Cert for Digital Ocean Load Balancer, Cloudflare DNS?


#1

Digital Ocean’s Load Balancer can create a LE Cert on it’s own but only if you use their DNS.

I have a setup where Cloudflare is the DNS for their CDN/Security capabilities but I’m using Digital Ocean’s Load Balancer. There’s no way to generate the cert from the Load Balancer in this setup. Is there any advice on how to go about this?


#2

Hi @tanner,

I’m not sure this situation has come up before on our forum. It seems to me that there are lots of ways that you could do it, but they might not be very well-integrated with Digital Ocean’s setup.

I’m a bit confused about how the two services interact. Is Cloudflare pointed at the DO load balancer as the origin server? (If so, why is this necessary? Do you still get a huge volume of origin requests due to unique content or database transactions?)

I believe that the easiest case in this configuration is probably not to use Let’s Encrypt at all but instead to use Cloudflare’s origin CA service

With this service you can get a free non-publicly-trusted certificate that you can install on DO to secure the interaction between Cloudflare and DO. This certificate will be valid (for Cloudflare’s connection to DO only) for a period of 10 years, so it won’t have to updated. This is arguably more secure than using a publicly-trusted CA certificate for this purpose.


#3

Hey @schoen thanks so much for the prompt response. It’s as you mentioned

Cloudflare DNS -> DO Load Balancer -> web app1/2

One VM can probably handle the requests with caching, but what I’m trying to solve is redundancy so that I have flexibility of tearing down or modifying the servers in case I need to scale in the future.

Since Cloudflare has their Strict and Flexible https service, if I have Strict enabled, that just means I need to install a cert on the DO Load Balancer as the origin server, is that right? So the servers behind the Load Balancer are http? If they were https, would that cause any issues? Cloudflare https -> DO Load Balancer https -> web app https?


#4

Just tried using the Cloudflare Origin CA and added it to the load balancer but this is what is coming up


#5

Are you actually using their CDN service, or just DNS? The Origin CA is only useful when used in conjunction with the CDN. If you’re not using the CDN then it won’t help you.

If want to use the CDN for some subdomains but not others, maybe you could try delegating the others to Digital Ocean’s name servers using NS records. (I don’t know if that would work).


#6

Oh sorry, I think I might have misinterpreted how you were using Cloudflare, then. But I thought that “for their CDN/Security capabilities” meant that Cloudflare was actually terminating TLS connections and that you’d configured the DO infrastructure as the origin server in your Cloudflare account.


#7

I’d be using their CDN service, I didn’t quite know how the cert was working so I had turned off their proxy for the time being to see if the load balancer would work with the Cloudflare cert. I’m guessing that it won’t unless, like you said, that the proxy is off.

So for this situation I need

  1. Cloudflare proxy on
  2. Cloudflare Origin CA installed on the load balancer
  3. The load balancer to forward https calls to http to the application?

No certs on the application server is fine?


#8

@jmorahan @schoen Okay, as long as I have the Cloudflare proxy on, I’m able to access both the front and backend of my WordPress site. However, I noticed that the scripts on the page were loaded with http. Normally I just change the home or site url to https:// and it’s fine, but when I do change it to https, the /wp-admin/ gets in a redirect loop. I think this has to do with the application servers being http while Cloudflare and the load balancer utilizing https. Any tips?


#9

If they’re on the same LAN or VPN and you trust that nobody can get malicious access to that network.


#10

I guess it’s probably because the connection coming in to the web server is always HTTP, so Wordpress doesn’t know when it doesn’t need to redirect.

One solution might be to leave it as HTTP in your Wordpress configuration and change it in Cloudflare instead, using the “Always Use HTTPS” and “Automatic HTTPS Rewrites” options.


#11

That’s the funny thing, I have Always Use HTTPS and Automatic HTTPS Rewrites on in Cloudflare. On the homepage it will show that there are unsafe scripts - right now I’ve tested that this warning shows even if I modify site url and home url to http or https


#12

I could only add one screenshot in a post. This is the “Insecure content” warning.

Screenshot_102818_072654_PM


#13

Okay… so that was not that smart of me. I went ahead and installed the cert on the load balancer and the two application servers and all is good in the world!