ballagyr Posted September 29

Hi, today I changed the management of my domain to CloudFlare and as usual, I generated the "Origin Server" certificate. I tried to apply these certificates on this server, but curiously, this is the only server where I can't use them, on others I can upload the (.pem) file without problems. Can I know the reason why I can't use them on Heliohost? Thank you!
wolstech Posted September 29

We've had issues with those in the past...the main issue I recall is that the CF origin certs are not publicly trusted. They're basically self-signed certificates. I haven't messed with these in a while though. Can you put the pem and the key (if it's separate) in your home folder (outside of your web root so it's not public!) so I can take a look when I get a minute?

We usually just tell people to generate an LE cert with the proxy turned off instead, then turn it on. Non-strict SSL ("SSL Full") is the supported and recommended setting on CF for our service. It should work with an LE certificate installed on our end.

"SSL Full (Strict)" might work, but tends to be incompatible because it blocks the connection when the certificate is invalid. Plesk, Let's Encrypt, and our custom logic all expect to be able to call your website via its domain and still reach it in these scenarios. It will keep LE's certificates from renewing (especially if the current one is expired), and can result in your domain being disabled for not being hosted here if it lasts long enough...

"Flexible SSL" should be avoided because it is insecure.
ballagyr Posted September 30 Author

Yes, I can do that, I'll create a folder with a hexadecimal name, with "000" at the beginning. But also I won't need them, because I thought they would be useful, to make CloudFlare's "Google Trust" work here. But I was mistaken. In fact, it is because of these certificate confusions that I avoid using "Full Strict" in SSL configurations, as I have had problems with them recently.
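
The distinction drawn in wolstech's reply, between a certificate that is publicly trusted and one that is not, can be checked locally with the openssl CLI before a .pem is uploaded. This is an added example, not part of the original posts: the function names are hypothetical, and the throwaway self-signed certificate is constructed here as a stand-in for any certificate that does not chain to a public root.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# All function names below are hypothetical.

# Print the subject or issuer of a PEM certificate, label stripped.
cert_field() {  # $1 = pem file, $2 = subject|issuer
  openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# Echo one of: unreadable | expired | not-publicly-trusted | publicly-trusted
# $1 = certificate PEM, $2 = optional file of intermediate certificates
origin_cert_status() {
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    echo "unreadable"; return 1
  fi
  # -checkend 0 fails when the certificate has already expired.
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired"; return 0
  fi
  # Verify against the system's default trust store only, which is what a
  # client calling the site directly by its domain would rely on.
  if [ -n "$2" ]; then
    out=$(openssl verify -untrusted "$2" "$1" 2>/dev/null)
  else
    out=$(openssl verify "$1" 2>/dev/null)
  fi
  # Match the "<file>: OK" line rather than trusting the exit code.
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo "publicly-trusted"
  else
    echo "not-publicly-trusted"
  fi
}

# Constructed sample: a self-signed certificate for a placeholder hostname.
make_sample_cert() {  # $1 = output dir, $2 = validity in days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=origin.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" 30
echo "issuer: $(cert_field "$tmp/cert.pem" issuer)"
echo "status: $(origin_cert_status "$tmp/cert.pem")"
rm -rf "$tmp"
```

For a certificate issued by a public CA, pass the CA's intermediate chain file as the second argument, since a leaf certificate alone does not verify against the root store.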