Can I use Cloudflare SSL on a site that already has Let's Encrypt installed?

I have already installed Let’s Encrypt SSL on . Can I install Cloudflare SSL on my website if there is another SSL already installed?

It is helpful to understand that Cloudflare is a reverse proxy service.

When you have a certificate on your origin (the Let’s Encrypt certificate), and also use Cloudflare, there are two separate SSL connections involved:

  1. Between the Origin and Cloudflare (the Let’s Encrypt certificate is used).
  2. Between Cloudflare and the visitor (Cloudflare’s SSL certificate is used).

Cloudflare is essentially just decrypting, inspecting/modifying, and then re-encrypting the traffic from your server. In order to do this, they have to use a different certificate to the one on your Origin (since they don’t have access to the private key of that certificate).


Thanks for the nice diagram and explanation, @_az!

The consequence of this for users is that you can definitely use CloudFlare in this case, but indeed CloudFlare will generate, and use, a separate certificate of its own for connections from the general public. Your Let’s Encrypt certificate can protect connections between CloudFlare and your origin server.

This situation can produce some unexpected problems and confusions because you will still have to renew your Let’s Encrypt certificate at least every three months. In the past, CloudFlare’s proxies interfered with some methods of renewal because Let’s Encrypt’s servers could no longer connect directly to the end-user’s origin server. Since the most affected methods have been discontinued, CloudFlare users might not notice this particular problem in the future.

However, there is no direct security benefit to using a Let’s Encrypt certificate to protect only the connection between CloudFlare and your origin server. CloudFlare provides an alternative which is at least as secure and usually more convenient in this case:

It’s more convenient because the private CA can issue a certificate that’s valid for many years, so you wouldn’t have to deal with certificate expiry and renewal very often.

The main disadvantage here is that if you discontinue using CloudFlare in the future, you will then have to once again get and install a certificate from a public CA such as Let’s Encrypt at that time.
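To make the two-hop picture from the first reply concrete, and to catch the origin-renewal problem the second reply describes, here is an added check script (not from the thread or from Cloudflare). It handshakes once with the address the public reaches (hop 1) and once with the origin IP you supply (hop 2), sending the same SNI both times, and reports the issuer, expiry and whether both hops presented the same certificate. The hostname and origin IP on the command line are your own values; the origin must accept direct connections for hop 2 to work.

```python
import socket
import ssl
import time

def rdn_value(name, attr):
    """Pull one attribute (e.g. 'organizationName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the fields that matter for the two-hop check."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject": rdn_value(cert.get("subject", ()), "commonName"),
        "issuer": rdn_value(cert.get("issuer", ()), "organizationName"),
        "serial": cert.get("serialNumber"),
        "days_left": int((expires - now) // 86400),  # renewal margin on this hop
    }

def fetch_cert(hostname, ip, port=443, timeout=5):
    """Handshake with `ip` while sending `hostname` as SNI; return the verified cert.
    Returns None when the chain is not publicly trusted, which is what you see on
    hop 2 if the origin uses a Cloudflare Origin CA or self-signed certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

def same_certificate(edge, origin):
    """True only if both hops presented the identical certificate (no proxy in between)."""
    if edge is None or origin is None:
        return False
    return edge.get("serialNumber") == origin.get("serialNumber")

if __name__ == "__main__":
    import sys
    hostname, origin_ip = sys.argv[1], sys.argv[2]   # your site and your origin's IP
    edge_ip = socket.gethostbyname(hostname)          # hop 1: where visitors land (Cloudflare edge when proxied)
    edge = fetch_cert(hostname, edge_ip)
    origin = fetch_cert(hostname, origin_ip)          # hop 2: what Cloudflare itself connects to
    for label, cert in (("edge", edge), ("origin", origin)):
        print(label, "not publicly trusted" if cert is None else summarize(cert))
    print("same certificate on both hops:", same_certificate(edge, origin))
```

When the site is proxied, the two summaries differ (Cloudflare's own certificate on hop 1, your Let's Encrypt certificate on hop 2); the origin's `days_left` is the number that keeps shrinking if renewal silently fails behind the proxy.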
