Can you Use an SSL Certificate with Cloudflare?

Earlier, I’d written about how to install an SSL certificate in just a couple of clicks using cPanel’s “Let’s Encrypt” plugin. Most hosting providers now offer this functionality and you can transform your HTTP site into a secure HTTPS site in a few minutes without much hassle.

However, if you’re using Cloudflare, there can be complications. For example, this site, wp-tweaks.com, makes use of Cloudflare’s services to speed things up. At the same time, it uses Let’s Encrypt, as shown here:

SiteGround provides Let’s Encrypt certificates free of charge. While there are no “SiteGround Coupons” as such, they do have deals, and a free SSL certificate is one of them. It’s valid for 90 days and renews automatically 30 days before it expires.

You can see in the screenshot that my domain has a “Let’s Encrypt” certificate. However, when I open the site in a regular browser, it shows a different certificate instead:

Using an SSL certificate with Cloudflare

Why Does a CloudFlare Certificate Show instead of Let’s Encrypt?

SiteGround, along with many other hosting providers, also has built-in Cloudflare integration. You can enable it with just the click of a button from the control panel. This is much easier than logging into Cloudflare, changing your DNS settings and configuring it yourself.

Cloudflare works as a reverse proxy: it caches your content on its own servers and serves it to visitors on your behalf. So when you access a domain that uses Cloudflare, your browser’s TLS connection terminates at Cloudflare’s servers, not at the origin server. As a result, you never see the origin server’s certificate, only the one Cloudflare presents. Which is of course a Cloudflare SSL certificate!

Does this Mean you Don’t Need an Origin Certificate?

If your certificate is going to be hidden by Cloudflare, the natural question is whether you need an origin certificate on your server at all! After all, there’s no point in going through the trouble of setting something up at your end if your content will be served from a different server, right?

While it’s true that you can get away with not setting up an origin certificate at all, I wouldn’t recommend it for the following reasons:

No Encryption Between your Server and Cloudflare

The most obvious reason to use SSL on your origin server even with Cloudflare is so that the traffic between the origin and the Cloudflare cache is encrypted. If only Cloudflare’s SSL is enabled (the “Flexible” setting), then every time Cloudflare fetches a page from your site, it does so in plain text. This is terribly insecure and doesn’t actually reap the benefits of end-to-end SSL, because you’ve introduced a weak link.

A hacker could intercept the traffic between the two points, introduce their own content, and Cloudflare would never know. Your users would then be fooled into thinking that they’re getting authentic content from your server because of Cloudflare’s SSL certificate, but in reality it’s not secure at all.

Unable to use the Full (strict) Option with CloudFlare

When configuring SSL under the “Crypto” tab in Cloudflare, you have the choice between the following modes:

  1. Off
  2. Flexible
  3. Full
  4. Full (strict)

The “Full (strict)” option is the most secure: with each request, Cloudflare validates your origin server’s SSL certificate, checking that it was issued by a trusted CA, hasn’t expired and matches your hostname. “Full” encrypts the connection to the origin but accepts any certificate, even a self-signed one, so it doesn’t protect against an impostor origin. If you don’t have a trusted SSL certificate on your origin server, you’ll have to use a less secure option like “Flexible” or “Full”.

So if you want proper security, you need to get a certificate for your origin server even while using Cloudflare!

Pause Cloudflare Temporarily to See your Site’s Origin Certificate

If you want to verify that your origin Let’s Encrypt certificate is properly installed, you can always pause Cloudflare for a short while so that your requests are served directly instead of via an intermediary. Do this by going to “Overview” in the Cloudflare interface and then choosing “Pause”, as shown here.

Pause Cloudflare Temporarily

This will make Cloudflare serve only as DNS and nothing else. All caching, security etc. will be disabled until you enable it again. After pausing it, you need to wait for a while as Cloudflare updates its records and directs all traffic to your origin server. Once that’s done, access your site through another browser, say Firefox, and you will now see your original SSL certificate. The reason I recommend using another browser is that Chrome takes a really long time to update the displayed SSL certificate, and will continue showing the Cloudflare one for a while.

However, if you wait long enough, even Chrome will eventually update:

Let's Encrypt Certificate now Visible

You can see that it’s now showing the correct certificate from the origin server, instead of Cloudflare’s. Once you’ve verified this, don’t forget to go back to Cloudflare and re-enable it!
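As an added example (not code from the original post or from Cloudflare), the following Python script performs the same verification without pausing Cloudflare, and also shows what the “Full” and “Full (strict)” modes amount to on the wire. Run with just a hostname, it reports the certificate Cloudflare’s edge presents to a browser. Given the origin server’s IP address as well, it connects straight to the origin while still sending the hostname as SNI, which is how Cloudflare itself reaches the origin. With verification on, the connection behaves like Full (strict): the chain must validate against trusted roots and match the hostname, or the handshake fails. With verification off, it behaves like Full: any certificate is accepted, so only its fingerprint is reported. The hostnames, IP address and sample certificate dictionaries are placeholders constructed for this example.

```python
"""Compare the certificate a browser sees via Cloudflare with the one on the origin.

Added example; not code from the original post. Hostnames and IPs are placeholders.

Usage:
    python origin_cert_check.py example.com                # via Cloudflare's edge
    python origin_cert_check.py example.com 203.0.113.10   # straight to the origin
"""
import hashlib
import socket
import ssl
import sys
import time


def fetch_cert(host, ip=None, strict=True, timeout=5.0):
    """TLS-connect to `ip` (default: `host`) on 443 with SNI set to `host`.

    strict=True mirrors Cloudflare's "Full (strict)": the chain must verify
    against trusted roots and the certificate must match `host`; any failure
    raises ssl.SSLError.  strict=False mirrors "Full": encrypted, but any
    certificate is accepted.  Without validation getpeercert() returns {},
    so in that mode only the SHA-256 fingerprint of the DER bytes is returned.
    """
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip or host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            if strict:
                return tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
            return {"sha256": hashlib.sha256(der).hexdigest()}


def _name(rdns):
    """Flatten getpeercert()'s tuple-of-tuples X.509 name into a dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def summarize(cert):
    """Pick out the fields worth comparing between the edge and the origin."""
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    return {
        "subject": subject.get("commonName", ""),
        "issuer": issuer.get("organizationName", issuer.get("commonName", "")),
        "serial": cert.get("serialNumber", ""),
        "sans": [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"],
        "not_after": cert.get("notAfter", ""),
    }


def same_certificate(a, b):
    """Issuer plus serial number identifies a certificate uniquely."""
    return (a.get("serialNumber"), _name(a.get("issuer", ()))) == \
           (b.get("serialNumber"), _name(b.get("issuer", ())))


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter (a 90-day cert renewing 30 days early renews at ~60)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


# Constructed sample data in getpeercert() shape -- not real certificates.
SAMPLE_EDGE = {
    "subject": ((("commonName", "edge.example.net"),),),
    "issuer": ((("organizationName", "Example Edge CA"),), (("commonName", "Example Edge CA 1"),)),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "edge.example.net"), ("DNS", "*.example.com")),
    "notAfter": "Jun 01 00:00:00 2025 GMT",
}
SAMPLE_ORIGIN = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "serialNumber": "03D4E5",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jun 01 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    host = sys.argv[1]
    ip = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        cert = fetch_cert(host, ip, strict=True)
        print("Full (strict) would pass:", summarize(cert))
        print("days until expiry:", days_until_expiry(cert))
    except ssl.SSLError as exc:
        print("Full (strict) would FAIL:", exc)
        print("Full (no verification) still connects; fingerprint:",
              fetch_cert(host, ip, strict=False))
```

Run it once against the hostname and once against the origin IP and compare the two summaries with `same_certificate`: if they differ, the browser is seeing Cloudflare’s edge certificate, exactly as described above. If the strict connection to the origin IP fails, Cloudflare’s Full (strict) mode would fail for the same reason, and the error message tells you which check (untrusted issuer, expiry or hostname mismatch) you need to fix on the origin.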

So that’s the lowdown on using an SSL certificate with Cloudflare’s crypto options. It’s certainly possible. Just keep in mind that your actual certificate will be hidden unless you pause Cloudflare!

About Bhagwad Park

I've been writing about web hosting and WordPress tutorials since 2008. I also create tutorials on Linux server administration, and have a ton of experience with web hosting products. Contact me via e-mail!
