Using Cloudflare as a Reverse Proxy to enable SSL certificates?

Hi everyone, apologies in advance for my noob status with this stuff but I’m struggling to find any satisfying answers out there.

We are running into an issue at my job wherein we have a large quantity of building controls equipment that all have integrated web servers. These are simple to make accessible through forwarding the magic ports (80 and 443) on the site network to them, and according to the documentation they have integrated Let’s Encrypt support so HTTPS access to these things should be a breeze.

However, this is not the case. The Let’s Encrypt certificates are simply not being installed despite us setting up subdomains to point to their IPs, the vendor is being a huge PITA and seems to think everything is our fault, and this isn’t even considering the security concerns with opening ports 80 and 443 in the first place. We also don’t have any sort of control over the web server running on these devices.

I’ve read about Cloudflare workers being able to function as a reverse proxy, and that SSL certificates are given for free to all domains. Does this mean that there is a way to serve valid certificates for these devices without actually installing certs on the web servers?

For example, device1.example.com would proxy to x.x.x.x:5656, with 5656 being forwarded to 443 on the device, and the accessing browser would be served a valid SSL certificate that gets rid of the security warning message. Is this at all reasonable or am I out to lunch?

Welcome to the Cloudflare Community. :logodrop:

How was lunch? :wink:

You need to secure your origin before you place Cloudflare in front of it, otherwise you will be sending unencrypted traffic between the Cloudflare proxy and your origin. The following tutorial illustrates what happens when you front SSL.

Have you visited the Let’s Encrypt Community yet? That is a good place to seek assistance with the real problem you are encountering.

The Let’s Encrypt community forums generally assume that the user has control over the servers they are trying to get certs for. This is not the case here. Just changing the logo on the home page requires us to contact vendor support and have them SSH into the device, to give some context for how locked-down these things are.

I can at least manually install certs, but for over 100 sites it has to be a long-term solution if I am to go this route. Reading what you’ve posted, am I correct in assuming that I could just generate origin certs with 15 year expiries and install those? Or is that also a security no-no?


You certainly can install a long-lived Cloudflare Origin CA certificate as long as you will only access those devices through Cloudflare. That aspect was the only reason I didn’t explicitly suggest that option. I am glad that you noticed it in the tutorial. It sounds like it may be the best fit for your use case.

Just be sure to configure all of your HTTPS traffic to route through the Cloudflare proxy.
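The two replies above make one point that is easy to get wrong at scale: an Origin CA certificate is only trusted by Cloudflare's edge, so it is only safe if every path to a device goes through the Cloudflare proxy. The following audit helper is an added example (it is not code from this thread or from Cloudflare) that checks that condition for a list of device hostnames and emits a firewall allowlist. It assumes a Linux edge router running nftables, and it embeds a snapshot of Cloudflare's published IPv4 ranges that you must refresh from https://www.cloudflare.com/ips-v4 (and /ips-v6) before relying on it. The hostnames and addresses in the docstrings are made up.

```python
"""
Audit helper for the "Origin CA cert + reachable only via Cloudflare" setup.
Added example; not from the thread or from Cloudflare.

Three checks, all pure functions so they run offline:
  is_cloudflare_ip()    - is an address inside Cloudflare's proxy ranges?
  audit_device()        - do all addresses a device hostname resolves to belong
                          to Cloudflare? If not, the DNS record is "DNS only"
                          (grey cloud) and the Origin CA cert, which browsers do
                          not trust, is served straight to visitors.
  nftables_allowlist()  - emit a rule set that admits only Cloudflare's ranges
                          to the forwarded ports, so the origin is never hit
                          directly even by someone who knows its public IP.
"""
import ipaddress
import socket
import sys

# Snapshot of Cloudflare's published IPv4 ranges. Assumption: this list may be
# stale; refresh it from https://www.cloudflare.com/ips-v4 before deploying.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CLOUDFLARE_NETS = [ipaddress.ip_network(r) for r in CLOUDFLARE_RANGES]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr (a string) lies inside one of the snapshot ranges.
    Unparseable input is treated as 'not Cloudflare' rather than raising."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # 'in' returns False for an IPv6 address against an IPv4 network, so a v6
    # answer is reported as not-Cloudflare until the v6 snapshot is added.
    return any(ip in net for net in _CLOUDFLARE_NETS)


def audit_device(hostname: str, resolved_addrs: list[str]) -> str:
    """Classify one device hostname from the addresses it resolved to.

    'proxied'    - every address is a Cloudflare edge (orange cloud), so the
                   browser sees Cloudflare's publicly trusted certificate.
    'exposed'    - at least one address is not Cloudflare: visitors reach the
                   origin directly and get the untrusted Origin CA cert.
    'unresolved' - nothing resolved; the subdomain is probably not set up.
    e.g. audit_device("device1.example.com", ["104.16.1.1"]) -> 'proxied'
    """
    if not resolved_addrs:
        return "unresolved"
    if all(is_cloudflare_ip(a) for a in resolved_addrs):
        return "proxied"
    return "exposed"


def nftables_allowlist(ports=(80, 443), ranges=CLOUDFLARE_RANGES) -> str:
    """Return an nftables rule set that drops forwarded traffic to the given
    ports unless it comes from a Cloudflare range. Meant for the site router
    that port-forwards 80/443 to the devices; adapt the hook if the firewall
    sits elsewhere."""
    port_list = ", ".join(str(p) for p in ports)
    elements = ", ".join(ranges)
    return (
        "table inet cf_only {\n"
        "  set cloudflare_v4 {\n"
        "    type ipv4_addr\n"
        "    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        "  }\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    tcp dport {{ {port_list} }} ip saddr != @cloudflare_v4 drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Usage: python audit.py device1.example.com device2.example.com ...
    # Resolves each hostname live (needs network) and prints its status.
    for host in sys.argv[1:]:
        try:
            addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(
                host, 443, proto=socket.IPPROTO_TCP)})
        except socket.gaierror:
            addrs = []
        print(f"{host}: {audit_device(host, addrs)} {addrs}")
    print(nftables_allowlist())
```

Two caveats a practitioner will want alongside this check. First, the Cloudflare proxy only accepts a fixed set of HTTP/HTTPS ports (80, 443, 8443, 2053 and a few others), so a scheme that relies on an arbitrary external port such as 5656 will not be proxied; give each device its own hostname and forward 443 on the site network to the device's 443 instead. Second, with an Origin CA certificate installed, set the zone's SSL/TLS encryption mode to Full (strict): Flexible is the mode that sends plaintext HTTP between Cloudflare and the origin, which is exactly the gap the first reply warns about.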
