that you need a signed, issued SSL from an authorized party to use Full Strict mode of SSL.

Should I spend on a 3rd party SSL or NOT when I would be using CF free SSL?

I am ok to use any of the below options till the time it doesn’t affect my site, HTTPS & Audience.

Full Strict

Can someone please explain this, Once and For All?


Let me explain that.

So from the user’s perspective your certificate will be always provided by Cloudflare, no matter the SSL/TLS settings. This certificate is provided for free by Cloudflare.

On the server side you have multiple options, I will list them in order of preference, starting from the least preferred one:

  • no certificate and Flexible setting, which will set a non encrypted connection from the CF node to your server.
  • self-signed certificate and Full setting, which will encrypt the connection, but doesn’t validate the actual certificate.
  • valid third-party certificate and Full (Strict), which will also validate the certificate, but costs money (unless using something like Let’s Encrypt, but must be supported). This may be your best option if your host doesn’t allow for custom certificates or provides one for free.
  • valid (only for Cloudflare) Origin Certificate and Full (Strict), which are certificates freely generated in your dashboard, with long validity and trusted by Cloudflare (and only by them) which can be used to encrypt the connection to the server without too much hassle (do not need to renew every 90 days like Let’s Encrypt) or cost (they are free).

Hope this clarifies things. If you have questions don’t hesitate to ask!

Firstly, Thanks a lot for answering.

Now, I want to use Full-Strict so to be really great with security.

My Concern - HG customer support says an SSL bought and kept there is playing no role at all as CNAMEs and MX Records are those of CF and they can’t do anything.

I just renewed my SSL, told them to install and issue a fresh one, they said they can’t do anything as you are pointed to CF.

Alternatively saying, If I don’t have a 3rd party SSL I can’t use full strict? Just because I bought an SSL means it will communicate with Free CF SSL automatically? What needs to be done here technically…

Sahil Ahuja

The SSL on the webserver and the way you are connecting to it are independent of each other and Hostgator support should not care about that.

They may say that only if they need to verify the content. You may want to try and ask if they can install a custom certificate that you give them (using an Origin Certificate by Cloudflare).

I have never had to deal with Hostgator. Just buying a certificate and not installing it is useless, it would be the same exact thing as not buying it.

@sdayman have you ever used Hostgator? Can you help?

So precisely…

I have a Comodo SSL bought from HG, but they can’t tell me if it is communicating with my free Cloudflare SSL or sitting there useless. I want to use Full Strict mode.

I just don’t know how to ensure it’s not sitting useless so should I renew or not as HG support is not helping… that’s the ultimate dilemma.


I see the problem now! If you can spare a few minutes of eventual downtime the problem is easily solvable: turn on Full (Strict) and wait a couple of minutes. If it continues to load then everything is fine, otherwise revert back.

ok, I think we are close…

So, The good news is I am Full Strict right now and I have a live Comodo SSL which is due to expire in a few days.

So far the site is working smoothly, So Should I get comodo SSL renewed or Not?

What happens if I don’t renew it as HG Rep says it isn’t being used, does this mean he is wrong and it is being used as I am currently Full Strict?


If you are using Full (Strict) then the certificate is used, for sure. Cloudflare checks that the SSL certificate is valid and has the actual domain you are trying to reach on it.

I would renew it, but first check if you can upload a custom one. You would reduce costs that are not needed.
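
The check described in the answers above (the origin certificate is valid and has the domain on it) can be run against the origin server directly instead of through Cloudflare. This is an added example, not part of the thread: the function names, the origin IP argument and the sample certificate are assumptions, and a Cloudflare Origin Certificate will fail this public-trust handshake because it is trusted only by Cloudflare.

```python
import socket
import ssl
import sys
import time

def san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """Exact match, or a left-most '*' label that covers exactly one label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check_cert(cert, hostname, now=None):
    """Return (covers_hostname, whole_days_until_expiry) for a getpeercert() dict."""
    now = time.time() if now is None else now
    covers = any(name_matches(n, hostname) for n in san_dns_names(cert))
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return covers, days_left

def fetch_origin_cert(origin_ip, hostname, port=443, timeout=5):
    """Handshake with the origin itself (not the proxy), sending `hostname` as SNI.
    Raises ssl.SSLCertVerificationError if the certificate is expired, is not
    for `hostname`, or does not chain to a publicly trusted CA.
    origin_ip is an assumption: the server address shown by the hosting provider."""
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_origin.py <origin-ip> <hostname>
    host = sys.argv[2]
    try:
        covers, days = check_cert(fetch_origin_cert(sys.argv[1], host), host)
        print(f"origin certificate covers {host}: {covers}, expires in {days} days")
    except ssl.SSLCertVerificationError as exc:
        print(f"origin certificate failed public validation: {exc.verify_message}")
```

Running it before the renewal date and again after installing the new certificate shows whether the origin is actually serving the renewed one.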

