Using Cloudflare's SSL certificate without installing it on hosting provider

What is the name of the domain?

declan.studio

What is the error message?

ERR_TOO_MANY_REDIRECTS

What is the issue you’re encountering

My website will not load due to getting a “too many redirects” error. I wanted my website to run through https, so I changed my SSL settings and enabled “always use https”. I have no rules about redirection in my .htaccess file on my hosting provider, however my hosting provider does not allow access to uploading an SSL certificate or generating its own without paying. It streams http traffic fine, and my website ran fine before I attempted to change it to https. I dont know how to resolve the redirection issue, and Im just guessing that it has to do with a lack of SSL certificate on my hosting provider. How can I resolve this for free? Is this an issue with my hosting provider or can it be fixed through cloudflare?

What steps have you taken to resolve the issue?

Domain nameservers set to cloudflare’s nameservers
Domain managed on Domain.com, hosting using free plan from FreeHosting.com
Website runs fine through http (as of this step)
SSL/TLS encryption changed from Flexible to Full (Strict)
Automatic HTTPS Rewrites and Always use HTTPS enabled
Cache Purged
Website no longer works on https or http. I want it to run exclusively on https
I generated an origin certificate and saved the .pem and .key files to my desktop, but I cant upload them to my hosting provider without paying.

Was the site working with SSL prior to adding it to Cloudflare?

No

What is the current SSL/TLS setting?

Full (strict)

Screenshot of the error

You should install SSL on your origin and use Cloudflare with “Full (strict)” SSL.

Fronting a non-SSL origin with Cloudflare SSL is not secure (traffic between Cloudflare and your origin would be unencrypted if you did so), so ensure SSL is working on your origin before enabling Cloudflare.

Im wondering why I need SSL encryption between my origin and cloudflare if cloudflare can encrypt incomming traffic. My hosting provider also says I need to pay to install SSL on my origin, which I want to avoid doing. If it is impossible to run my website on https without installing SSL on my origin, please let me know, Ill change hosting provider, if not, could you please let me know what Im doing wrong in my cloudflare SSL setup?

When you put your site behind Cloudflare, 2 connections are required. The first is between the user and Cloudflare, then second is between Cloudflare and your server/host.

Both of these should be secured using SSL. Using Cloudflare to give SSL to only the first hop is even worse than no SSL as it fools your users into thinking their data is encrypted when it is actually being sent in the clear between Cloudflare and your server.

See…

1 Like

Ill switch hosting providers then, thanks for the info, but why does it matter what happens between my hosting provider and cloudflare? Isnt the entire point of cloudflare that it takes in dangerous traffic and creates a safe passage between there and my home server? Whats the point of running traffic through cloudflare if it can still be intercepted before it gets to my hosting provider? Im also not gonna be dealing with any personal info on my site.

Between Cloudflare and your home server is still the public internet and your ISP so you either need to use SSL on your web server, or a Cloudflare tunnel, to ensure that traffic is encrypted on that leg. It’s also not just about the encryption, the SSL certificate (when used with Cloudflare’s “Full (strict)” setting) ensures the connection is to your origin and not diverted elsewhere.

1 Like

I see, thank you for your info
Ill do some digging into “cloudflare tunnels” but I think its best I find a new hosting provider that can give me an SSL certificate.
Thanks for patiently answering all my questions, have a great day :slight_smile:

1 Like

You can get free SSL certificates from LetsEncrypt, or use a Cloudflare origin SSL certificate (that requires use of the Cloudflare proxy), if your host will let you install one of those.

I need to pay to install an ssl certificate on my host which is what Ive been trying to bypass, btw does letsencrypt provide an ssl for all platforms or only cloudflare?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.