ballagyr Posted September 29

Hi, today I changed the management of my domain to CloudFlare and as usual, I generated the "Origin Server" certificate. I tried to apply these certificates on this server, but curiously, this is the only server where I can't use them; on others I can upload the (.pem) file without problems. Can I know the reason why I can't use them on Heliohost? Thank you!
wolstech Posted September 29

We've had issues with those in the past...the main issue I recall is that the CF origin certs are not publicly trusted. They're basically self-signed certificates. I haven't messed with these in a while though. Can you put the pem and the key (if it's separate) in your home folder (outside of your web root so it's not public!) so I can take a look when I get a minute?

We usually just tell people to generate an LE cert with the proxy turned off instead, then turn it on.

Non-strict SSL ("SSL Full") is the supported and recommended setting on CF for our service. It should work with an LE certificate installed on our end.

"SSL Full (Strict)" might work, but tends to be incompatible because it blocks the connection when the certificate is invalid. Plesk, Let's Encrypt, and our custom logic all expect to be able to call your website via its domain and still reach it in these scenarios. It will keep LE's certificates from renewing (especially if the current one is expired), and can result in your domain being disabled for not being hosted here if it lasts long enough...

"Flexible SSL" should be avoided because it is insecure.
ballagyr Posted September 30

Yes, I can do that, I'll create a folder with a hexadecimal name, with "000" at the beginning. But also I won't need them, because I thought they would be useful, to make CloudFlare's "Google Trust" work here. But I was mistaken. In fact, it is because of these certificate confusions that I avoid using "Full Strict" in SSL configurations, as I have had problems with them recently.
ballagyr Posted Wednesday at 04:32 PM

OK, you can close this topic. Thanks anyway!